[Swan-commit] Changes to ref refs/tags/v3.3

Paul Wouters paul at vault.libreswan.fi
Mon May 13 21:02:36 EEST 2013


Created a new ref, with the following commits:
commit 71b86e8846c935e7982010f73b3b8881519a881a
Author: Team Libreswan <team at libreswan.org>
Date:   Mon May 13 13:49:18 2013 -0400

    * Added today's release date

commit fb3729a48b8ba9a7844a9dd48d7504441f8a8162
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat May 11 14:27:19 2013 -0400

    * remove duplicate list_rm() entry from connections.c defined in hostpair.h

commit 9693f38150a9277c2c4e75597973b7e9ed245e52
Merge: 00fc2f7 392bd72
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat May 11 14:24:07 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 00fc2f7c5c671710da2772b38d37396576bd2870
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat May 11 14:23:52 2013 -0400

    * updated changes

commit 154033ea9166722c1d60380bf9329ecc0c9997b3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat May 11 14:18:05 2013 -0400

    * ranbits: The ranbits program was no longer used by anything. Removed

commit c385c1ee1f9f3e556f1a1621b85f86bf958e5425
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat May 11 14:10:43 2013 -0400

    * rsasigkey: cleanup code, remove nss_initialized and oldkeyformat

commit 62ded6dc4beaf6aa6827be6c76c5326658383755
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat May 11 13:48:34 2013 -0400

    * security: Cleanup of ASN1_BUF_LEN/BUF_LEN/PATH_MAX defines

commit 392bd72ad53ac91da94f2f6d88e3f4daf5067664
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri May 10 20:22:47 2013 +0300

    pluto: more #define fixes

commit 339f45b36a317d42e1738be4e922221ad73b4351
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri May 10 20:05:06 2013 +0300

    include: fix (some of) the #define's with "{ ... }"

commit 8139fca28d82dda8d7c6286cdd8e50b413f57256
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri May 10 19:58:41 2013 +0300

    lib, pluto: fix more syntax errors

commit 03cdccfbd51166a2e807d3f0f5330c4c371d0d3b
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri May 10 19:41:23 2013 +0300

    lib, pluto: fix major syntax error

commit 5ba02fcb26a656b817afa2a486b2f2dda5f73753
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri May 10 10:18:52 2013 -0400

    * rename mpz_to_n2() to mpz_to_n_autosize()
    
    mpz_to_n() takes a second argument size_t bytes.
    
    mpz_to_n2() does not take the argument, but uses (mpz_sizeinbase(mp, 2)+7)/8
    to round up the size to the next byte.
    
    This was not clear from the name, so mpz_to_n2() was renamed mpz_to_n_autosize()

commit 2634859cc403e6bf06525677195541cf63775cd8
Merge: 6e92308 8c1a52e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri May 10 10:16:25 2013 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 6e923080e1d1b08169ae8e04cf278c361e753d5f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri May 10 10:15:47 2013 -0400

    * testing: fixup ikev2-04 to use klips

commit 8c1a52eeedecf569f022ceea7d962c202b7d5f85
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri May 10 10:10:58 2013 -0400

    * remove the PR_GetErrorText() usage for now
    
    Let's look at how best to do this for all nss/nspr errors.

commit 773518d7939e310966afbdf3ae3ed52f9fab6ef2
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri May 10 14:42:23 2013 +0300

    linux/net/ipsec/infutil: fix syntax error

commit 6c6249b69cace5cb2c999a66c4db9192439af3b7
Merge: c92b565 d086f41
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri May 10 09:41:38 2013 +0300

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit c92b56554616a06ca4a1e5f9f3f67a63fd7a3d46
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri May 10 09:41:12 2013 +0300

    comment cleanup: use C89 style

commit d086f41829849b0d8d805505295f049118dd7bf5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 21:59:21 2013 -0400

    * pluto: fixup previous rewrite for ESP traffic stats
    
    Accidental %lu%s left in.

commit 859cf43cfc52ae630bdecbb7ea7d192f0bb7d4d9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 20:04:25 2013 -0400

    * updated changes to reference CVEs

commit 80c5166cceb48e5d607c5392beb7ada1c6c324db
Merge: 5d6facd 4ae8a68
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:52:21 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 5d6facd157ffc90960924ba8d44c176928eab42f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:52:05 2013 -0400

    * updated changes

commit 9040be5131fe57dda3f9dad4a07586a1e9daeea9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:49:26 2013 -0400

    * pluto: Add support for OID_SHA224_WITH_RSA signatures
    
    Also log a more meaningful error when we see OID_MD2_WITH_RSA. It's not that
    we don't support it, we just think it shouldn't be accepted as it's too weak.

commit 94b9ef1f0803aa9225f0563fc9aac6ddb0c95bfa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:33:54 2013 -0400

    * Fix for CRL signature verification failure if first byte is a zero
    
    ASN.1 integer values have a leading zero if they are above a certain size to
    denote whether they are positive or negative values. Oddly enough, the signature
    is stored as an integer value.
    
    The CRL verification code introduced with the NSS code path used the gmp library's
    bignum to convert the signature chunk_t into a bignum and back, thereby removing
    the leading zero. However, this would remove more than the 1 leading zero, so if
    the signature started with a 0x00, then the RSA signature of the CRL would be short
    a byte and fail to verify. The CRL would be rejected.
    
    This patch removes the conversions to bignum, and handles the leading zero by just
    moving the pointer one forward, and reducing the length by 1.
    
    Debugging was also slightly cleaned up, and errors in the CRL are now reported back
    to the user if reading the CRLs was triggered by "ipsec auto --rereadall"
    
    (this is rhbz#959969)

commit 8f6711bcc52ef5cee85f5f52cae242509f405afc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:32:46 2013 -0400

    * whack: throw an error to the user if CRL is rejected

commit 4ae8a685b9eaa0bda85760e007b9d32126836262
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 16:46:00 2013 -0400

    * pluto: always print header of "List of X.509 XXXXX" as well.

commit d3ee7bccb7a12b53e5cc763f2d58e3650fdfa614
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 16:42:08 2013 -0400

    * pluto: always show "List CRLs" header like other items
    
    This makes the behaviour similar to "List of Public Keys:" and others.
    
    (I was wondering if the code was called or not to list these)

commit 083e1d1cdae93d22475728a3b870bf564c3f2428
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu May 9 21:03:50 2013 +0300

    testing/utils/siocprivate/tncfg: fix comment to correct style

commit 2003868d52ffc14381bd9594f6136d9dcd005816
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu May 9 20:59:07 2013 +0300

    contrib/lucent/UDP501encap: fix link

commit 9c508a46b7b93578a5e5064bfc10e8976066ca15
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu May 9 15:40:06 2013 +0300

    testing/utils/siocprivate/tncfg: fix syntax error

commit 35fa6b072feaa6705d41d039ddf8a85a0465b2cd
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu May 9 15:33:56 2013 +0300

    programs/pluto/ikev2: fix syntax error

commit 949666ee6f11a4ae20b48896287e394e626ae1fe
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu May 9 14:54:58 2013 +0300

    programs/pluto/ikev1_main: fix syntax error

commit a07b4cf54a3e4cb5867032af2b3ff294a32f3849
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu May 9 14:51:40 2013 +0300

    testing/utils/siocprivate/tncfg: fix syntax error

commit e0b4fe8e7ed22124c9e16d8cecb62dcc43e363de
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu May 9 14:48:56 2013 +0300

    contrib/lucent/UDP501encap: fix syntax error

commit 7123661909ef218b319c81a86267905778533d5e
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu May 9 14:46:14 2013 +0300

    pluto/connections: fix syntax error

commit 919cbe0445c2f7f398cdf27066cffa6b39fa9f7f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon May 6 17:40:10 2013 -0400

    * security: Removal of USE_WEAKSTUFF, USE_NOCRYPTO, 1DES and modp768
    
    NULL encryption should still be possible - but at least people then
    know it is not real encryption. Note that 1DES and modp768 were already
    disabled in the default build for about a decade.

commit 68c8fdb850e4ee064fcf4265efb784ade91f462e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon May 6 17:31:41 2013 -0400

    * KLIPS: ensure prng.c can only be used for KLIPS build, not userland

commit 9ef03e37172655d149390f948c5a4893dcd31b46
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon May 6 17:29:12 2013 -0400

    Revert "linux/net/ipsec/prng.c: Remove, no longer used"
    
    This reverts commit 1a968534c35fdb236c0dcc1ab29eaaaa1a09f15e.
    
    This is actually still used by KLIPS

commit 806e1ae097d91c5b5286577a76f8509bcd0c7d0d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon May 6 16:35:56 2013 -0400

    * crypto: cleanup SHA2 unused funcs, introduce USE_MD5/USE_SHA1 like USE_SHA2
    
    Use of USE_MD5 / USE_SHA1 needs to be expanded

commit 4e5e9d7aed802f5415b79d1e54ee2d53ee908f29
Merge: eab5249 427bee8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon May 6 14:59:05 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit eab5249c0d89bd2a2b81308c64e74c29ac49548c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon May 6 14:47:42 2013 -0400

    * updated changes

commit ba6884a4962c4f15c24126bbeaca7ae87c1c8144
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon May 6 14:45:31 2013 -0400

    * security: Initial loading of CRL fails for NSS CAs [Matt Rogers]
    
    This is rhbz#960171

commit 427bee8fd007f4334debb34144bd7928e0b36a70
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun May 5 16:28:26 2013 -0400

    * testing: converted algo-pluto-0X except 05/06 testcases to KVM
    
    The 05/06 test cases use multiple run.sh files which we don't yet support

commit 89f93fcaf316fb285ec3749272ea1a472117acf4
Merge: eece0d2 b17efb7
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri May 3 17:41:49 2013 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit eece0d2557352996ed6d1ab3292c918917a097b9
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri May 3 11:39:30 2013 -0400

    * add comments to clarify intricate unpack_RSA_public_key

commit b17efb71513463b5ad48c2c58c56af3aafa55cd2
Merge: 5f8fd25 e6bff86
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri May 3 11:26:37 2013 -0400

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit e6bff86e0428871026a90e0dcf157cb4078c80e1
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri May 3 02:41:47 2013 -0400

    * simplify humanize_number
    Avoid unnecessary overflow for numbers that are already kilobytes.

commit 2f6cbcc77620295fcb03ed02a180dd7ed280b609
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri May 3 01:53:22 2013 -0400

    * clean up code to reduce GCC warnings
    Mostly safe transformations (I hope).
    Corrections for remaining warnings are not as obvious.

commit a61aa3952ceddc9ae7de6bc3565d30a9a331f7e6
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri May 3 01:28:09 2013 -0400

    * fix call to strspn that should have always segfaulted

commit 929e19480268077b5518065e87163bb8c65056c7
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu May 2 23:59:32 2013 +0300

    CHANGES: fix bug#90 description

commit c8310a891affc471e0a77cc46accd0116f5f51ba
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 2 13:19:11 2013 -0400

    * updated changes

commit a2f7496d7a79cb67c6a08ffafd1a6308fa88b508
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 2 13:15:21 2013 -0400

    * security: Remove stale non-NSS ASN1 handling and pem decryption code
    
    pem_decrypt_3des() has incorrect padding verification code.  (There can
    be at most 8 bytes of padding.)  first_padding_pos can be blob->ptr -
    1, which appears to result in an out-of-bounds array read.
    
    This code however is not used anymore, since NSS is mandatory and we don't
    read encrypted keys from /etc/ipsec.d/private anymore. (we might do again
    later for an openssl port, but then we should be using native openssl calls)
    
    looking further into pem.c, more dead code was found and removed, and the
    remaining code was stripped of any decryption hooks, as we do still use
    load_cert() (the non-nss version) to load CRLs and CAcerts from disk.
    
    Note that openswan when compiled without HAVE_NSS does have a problem with
    verifying the padding and requires a different fix.

commit 0b245f75c39383839ec02505a138265489c16824
Merge: 93e0ea6 6d41e8a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Apr 29 22:37:34 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
    
    Conflicts:
    	CHANGES

commit 93e0ea67c479196b4ef0c46dc00dcde2f96708ac
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Apr 29 22:36:27 2013 -0400

    updated changes

commit e25f659f78f3dc3b36f21fc2416b8fcc4066b4ab
Author: Andreas Herz <andi at geekosphere.org>
Date:   Mon Apr 29 22:26:15 2013 -0400

    * SAREF: Patches updated for 3.4.x kernels. Tested on 3.4.42
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 6d41e8a341bb6f4191e8f3f61ec52c0a7265956e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Apr 29 18:03:34 2013 -0400

    * updated changes

commit babfbbbb219ac8a58dbe87279a13a85fc6f5cd2c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Apr 29 18:02:26 2013 -0400

    Revert "* IKEv2: Initiating IKEv2 with nhelpers=0 failed"
    
    This reverts commit 05edc7769f4c962012fb00e1102dedd01fb5f23a.
    
    Conflicts:
    	programs/pluto/ikev2.c

commit ae132cd1ebb40cbcdafedac83f63fd25bf7d88a3
Merge: fbe3c8c 586773e
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Apr 29 09:53:29 2013 +0300

    Merge branch 'lswbz90'

commit 586773ecd30385ac1e0e909e62b58c2c186fa791
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Apr 29 09:52:58 2013 +0300

    CHANGES: update for bug#90 fix

commit 1cc21e0952331bdd341df89cb8d040b283ac08c9
Author: Kim Heino <b at bbbs.net>
Date:   Mon Apr 29 09:32:04 2013 +0300

    NETKEY: Generate transport mode eroute from peer host to our host.
    This is a fix for bug#90. Back from openswan-2.4 inbound eroute with
    netkey was generated from peer client to our host which is wrong in
    case of transport mode where there is no client.
    
    Information about encapsulation was added to connection struct
    so we know how policy has been generated when removing inbound eroute.
    
    Also policy generation has been changed to pass proto = SA_ESP
    for inbound eroute generation instead of SA_IPIP which was used before.
    SA_IPIP was anyway wrong type for transport mode. This proto info is used
    for eroute creation to find out if eroute should be transport or tunnel.
    
    Signed-off-by: Tuomo Soini <tis at foobar.fi>

commit fbe3c8c109fae0ae894bf77dd4a3e1c91446d350
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Apr 29 08:23:34 2013 +0300

    update changes

commit 4efa994ffea58195d3277611b23839e046fb1207
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Apr 29 08:21:13 2013 +0300

    _stackmanager: fix loading of aes-x86_64 caused by typo in module name

commit 63a9b7e2da1173ded689e4a5bd36db65392a414a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 20:31:46 2013 -0400

    updated changes

commit 3c7711bd4f67524cbf123d1546fe0e64b339d624
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 20:29:23 2013 -0400

    * security: cleanup CFLAGS handling
    
    Per default, everything now gets a WERROR set to:
    
    -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security #-pedantic
    
    (pedantic causes a lot of additional warnings, like "comma at end of
    enumerator list", which we often do on purpose to reduce diff size)

commit f6b8563f83271388f981d35797a38d6bbbc584ff
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 18:56:02 2013 -0400

    * log length of information payload that we are ignoring.

commit be33d462b1f552d404bac540537b9732a8f040ec
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 18:55:12 2013 -0400

    * add comment to checking esp/ah/ipcomp states
    
    Added comment to ensure someone later on does not "optimise" the if/else
    loop with a switch()

commit aaca56dd807c52553e256733bb9ee083efb0de7e
Merge: 5dae612 db32c8a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 18:29:32 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit db32c8ac547c5b32c586816922a6895d6bf08236
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 13:18:58 2013 -0400

    * PK11_CreateContextBySymKey() cannot actually return SECFailure
    
    It returns a pointer, so NULL is the only failure case. The error
    introduced by Florian was just that he checked for not-NULL instead
    of NULL.

commit 1966f881b4d908cb72db93829dec8620266005e6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 13:00:35 2013 -0400

    * updated changes

commit a7ed46071760b5a329e3bb40a06206cb5806f204
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 12:50:30 2013 -0400

    * security: Fix the abort calls for do_aes() and do_3des()
    
    The NSS function PK11_CreateContextBySymKey() can return 0 in the functional
    case. It returns NULL or SECFailure in the failure case.

commit 7fbdc1adc71cd0ccc29466612866f54b552e0784
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 12:38:55 2013 -0400

    * update changes

commit 45af631a213859b8bc72200496cf99d3baa5b6f3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 12:37:31 2013 -0400

    * Removed unused function load_host_cert()
    
    This function was only used in the non-NSS path which we no longer
    support.

commit 8827a35fea604eb19d8d15010ab40250ddf8ab3b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 12:32:34 2013 -0400

    * security: Fix misuse of ASN1_BUF_LEN and PATH_MAX in unused function
    
    ASN1_BUF_LEN was declared as 512 at one location and 256 at another. Moved
    it to x509.h as 512 and verified its usage.
    
    In load_host_cert() it copied a char[PATH_MAX] for ASN1_BUF_LEN length. Luckily,
    PATH_MAX is 1024 so it would always fit.
    
    Additionally, since load_host_cert() is only used in the non-NSS code branch
    which we no longer support, this function has been #if'defed out.

commit bd59ffdf2fe39c2139f1126c4c3d10fff89bcb22
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 27 12:29:47 2013 -0400

    * updated changes

commit c78e908fcc01da7c89e5f7bb2a090889ab988309
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 25 13:49:24 2013 -0400

    updated changes

commit a62ba1bb2675d2b8cd7f9616ed118c44ea3d5bd0
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:48:41 2013 -0400

    * security: list_acerts: Correct snprintf length argument
                and do not use return value

commit f96f513a0fdd1b48cf50c856deb22c3bb7a02bfa
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:47:11 2013 -0400

    * security: unpack_RSA_public_key: Check modulus length against key

commit ebf7d7d75d94269cd3d852bb5e4a3bb7448fead0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 25 13:40:12 2013 -0400

    * updated changes

commit 2cd9002ceee7602c1a51061ee9c50bd7e76781e3
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:37:34 2013 -0400

    * security: fetch_curl: Set timeout for the entire request
    
    Otherwise a stuck connection could effectively disable CRL fetching.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>
    
    This is due to the CRL fetching not using proper helper threads like
    the crypto/dns threads. This only affects a broken CRL URI point
    as taken from the CA certificate.

commit 34e669419f7b130ddeedf2c3559f75f98f73f316
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:34:43 2013 -0400

    * security: do_aes: Abort on failure
    
    The routine cannot signal encryption failures to the caller
    and would leave the buffer unencrypted on error.

commit 30da4deb7f01ce260f5905a7d6032225c1998fd1
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:34:14 2013 -0400

    * security: do_3des: Abort on failure
    
    The routine cannot signal encryption failures to the caller
    and would leave the buffer unencrypted on error.

commit a0d451dd055cc30014d67f7ee563dfdb9791c23f
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:31:07 2013 -0400

    * security: Check that origin of netlink message is the kernel [Florian]

commit 0c9e7831570fbe1c641df16baf51446b55e63a7e
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:29:30 2013 -0400

    * security: escape_metachar: Do not write beyond the end of the buffer

commit 8f5b979438c89297daa2c608e7250e1064c3f8ab
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:26:26 2013 -0400

    * security: alloc_bytes1(): Integer overflow if the leak detective enabled
    
    leak detective is not enabled per default.

commit 41b7588627719b36807fd4d23dd695ca13e6537b
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 4 11:45:15 2013 +0200

    prettypolicy: Avoid buffer length computations
    
    This ensures that snprintf is not called with a length argument of
    zero.

commit efd322f6cc8c24174e49cd437c79fc4f3779dbdb
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 4 11:50:12 2013 +0200

    readwhackmsg: Guard against integer overflow when rounding up length

commit bb4402e9fbda06afb3153b97a2494c3d2b90c435
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 4 11:59:45 2013 +0200

    alg_enum_search_prefix, alg_enum_search_ppfix: Guard against long prefix
    
    Existing callers use short, constant strings, so this does not make a
    difference at present.

commit 43b5d6ee61a38167b45c7c9f67552dca91430a28
Author: Florian Weimer <fweimer at redhat.com>
Date:   Mon Apr 8 15:46:18 2013 +0200

    spawn_worker: Call _exit instead of exit in the child process
    
    This suppresses unwanted cleanup actions.

commit 201247c6b0798d1e5f239284940aa7db4a4e6b04
Author: Florian Weimer <fweimer at redhat.com>
Date:   Mon Apr 8 16:30:58 2013 +0200

    Remove random_devices variable from programs/pluto/rnd.c

commit 1a968534c35fdb236c0dcc1ab29eaaaa1a09f15e
Author: Florian Weimer <fweimer at redhat.com>
Date:   Mon Apr 8 16:33:01 2013 +0200

    linux/net/ipsec/prng.c: Remove, no longer used

commit f93f5a4fbaa1a895640b6b994c3aaefc88a123fa
Author: Florian Weimer <fweimer at redhat.com>
Date:   Mon Apr 8 16:42:12 2013 +0200

    get_rnd_bytes: Abort on random number generator failure
    
    We must not return without overwriting the buffer.

commit 5c5d103c836cd4d5ecc3e58adef60db85cc4aac6
Author: Florian Weimer <fweimer at redhat.com>
Date:   Mon Apr 8 17:21:28 2013 +0200

    db_trans_expand, db_attrs_expand: Use ptrdiff_t for the pointer offset
    
    This still invokes undefined behavior, but is more 64 bit safe.

commit 4f90867f0c804a68a538c1fb3d370e6fd35984ff
Author: Florian Weimer <fweimer at redhat.com>
Date:   Tue Apr 9 16:19:11 2013 +0200

    pluto_crypto_allocchunk: Avoid wraparound in assert

commit 4d1dda24046ae4e713d34baf61b1911522736ed8
Author: Florian Weimer <fweimer at redhat.com>
Date:   Tue Apr 9 16:21:48 2013 +0200

    pluto_crypt_handle_dead_child: Remove, dead code

commit ecce8df69fa88fd89efd62672c238882a3289dbf
Author: Florian Weimer <fweimer at redhat.com>
Date:   Tue Apr 9 16:48:22 2013 +0200

    humanize_number: Avoid variable format string
    
    Also add check for snprintf result.

commit ba2104c9d4634701e77e18ef95722b9f63c6d2c8
Author: Florian Weimer <fweimer at redhat.com>
Date:   Tue Apr 9 17:03:34 2013 +0200

    get_addr: Move docstring comment in front of the function

commit 33faa04556b7e8de0547a032b89f4d8e29d336fc
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Apr 10 09:52:56 2013 +0200

    LSW_FDMASK: Avoid signed integer overflow
    
    Shifting into the sign position is currently a GCC extension, but that
    may change in the future (according to the GCC manual).

commit 2ea078b21cbaab5f8824b85f95f6e4554f05b54a
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Apr 10 10:14:20 2013 +0200

    format_connection: Avoid using the snprintf return value

commit 612cb44274692713d598347d6cf98c9cdb87df08
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Apr 10 10:35:57 2013 +0200

    biglset_format: Do not rely on the return value of snprintf

commit 4031611a1c187c6e7968add1a54ddfc729befa85
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Apr 10 10:47:59 2013 +0200

    alg_info_snprint: Do not rely on the return value of snprintf

commit e8779816991b191eccdb2c498edae9d1ba9347fb
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Apr 10 11:21:49 2013 +0200

    quick_inI1_outR1_authtail: Do not rely on the snprintf result

commit f137fcb99d40a0b102af1e4fa6e4c0fe98895f97
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 25 13:11:46 2013 -0400

    * update changes

commit 7ecc33cd9bf4ee01ae1f72dfb58ee8d25e15cb5d
Author: Florian Weimer <fweimer at redhat.com>
Date:   Thu Apr 25 13:08:23 2013 -0400

    * security: dn_parse(), hex_str() write beyond end of the buffer
    
    lib/libswan/x509dn.c:dn_parse(), hex_str() seem to write beyond the
    end of the buffer, via side effect in the second arguments of
    update_chunk calls.  update_chunk should call snprintf itself, with
    the proper remaining buffer length.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 7d0ca355a5c7f8337130d4b0b3e7686f2fa4d4c2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 25 12:44:55 2013 -0400

    * security: atodn() / atoid() buffer overflow
    
    lib/libswan/x509dn.c:atodn() does not perform any length checking
    whatsoever on the output buffer.
    
    Affected:
    - Libreswan 3.0 and 3.1 (3.2 disabled the oe= option)
    - Openswan versions up to and including 2.6.38
    - Possibly certain strongswan 3.x/4.x versions
    
    This overflow is exposed (pre-authentication) only in opportunistic
    encryption mode. When it is called via receiving a certificate
    via IKEv1 or IKEv2, and when it is loaded from disk, the buffers
    passed to atodn() are big enough.
    
    This means this vulnerability can only be triggered when:
    - Opportunistic Encryption is enabled (oe=yes)
    - The attacker is local in the same network and adds a malicious
      reverse DNS record to the client's IP, or
    - The attacker can trigger an OE DNS lookup to a client fully
      configured with OE and their own key.
    
    Libreswan and openswan versions do not enable Opportunistic Encryption
    per default.  Most distributions like RHEL, Fedora, Debian and Ubuntu
    also do not enable OE per default.
    
    This patch addresses the vulnerability in atodn() and further limits the
    atoid() call not to traverse into the ASN1 case when triggered by non-cert
    cases such as opportunistic encryption.
    
    Vulnerability discovered by Florian Weimer <fweimer at redhat.com> of the
    Red Hat Product Security Team.
    
    Patch by D. Hugh Redelmeier <hugh at mimosa.com> and Paul Wouters <pwouters at redhat.com>

commit 33c14306a63f63b96c833ee325d06ce1adce0856
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 25 12:39:37 2013 -0400

    * testing: converted ikev2-04-basic-x509 to kvm

commit b2f4192db2710306ac9a00773b69681c98ce54e3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 25 12:22:56 2013 -0400

    * testing: bring tunnel down to look for broken remnants

commit 9be71a403aa7033f984d98ce1eb565a81538d8ba
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 24 15:39:47 2013 -0400

    * testing: converted ikev2-05-basic-psk to KVM

commit 5dae61236e9bb597046178834497bb2243cbac64
Merge: 32df6c4 97fc483
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 24 12:22:37 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit f82ba4566a712bb48e67eb692e226f94e3176229
Merge: 1f5e3f9 97fc483
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 23 22:50:04 2013 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 1f5e3f914a9a9e35606b3f44c9fc4430fa12e388
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Tue Apr 23 15:59:07 2013 -0400

    * libreswan_log takes a format string and arguments: no need for a buffer

commit 97fc483a43857d24c5c0a69381de98336786ec38
Author: Kim B. Heino <b at bbbs.net>
Date:   Tue Apr 23 10:43:47 2013 +0300

    pluto/kernel: remove trailing whitespace

commit a5cbacf0a8c375e56ceb3528803079d7d079ca41
Merge: a2d0f2c f1d25aa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Apr 22 13:27:16 2013 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a2d0f2cc05a2ddb622ec4ab531bbd7b04bdd369c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Apr 22 13:05:03 2013 -0400

    * _stackmanager: Warn properly when esp4/esp6 module fails to unload

commit 32df6c4175a5f22e5c83f1478356d20776d9f64e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 20 12:29:46 2013 -0400

    * remove commented out sha2_256-96 handling

commit 6a72cc8d13a6c7e926b9992836e8372aa5317e09
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 20 12:18:46 2013 -0400

    * pluto: fix error message
    
    The error for ike=modp1536 said "esp error" instead of "ike error"

commit f1d25aaf74f5efb8ec091ee41c6616f361eb03de
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Apr 19 13:42:53 2013 -0400

    * verify: debian has the ss command in /sbin/

commit 5f8fd25bfb320601748c29fd715116ec5ea998df
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Apr 19 00:29:59 2013 -0400

    * partial fixup of transport-01

commit 434d2118f98a99e8a146c45c24b361feb8020fdc
Merge: 49070b2 5a4a17e
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu Apr 18 11:38:07 2013 +0300

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 49070b2917de21bf0328d9974803f128c3dcfe05
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu Apr 18 11:37:28 2013 +0300

    pluto/kernel_netlink: remove trailing whitespaces

commit 5a4a17e4e7789716c57aab2543b07d929d9bd3b9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 17 16:01:06 2013 -0400

    * testing: added results for ipv6-tunnel-mode-02-netkey-netkey
    
    These also need sanitation for the ip xfrm commands.

commit 07eb404e4c08a604b7c8c1b34c8d52fe3378c8e5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 17 15:37:43 2013 -0400

    * testing: preliminary results for ipv6-transport-mode-02-netkey-netkey

commit 4f9f33b54b1edc7926900c881460030637a01a29
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 17 11:40:24 2013 -0400

    * testing: Added six IPv6 test cases for host-host mode
    
    These test host-host for transport and tunnel mode. Using klips, netkey
    and an interop with both stacks.

commit 4eaf13c1533f6765189a9a257cdd80f74085f841
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 17 00:40:21 2013 -0400

    * testing: mark ipv6-v6-through-v6-klips-klips as converted in TESTLIST

commit 67705a3652bad02233558460e0fead3067372273
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 17 00:33:55 2013 -0400

    * testing: updated ping sanitizer
    
    The old ping command shows icmp_req= while the new ping command shows icmp_seq=
    
    Allow either one.

commit 7ef7e03f3026356ce2247d0a4cbd1717bbc6939f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 17 00:33:47 2013 -0400

    * testing: Updated test case ipv6-v6-through-v6-klips-klips

commit 99c1bb2c0b24ded83f02afdc11285168227aee79
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 17 00:15:36 2013 -0400

    * parsing: turn oe= into kt_obsolete_quiet

commit 9549da61bbeeeb9ce21e1b8b11c89897eb2fcf38
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 17 00:14:55 2013 -0400

    * parser: Added keyword type kt_obsolete_quiet
    
    Same as kt_obsolete, but we only log a warning in full debug mode.

commit f21102b2336f668c72f06334be535155141232bd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 16 18:51:40 2013 -0400

    * testing: SElinux update to avoid false positive audit avc messages
    
    - No longer bind mount, but copy the host files in swan-transmogrify
      to allow us to relabel SElinux context.
    - For Fedora/RHEL guests, add context= parameters to /etc/fstab for
      the /testing and /source mounts to provide proper SElinux context
      to avoid audit avc messages
    - Wipe the audit log on boot in swan-transmogrify so previous SElinux
      audit warnings don't flag in the current test.

commit f2d7f1255da6c20d8edc3c6311bbeb633a5641a3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 16 14:38:24 2013 -0400

    * testing: use raw format for ausearch so it does not display "<no matches>"
    
    This ensures the output of final.nl is the same for "no audit tools installed"
    and "audit tools installed but no problem found"

commit 4da132b6860f2927ad4c7ca2be3457ee24b1658f
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 16 09:19:00 2013 +0000

    * testing : add more timezones to look sanitizer

commit a11e97dc50a9b222e41577a3778ada16316ba491
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 16 09:16:54 2013 +0000

    * testing : fix the flow problem when running final.sh on responder
                every sendline needs a matching expect

commit 357da69ece3a9801c10d4c52324f5f4cf7f695b6
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 16 08:40:21 2013 +0000

    * testing : put the wait_pid initiator line back

commit 2ded8b4e354da5ee2faf663f931eb02a2a0c0bd8
Merge: 1e5ee54 0f88ab9
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 16 05:14:21 2013 +0000

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 0f88ab9d40532cabd2be77ee3ab0fb96f7534088
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Apr 15 18:31:30 2013 -0400

    * testing: run final.sh directly on initiator still on serial console
    
    This is a workaround (and optimization) as it prevents some expect/flow
    issues.

commit 545779dfe68648e48123f0e08fa465a245d789f2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Apr 15 10:23:07 2013 -0400

    * building: Enable some more hardening features
    
    - Enable -z now linker flag
    - Added -Wformat-nonliteral -Wformat-security
    - Changed -fstack-protector to -fstack-protector-all

commit d3eecd069717a103db2ebcef6adaf7add910c577
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 14 21:43:56 2013 -0400

    * testing: Make date replacement a bit more robust for within ipsec look
    
    But match more exactly using numbers to prevent matching other things

commit bf169d9c9a3a41e8a27a3c71844d1fb29cdc41b6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 14 21:22:22 2013 -0400

    * testing: account for dropped leading zeros in ipsec-look-sanitize.sed

commit c193a53c490e7b73da5fff3a88b21d708fadde55
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 14 20:08:04 2013 -0400

    * testing: fixup ipsec-look-sanitize.sed
    
    also sanitize esp.XXXXXXXX@ lines (and ah/comp)

commit 072f0b2fd91518eaf26c25877b20a2bfd051f409
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 20 15:00:45 2013 -0400

    * testing: add new sanitizer backgrounder.sed
    
    This removes the variable pid from the output of background tasks,
    such as launches of "nc" on eastinit.sh
    
    It removes strings like: ^[1] 1234
    (up to 3 processes only, for more we assume it's something else)

commit 3e1cb19d5084ba59d3dcc75602b3b6e711181a80
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 20 20:48:20 2013 -0400

    * stackmanager: if mtu of mast0 interface is 0, set it to 16260

commit fac1d97a0792fbc9012c087f9587713142900d2d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 20 17:02:16 2013 -0400

    * testing: cleanup all final.sh scripts
    
    Should probably be replaced by a smarter output script that we can run
    on all hosts.
    
    Importantly, the "cat /tmp/pluto.log" was removed everywhere because
    we now just cp that log from VM to host. Additionally, the test for
    cores now includes numbered cores (core.1234) and we check for any
    SElinux warnings.
    
    Conflicts:
    	testing/pluto/basic-pluto-02/final.sh
    	testing/pluto/basic-pluto-04/final.sh
    	testing/pluto/dpd-02/final.sh
    	testing/pluto/dpd-03/final.sh
    	testing/pluto/dpd-04/final.sh
    	testing/pluto/dpd-06/final.sh
    	testing/pluto/ikev2-04-basic-x509/final.sh
    	testing/pluto/phase1-expire-02-reconnect-netkey/final.sh
    	testing/pluto/tpm-accept-01/final.sh
    	testing/pluto/tpm-accept-01b/final.sh
    	testing/pluto/tpm-accept-02/final.sh
    	testing/pluto/tpm-accept-03/final.sh
    	testing/pluto/tpm-accept-04/final.sh
    	testing/pluto/tpm-accept-05/final.sh
    	testing/pluto/tpm-accept-06/final.sh
    	testing/pluto/tpm-accept-07/final.sh
    	testing/pluto/tpm-accept-08/final.sh
    	testing/pluto/tpm-pluto-01/final.sh
    	testing/pluto/xauth-pluto-07/final.sh

commit dfab0317767e5104c7202f9a4c9e9cf317b25c96
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 14 14:26:35 2013 -0400

    * setup CHANGES for 3.3

commit caa4b2cbf812a2c7ea49212c28d310e7c9f076aa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 14 13:19:02 2013 -0400

    * packaging: updated rhel6 version of spec file

commit 1e5ee54d64d60874b7aacd405b21daf8c161e27e
Merge: ee70e48 26396e4
Author: Antony Antony <antony at phenome.org>
Date:   Sun Apr 14 09:17:27 2013 +0000

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 26396e441aa5b8909682ea6d38d8cbb5e69c612f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 13 16:11:21 2013 -0400

    * add release date

commit b0de3eb18542ef988225b933240e739f1e1d134e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Apr 13 16:09:41 2013 -0400

    * testing: fixup compress-pluto-netkey-03 and compress-pluto-01

commit ee70e48e42500e500e1b1203cc86ccd63fd534f3
Author: Antony Antony <antony at phenome.org>
Date:   Sat Apr 13 17:41:22 2013 +0000

    * testing : add check for stop-tests-now so we can interrupt make check.

commit 219bd86b4b260f75b419da535960f728ea9e5837
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Apr 12 19:59:25 2013 +0300

    CHANGES: update for lswbz#85

commit 80dfdb8ce980372d606adc1590f5ea0ec54ddf44
Merge: 16d1604 7b1cd93
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Apr 12 19:56:02 2013 +0300

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 16d160428ad1a8f97f601140f0c3ee17513d6960
Merge: a23cd52 21a6e0c
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Apr 12 19:54:42 2013 +0300

    Merge branch 'lswbz85'

commit 21a6e0c79732a3ea16dfbeeda4edff9ccc1dad1d
Author: Kim Heino <b at bbbs.net>
Date:   Fri Apr 12 19:36:57 2013 +0300

    This is fix for libreswan bug #85.
    
    We only add traffic selectors for transport mode. The problem is that
    Tunnel mode ipsec with ipcomp is layered so that ipcomp tunnel is
    protected with transport mode ipsec but in this case we shouldn't any
    more add traffic selectors or we break the tunnel.
    Function setup_half_ipsec_sa was modified to inform netlink_setup_sa with
    add_selector boolean about need to add selectors. This prevents breaking
    ipcomp in tunnel mode. Direction of sa is now passed to netlink_setup_sa
    so client can be substituted with host ip so that selector works for natted
    transport mode.
    
    Signed-off-by: Tuomo Soini <tis at foobar.fi>

commit 7b1cd93056a67c499f4b20d28565733af33f3550
Merge: a2c8632 a23cd52
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Apr 12 12:23:25 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit d38911304a0129c67130de68ced87e28d79a4171
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Apr 12 19:02:51 2013 +0300

    NETKEY: remove irrelevant logging - this is not needed when traffic selectors
    support has been restored.
    
    Revert "Revert "netkey: remove logged warning which is not true after commit 9ed4d3e9""
    
    This reverts commit 340329cdf966f8467eced54327189eb52cbfd736.

commit f3fbf2a9a196da8db16dd73cbd04c4313cba776d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Apr 12 18:58:20 2013 +0300

    NETKEY: restore traffic selectors for fixing them to work with transport
    mode nat-traversal.
    
    Revert "Revert "* Pass traffic selectors to the kernel in Transport Mode""
    
    This reverts commit a4e6195811c6685c1c440ff965890a2d3c9f56e3.

commit 375fe9d54d4aa27279046c099691a0a93155b876
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Apr 12 18:55:01 2013 +0300

    NETKEY: remove work-around for NATD port leaking to traffic selectors

commit a2c86320ea2cf2c39501adaa59dfe4dbb9a5ef58
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Apr 12 10:28:24 2013 -0400

    * Temporarily disable option to enable opportunistic encryption
    
    This will be re-implemented with an external helper that is more aware
    of the forward DNS query and IP address answer, so it will not require
    the reverse DNS.

commit a23cd52fd7c1fc9f1297a57107b74f78d860d1d4
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Apr 12 15:31:41 2013 +0300

    remove CHANGES entry which is not relevant yet

commit 9605d7628de60f975154d6359f59d21233c9b992
Merge: 2291b98 7eb3db6
Author: Antony Antony <antony at phenome.org>
Date:   Thu Apr 11 22:40:38 2013 +0000

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 2291b989359d68922dcd8027e080af6220fb0784
Author: Antony Antony <antony at phenome.org>
Date:   Thu Apr 11 22:40:11 2013 +0000

    * testing : cleanup commit results with initial_contact:no;

commit 8d324608d97250d00ca8f9369cbde2d898d90c82
Author: Antony Antony <antony at phenome.org>
Date:   Thu Apr 11 22:07:10 2013 +0000

    * testing : remove 'cat /tmp/pluto.log' from final.sh

commit 7eb3db6cdd9fffaaf5d1ba5a98675046de726031
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 11 18:03:40 2013 -0400

    * showhostkey: --ipseckey option mistakenly printed "0s" prefix
    
    also moved an nss configdir diagnostic into --verbose like the rest

commit c5b3aa10d9720634aeb784985d40af38bfd8e008
Author: Antony Antony <antony at phenome.org>
Date:   Thu Apr 11 21:33:54 2013 +0000

    * testing : ikev2-05-basic-psk results
                ikev2-04-basic-x509 results

commit 85942b9e5e9917df75eb276ac3654c83e5449e18
Author: Antony Antony <antony at phenome.org>
Date:   Thu Apr 11 18:31:44 2013 +0000

    * testing : swan-build rm OBJ.linux.x86_64 no *

commit 2e15e2f9f2a9c3c42b5f3980278ef3a914496b54
Author: Antony Antony <antony at phenome.org>
Date:   Thu Apr 11 18:18:47 2013 +0000

    * .gitignore  added Makefile.inc.local and removed UMLPOOL

commit 9760a966d24bd149ef170a779933b0452106e5c5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 11 11:06:36 2013 -0400

    * packaging: updated ipsec.conf.d with the commented *.conf include

commit a46d2d7405401f0f140f2275b2ca5c93bf53f384
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 10 22:14:50 2013 -0400

    * packaging: use full relro (-z,relro,-z,now) for fedora spec

commit 670a5175a7daf4bccee8daf88833077112752f1f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 10 17:14:20 2013 -0400

    * packaging: we need the INITSYSTEM= override in make install as well

commit 38d3347c24880060995359d39f3f06ed8a3ccef2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 10 16:29:50 2013 -0400

    * packaging: updates to libreswan.spec for fedora 18
    
    - Enable _hardened_build
    - Added -Wformat-nonliteral -Wformat-security to USERCOMPILE
    - Added -Wl,-z,relro  to USERLINK
    - Support macros for 'prever' to get proper versions for dr/rc releases
    - Removed obsolete defkv/kversion/krelver/srcpkgver variables
    - Add Obsoletes/Requires/Conflicts for openswan
    - Force init system detection with INITSYSTEM=systemd

commit be90ed4683612df489afec74fb54404327bcaa58
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 10 13:16:50 2013 -0400

    * packaging: changed remaining $RPM_BUILD_ROOT to %{buildroot}

commit d2474fcd5d9a7ffad5c8a774d4bf0873bb775422
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 10 13:10:41 2013 -0400

    * permissions: open up /var/run/pluto, close down /etc/ipsec.d
    
    The rundir (default /var/run/pluto) is changed from 700 to 755, to
    allow non-root processes to read pluto.pid (eg monitor scripts)
    
    The ipsecddir (default /etc/ipsec.d) and its subdirectories are changed
    from 755 to 700. This was already the case for some distributions
    (Fedora, RHEL). This provides a little more privacy about which IPsec
    tunnels are configured, which certificates are known, etc.

commit 4bbdd9fa73bd3c22958d794f71beddac270b6dd9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 23:45:56 2013 -0400

    * added comment for unknown juniper vendorid.

commit 98751d85f47131a5bd599e6d67bea113b6f6330d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 13:44:32 2013 -0400

    * initial_contact man page entry

commit 12a24be0b1639e1d6a60022d999852603208aab2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 13:38:18 2013 -0400

    * updated changes

commit d74f33f22a7e6d6bf6b4ff32367b81ffbab56b40
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 13:35:55 2013 -0400

    * IKEv1: Support initial_contact=yes|no (default no) in Main Mode [Paul]
    
    This only affects sending the payload. As responder, we still ignore this
    payload and base our decision for replacing the IPsec SA on the uniqueids=
    setting. That code does not cause downtime like the initial_contact behaviour
    (on Cisco) does.

commit 3e6543a6bd5db6bf3c11ad72a0fccdec5e8cf542
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 13:05:37 2013 -0400

    * fix whack usage for --addresspool with mandatory range argument

commit d6a2b4b80a340a3dda6d9b5ea520dbb4285f5b53
Merge: b5fe675 78c4e52
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 12:58:40 2013 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit b5fe675402b64532a535083ca05c1a9785840348
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 12:58:23 2013 -0400

    * more updates to CHANGES

commit 78c4e524aa68db4b4c9126aea264dd21b3d9baf1
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 9 16:45:25 2013 +0000

    * addresspool : code cleanup. removed unused bits

commit a1d7edfae641371025ebd1c5a5a127356a0aa2d0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 12:32:10 2013 -0400

    * updated changes

commit b7e19e8dad109fb14c6826438ee8c3acfea2f07e
Merge: afd74c1 49793ba
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 12:31:04 2013 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit afd74c1b4c430248b491a9296cc715b03c14d8dc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Apr 9 12:30:45 2013 -0400

    * updated changes

commit 9c3130dbe56a12349fb672afcb934ed3fcc7b3f4
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 9 12:28:15 2013 -0400

    * addresspool: Use same_id() to identify reconnecting client and re-use lease
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 49793baeb4659d6013346b67737627bcda584e68
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 9 09:57:27 2013 +0000

    * testing : ikev2-05-basic-psk seems to need nhelpers=4 too. maybe 2 is
     enough

commit a9d558f144f106a3b1f5069d4eab37e636c59f09
Author: Antony Antony <antony at phenome.org>
Date:   Tue Apr 9 09:51:40 2013 +0000

    * ikev2 nss : fix bug 78. may need nhelpers=4 or so too

commit d31fbfc9dcf376df7ae5fb5fa7c7129faa0cd1ff
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 7 18:48:10 2013 -0400

    * added another (unknown) nortel vendorid in a vendor.c comment.

commit 955ba75cd49f87bb48f0a156ce2d052c3de96ed4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Apr 5 22:37:26 2013 -0400

    * _stackmanager: when unloading NETKEY, unload ip_vti before xfrm*tunnel

commit bbe1d2e134188e2442df8dde54d0c1209c0b42f5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 4 13:26:22 2013 -0400

    * updated changes

commit 68c98e67ef3c4e6aaaaabc5b1d07d368c8ec121c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 4 13:24:27 2013 -0400

    * pluto: Obsoleted force_keepalive= and --force_keepalive
    
    It violates RFC 3947/3948 where an explicit DOS is mentioned. It was
    not enabled per default. It would not actually accomplish keeping the
    NAT mapping open in the opposite direction.

commit 4556b56267fe0ddd67cc94e54ed6837afb9394ae
Merge: e08e793 9678a75
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 4 00:55:26 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit e08e793a4267a258829f47ca790fe87721b25cf1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 4 00:44:08 2013 -0400

    * pluto: added per-conn nat_keepalive=  (whack --no-nat_keepalive)
    
    Add an option nat_keepalive= to allow disabling keep alives by
    specifying nat_keepalive=no. The default (yes) causes the same
    behaviour as we have currently without the option.
    
    This option takes precedence over the global force_keepalive= option
    
    Note: I don't fully understand the purpose of the global option, it
    would send NAT-T KA packets when "they are NATed" whereas normally
    we only send NAT-T KA packets when "we are NATed". Is there an actual
    use case for this?
    
    To ensure we don't change the current behaviour, the whack option
    does the negative, eg --no-nat-keepalives, so that not specifying it
    gives the proper default behaviour of doing regular NAT-KA packets.
    
    NOTE: We currently always send these packets, even when there is
    traffic flowing over the IPsec SA (and thus over port 4500 so the
    NAT router would keep the port mapping open anyway)

commit f3b76f40f668f4222dd0ae3d010de9675525597a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Apr 4 00:42:56 2013 -0400

    * oeconns: fix format string which was missing a %s.

commit 86a76b8e79b01fe1fd2c082a281d57cda9290df0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 3 23:28:47 2013 -0400

    * starterwhack: fix format string in starter_log() to use %d for int

commit 03e41b968673c3aa5ec6f4a030d4461d95e6d65a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 3 23:19:02 2013 -0400

    * pluto: Log out own vendorid as "received" instead of "ignored"

commit 9678a75e575542c4edb75e1fed34ee0231c98c1e
Merge: 0250657 2a88180
Author: Antony Antony <antony at phenome.org>
Date:   Wed Apr 3 21:53:31 2013 +0000

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 0250657938a220fe15cb12a3e96b31a17ab1ed2f
Author: Antony Antony <antony at phenome.org>
Date:   Wed Apr 3 21:52:43 2013 +0000

    * testing :  fixed sed line Restart=no

commit 37637bbf2f637a5822ecb89ac99734eb337a41ee
Author: Antony Antony <antony at phenome.org>
Date:   Wed Apr 3 21:51:29 2013 +0000

    *testing : swan-prep creates OUTPUT/<hostname>.pluto.log with right
    permissions

commit 06f645fe136a98b03d67406e34968827694ad444
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 3 16:53:29 2013 -0400

    * pluto: clarify Commit Flag log message

commit 2a8818092e4da79c549fd8fe7c44b95998ad3c8f
Merge: b8d8d59 2690046
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 3 16:37:23 2013 -0400

    Merge branch 'fweimer'

commit b8d8d59b572bcf80646cbea46a18644e2e5b7e06
Merge: 2a9e59c 241da18
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 3 16:33:27 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 2a9e59c481591c3720b73521c45048523fec8205
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 3 16:24:17 2013 -0400

    * IKEv1: fragmentation check for null state was too late.
    
    We would have already tried to dereference it

commit 269004618ec392706e4f198644c5b59d79d28fed
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Apr 3 18:32:43 2013 +0200

    Add missing format string attribute to starter_log
    
    And add format strings to call sites which lack them.

commit 2595da46930233c405d86b35bde3caa40043643a
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Apr 3 11:38:32 2013 +0200

    Replace GNU-style designated initializers with C99-style ones

commit 241da18e477598ad14ffc776137f64b105874191
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Wed Apr 3 13:27:06 2013 -0400

    * pluto: constants.c: jam_str: fix typo in comment

commit af00a6d746c8dcfe24c0d6ef007d5581fafa9650
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 3 12:42:48 2013 -0400

    * pluto: sadetails of 256 is actually also not enough, raised to 512

commit bd04fc15c44775aec1f501b0e1c4a94a2d48644c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Apr 3 12:36:56 2013 -0400

    * pluto: increased sadetails string from 128 to 256 so XAUTHuser isn't cut off
    
    The size of sadetails is for the message that is printed when the IPsec SA comes
    up, and is passed via fmt_ipsec_sa_established(). Since we now log the XAUTH user
    name, this 128 character limit was causing the line to be cut off at 128, leaving
    out the partial XAUTH user name (especially when NAT was used and the NATOA/NATD
    info was also printed)
    
    It now looks like:
    
    Apr  3 16:36:12: "iphone-general"[6] 76.10.157.78 #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0d0f1c0c <0x8600e9d1 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none XAUTHuser=B6188A01A77A6825B535A5A20D5E44E013BFF326}

commit f8b0a4497ba2aa1931f2962d45d0cd14dc27075d
Author: Antony Antony <antony at phenome.org>
Date:   Wed Apr 3 11:05:15 2013 +0000

    *testing : skip the umlplutotest  don't run final.sh twice on initiator

commit e18d621a95ac1827cf97862d26b44712a5e89a0b
Merge: bb75c17 6218791
Author: Antony Antony <antony at phenome.org>
Date:   Wed Apr 3 10:49:23 2013 +0000

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit bb75c1788751aa69143a85dc38f315d61a752092
Author: Antony Antony <antony at phenome.org>
Date:   Wed Apr 3 10:46:14 2013 +0000

    * testing : hack to get make check run for pluto tests. disabled kvm
      checks. change the TESTLIST command to kvmplutotest

commit 621879100f7acabd1ac4b5038d5f941e29de329f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 30 16:48:44 2013 -0400

    * Added our GPG key as LIBRESWAN-GPG-KEY.txt

commit 10f43a7b7542c88dcf3b68ffca4da9445534a3b1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 30 16:47:28 2013 -0400

    * updated changes

commit 9f1ab06d52870e4d6d92914dd96e6ee6c2918266
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 30 16:43:57 2013 -0400

    * pluto: don't log 0 bytes traffic stats for phase1 SA's
    
    We tried to determine the amount of traffic on ISAKMP SA's as well as
    IPsec SA's. We no longer log bogus 0byte traffic for ISAKMP SA's.

commit 18d929eb88e5984cd1635cabec0c918845d9ef82
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 30 16:29:12 2013 -0400

    * XAUTH: cleanup XAUTHuser in ipsec auto --status/--down
    
    Don't list it with connections and down events that don't have an XAUTHuser

commit 3ee789af4728f22219273c33eba3b81f67490fd5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 28 17:07:15 2013 -0400

    * building: make depend cleanup - two old nss/nspr entries were left

commit 0cbdd95da9808a851787e28a08621d510772a45b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 26 11:36:25 2013 -0400

    * building: make depend results should not include any nss/nspr includes

commit e180ac8af232c3df815c294d775fca29bf1df226
Merge: 9172d28 2287094
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 26 11:15:30 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 9172d281447ef915094c91961add9ef8b25fa7a7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 26 11:03:04 2013 -0400

    * initscripts: IPsec stack was not cleaned up for upstart, non-modular
    
    ipsec setup stop on upstart did an "exec stop ipsec" preventing the
    module cleanup code to be called, leaving old kernel policy around
    
    If the stack was compiled inline, cleanup was not performed either.

commit 228709416591f3120793b06003da00d19984de95
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Mar 26 11:49:27 2013 +0200

    add changelog entry for defaultroute finder improvement

commit fe2af772c58227b0dbab09dba0bdefddcc20c14e
Author: Kim B. Heino <b at bbbs.net>
Date:   Tue Mar 26 11:33:49 2013 +0200

    addconn: improve defaultroute finder
    
    If both nexthop and source are undefined find out values in two pass:
    
    1) find out nexthop for destination
    2) find out source for nexthop
    
    Doing both in one pass returns source for destination.

commit b52a9e44222d0d3568bd28854c550b200a1494bf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 25 16:34:24 2013 -0400

    * building: remove nss3/utilmodt.h from Makefile.depend.linux
    
    We won't detect if it is changed, but it should not change anyway.
    This file is not present in nss-3.13 (RHEL5)

commit b6af19187467107dc577bda86e5c2e2f3ec2173c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 25 16:17:41 2013 -0400

    * building: remove check for labeled security file - it breaks make depend

commit a96f9d47e1d2385f85385d0469a7d097d5c26351
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 25 12:37:47 2013 -0400

    * building: Add -pie to default linker flags, ensure relro is not overwritten

commit fc26df66145f47775aa9e169a7cffbd83d260a34
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 25 09:56:57 2013 +0200

    update changes for variable tweaks

commit 340329cdf966f8467eced54327189eb52cbfd736
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 25 09:53:52 2013 +0200

    Revert "netkey: remove logged warning which is not true after commit 9ed4d3e9"
    
    This reverts commit 6470bb3737da49370d511afd1d3f63bbbbab4f18.
    
    We need this warning because commit 9ed4d3e9 was reverted.

commit 2e6a5396a38baf83d727e4c8d8be50b4a377d4b8
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 25 09:40:25 2013 +0200

    libswan: fix conffile to use correct define

commit 7ecac68f816f02ef857575abe219ea590ae3b61b
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 25 09:26:34 2013 +0200

    build: don't use buildsystem variables in code

commit 8bd19428ecd9a5f7a0633da2b37d7359269105cf
Author: Antony Antony <antony at phenome.org>
Date:   Sun Mar 24 23:29:44 2013 -0400

    * building: fix "make depend" in programs/pluto
    
    Makefile was using $(GCC) instead of $(CC)
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 67049b41ab4a8be3dca7a10d0be59da097d86710
Merge: 15f7131 5efb4a4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 24 21:08:36 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 15f7131fb6dacb7197e446277ddaa8da53f8769a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 24 21:06:52 2013 -0400

    * _stackmanager: flush netkey unconditionally upon restart
    
    It seemed sometimes we did end up with some leftovers from the
    previous run, causing module unload failure and lingering unknown
    internal state. To prevent that, we unconditionally flush state and policy now

commit c05eb90259d89fd3108a3bf53808e03adb380611
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 24 21:05:09 2013 -0400

    * pluto: clear out old logfile on restart
    
    Don't append. Old behaviour was to start a new file and is preferred.

commit 5efb4a4a9134ea08134d0a0a2855de9345b62449
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 24 21:43:58 2013 +0200

    update changes for VERIFY confdir location

commit e21ff23e439484e2b2a98b33fbbc87d2b82b8c81
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 24 21:41:25 2013 +0200

    verify: fix wrong confdir location

commit f40a2237e5cad7149d0f3188b816ac4c965ab4a0
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 24 21:15:27 2013 +0200

    initsystem: fixed default sysv init status function

commit 89e3b517348b46ffd4f65407123a2b9512d66949
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 24 20:19:04 2013 +0200

    update changes for ipsec --help fix

commit 168554fec90325e2089c7f1115a0629547ec573a
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 24 20:16:11 2013 +0200

    ipsec: fix syntax error in --help

commit c736bc94dd289bc29da6a78f6c2a27d39cdbd1a0
Author: Antony Antony <antony at phenome.org>
Date:   Fri Mar 22 20:17:07 2013 +0000

    *testing : rename test output file, fixed and pluto log files
    	east.console.verbose.txt fixed file east.console.txt
    	pluto logs are east.pluto.log

commit 644a65f213b99a98601fed2771f13eb74905961e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 21 22:59:18 2013 -0400

    * packaging: rhel5 has no %{_isa} macro and no nss-softokn

commit f5192fc258f1d3e2f36c2531a0867afd658cfbbe
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 21 22:21:32 2013 -0400

    * packaging: Split RHEL spec files into rhel5/rhel6 versions
    
    Also added OCF support as an option.

commit 94d08ca0e05b53bce6bb4c663dcb7bf518d05975
Author: Pavel Kopchyk <pkopchyk at gmail.com>
Date:   Thu Mar 21 14:54:01 2013 -0400

    * KLIPS: SAref patches for 3.0.55+ kernels
    
    This takes into account changes made by upstream in:
    
    http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/net/ipv4/ip_sockglue.c?h=linux-3.0.y&id=26aeb8bdda7619453e0958e8c38a84c7add3643b
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 6987e4d1c0ee62d879778eb3da68e252b371bfcb
Merge: 983259f a4e6195
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 20 22:22:03 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 983259fffc586bc00512ea12852ebbd789eceb86
Author: Pavel Kopchyk <pkopchyk at gmail.com>
Date:   Wed Mar 20 22:10:19 2013 -0400

    * SAref patches for RHEL/CentOS 2.6.32-358.2.1
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit a4e6195811c6685c1c440ff965890a2d3c9f56e3
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Mar 19 16:41:51 2013 +0200

    Revert "* Pass traffic selectors to the kernel in Transport Mode"
    
    This reverts commit 9ed4d3e9ca2f57872167149c633f7ee2a3b01549.
    
    This patch was quite badly wrong and caused natted transport mode
    to break up completely.

commit fac4e47f1d27ed89aaba92b45037c090c21d269c
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Mar 19 10:42:33 2013 +0200

    ipsec: use environment variable in script

commit 25db3fa3ea6d2ccd5e8f1baa4095c7f82fa87045
Merge: 7e8af6e c81069f
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Mar 19 10:29:49 2013 +0200

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
    
    Conflicts:
    	Makefile.inc

commit 7e8af6e16897daa681c6fe6e96cfbe750857e59a
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Mar 19 10:26:09 2013 +0200

    ipsec: cleanup coding style

commit 6ffca8740086509964d2c2ce6024438df33d663a
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Mar 19 10:14:22 2013 +0200

    update changes for bug #76 fix

commit fb89162dccb46e1f2158957fe821f99cc506deba
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Mar 19 10:12:06 2013 +0200

    initnss: fix bug #76: ipsec initnss fails with a @FINALCONFDDIR@ replace and
    no default configdir

commit c81069f40a2f99d0e3d51f91521b3e85cf1074cc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 18 23:34:40 2013 -0400

    * fix preprocessing filename comment for /etc/ipsec.conf

commit b7b38a766f465d9df365f955eacd3fc311158224
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 19 03:23:48 2013 +0000

    * testing: Give north a new raw rsa key

commit f8c3714cc4ea778259d31daa9cfb51f37660eadb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 19 03:21:01 2013 +0000

    * testing: fixup basic-pluto-03 test results
    
    This test required a new north raw rsa key as the NSS db files never got
    committed.
    
    consoles taken from OUTPUT/*fixed* except for two manual changes that
    still need fixing:
    
    - mark tcpdump output as still needing a filter
    - pretend we correctly identify all Libreswan vendorid's
      (instead of logging a "ignored vendorid [....]")

commit 16c3e70d7987c58f5d435c85aea9c9e27514eb66
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 18 22:50:09 2013 -0400

    * newhostkey: set default NSS dir for call to newrsakey
    
    via @FINALCONFDDIR@ which becomes /etc/ipsec.d per default

commit 99ca899eccb7b4c361bf34cdab4520fdd79e0ab5
Merge: be0448c 93e0992
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 18 22:35:54 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit be0448c05b7d72e04c85ee2fdc8ad6b08fd5282f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 18 22:35:17 2013 -0400

    * building: @FINALCONFDDIR@ was not properly expanded in the ipsec cmd

commit 93e0992e829fd8e3736000c6628e4d2c8f39d67d
Author: Libreswan Build <build at libreswan.org>
Date:   Tue Mar 19 01:51:21 2013 +0000

    * testing: basic-pluto-02 fixup as it likely was meant to be.
    
    Since part of the "known good output" was missing, west specifically,
    I have to take a guess at what this was supposed to do. I believe it
    is meant to reject the connection on east because the eastnet-westnet
    conn is explicitly not loaded, and the OE conn would not match such
    subnets.

commit 25f4be69f7449a082961082c55cb1b145d249dd1
Author: Libreswan Build <build at libreswan.org>
Date:   Tue Mar 19 01:11:18 2013 +0000

    * testing: cleanup east/west conf for basic-pluto-01

commit 1fb4e818765e157e9bcfa2ffe3650cf49b9a0eba
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 18 21:01:26 2013 -0400

    * testing: update basic-pluto-01 known good output
    
    Now includes a line with "Total IPsec connections", as well as
    receiving the FRAGMENTATION vendorid

commit e4d035a61be2cc13d115a6d7efd50017c71461ee
Merge: 17e355d 244b79b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 18 20:51:12 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 17e355d9ed6d495b8df7091149e762a2bd4b48c4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 18 20:49:23 2013 -0400

    * _updown.klips: Fix parse error introduced with b5cc4343f567

commit 244b79bcd86baed9d65ce051f87329e762fe84df
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 18 09:59:15 2013 +0200

    CHANGES: #75: Libreswan inserts wrong xfrm policies on some configurations [Tuomo]

commit a55f9d8ad1b1541f639d954bb461d6781ebf340d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 18 09:56:14 2013 +0200

    netkey: clarify comment on bug #75 fix

commit d37adcebbca781a2ad40769ea077619faa2f2cb9
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 18 09:50:42 2013 +0200

    Revert "Revert "Revert "Revert "Always use XFRM_MSG_UPDPOLICY instead of XFRM_MSG_NEWPOLICY. This avoids""""
    
    This reverts commit 39b7891e50fae053e8acebdc1f55af6408f8fdad.
    
    Fixes bug #75
    
    Without this code we fail to insert another policy with same subnets.

commit 40948526dff2482351e36bfe2889718df6a9c279
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 15 17:16:53 2013 -0400

    * update CHANGES for next release

commit 32e465ee578c97cee0ff582ae9ebe96b43a62f1e
Merge: 6470bb3 5eccf88
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 14 22:16:18 2013 +0200

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 6470bb3737da49370d511afd1d3f63bbbbab4f18
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 14 22:16:02 2013 +0200

    netkey: remove logged warning which is not true after commit 9ed4d3e9

commit 5eccf8876c4ca95cee94661415fe0f3dcfa6ded6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 14 13:24:02 2013 -0400

    * libipsecconf: fix parsing nexthop= setting
    
    When sourceip was specified, we could accidentally overwrite nexthop
    setting.
    
    Bug was introduced with HAVE_DNSSEC in libreswan 3.0

commit cdd265136cd77d7dc558bbafafeae57f491ccea0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 14 13:19:10 2013 -0400

    * update changes

commit be65143a730807479e9dcc57112c8d8a6fd0a906
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 14 12:59:03 2013 -0400

    * libipsecconf: Remove unused cmp.[ch]

commit c6fce31a7725e1e7e923bc539343afb9f7b872f6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 14 12:48:31 2013 -0400

    * readwriteconf: update usage(), initialise rootdir2

commit 497aa2501f1ad6f04bd7208bd170cb3c32c73fa6
Merge: 2284147 cfdc7df
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 14 00:46:19 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 228414770f2e2309eb3cbcc2f2f7280bb1f1e6f9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 14 00:45:41 2013 -0400

    * packaging: fixup libreswan-kmod.spec to work on rhel5 as well

commit cfdc7dfec523508a90546431d11023082230a14a
Merge: cfb763e a2b28b8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 13 17:37:42 2013 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit cfb763e00952e643abc104971dd08ed0ec07ef67
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 13 17:36:08 2013 -0400

    * clarify error "defaulting leftsubnet to 1.2.3.4"
    
    This really means the user specified leftsourceip=a.b.c.d where left=
    is not a.b.c.d and no leftsubnet= containing a.b.c.d was specified.
    We then construct leftsubnet=a.b.c.d/32

commit a2b28b81f1e8500f2993a3132d903d2fe2476249
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 13 23:16:05 2013 +0200

    initsystem: sysvinit whitespace cleanup

commit b5cc4343f567abb0aa963b2f0e74c8cbbbc60ec8
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 13 22:31:30 2013 +0200

    _updown.*: script cleanup

commit 688511ce24c743804432fafd15aaddd1ff368c9b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 13 15:47:46 2013 -0400

    * make default case the last switch entry

commit da225cdc0e7b71d51b1138484b63436f28db7e54
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 13 13:16:20 2013 -0400

    * man page entry for leftaddresspool=

commit 0a9e0ae3402d7c158e6100d674d8840b3f9e0af2
Author: T.J. Yang <tjyang2001 at gmail.com>
Date:   Wed Mar 13 14:20:02 2013 +0200

    packaging: fix crl fetching support in rhel rpm spec

commit b22c95888b71050ff4e7c13da185dcea70c5c179
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 13 10:35:43 2013 +0200

    update CHANGELOG for bug #71

commit bccae61ee685b7232d90bb6ea1a790bac33f7434
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 13 10:27:59 2013 +0200

    Revert "* Block rules created by openswan remain even after tunnel establishment"
    
    This reverts commit 8c4cc708ff398a2addd2923d9e461078b1a714f7.
    
    Fixes bug #71.

commit dfb32e4b87e1056e3132eea078b753925411f16f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 12 18:50:37 2013 -0400

    * Remove an unused variable buftest

commit 5b825cfc5325ab2a04643b873d96af8dd97f65d8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 12 18:49:26 2013 -0400

    * packaging: remove klips from fedora spec file

commit 8c745b3f22259190c806404b9ea5c599d79b17c0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 12 18:47:39 2013 -0400

    * packaging: remove KLIPS parts from libreswan.spec
    
    This is all located in the kmod-libreswan.spec file

commit 6b275e62b1ba4d84f832d7fb12b3ab8c5eca0690
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 12 18:43:34 2013 -0400

    * X509: Don't compile authcert locking when not compiling with LIBCURL

commit 1271c4a5eaca5fd6285937fe99d0992de89db40c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 12 18:33:07 2013 -0400

    * libipsecconf: prevent leftaddresspool= + leftsubnet= in 1 connection

commit f3c47d25fa18efa863114d440b314b5b03f075ad
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 12 15:26:25 2013 -0400

    * update changes

commit 59287b227316ab4f655d0ba59abc0d186fca07ad
Merge: 7806bec a7758cd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 12 15:21:33 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit a7758cdf297b3335abcf5fff2a8b18b1671b795b
Author: Kim B. Heino <b at bbbs.net>
Date:   Tue Mar 12 20:59:35 2013 +0200

    addconn: find peer address if default gateway is ppp without via

commit 88af3c398e1f22c77873f8eab1b485182b0415a6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 12 14:29:57 2013 -0400

    * updated CHANGES

commit ce3e91696c6a751ae90a2578d7d9c055e5aaa576
Author: Antony Antony <antony at phenome.org>
Date:   Tue Mar 12 17:19:19 2013 +0200

    * addresspool : fix warnings. internal functions are type static

commit 7806becb61b74a832806c8ab6368395ca512a120
Merge: f617aee 4b677f6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 11 22:34:07 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit f617aee5b170ef1d0e60c124b815cc2c6040c298
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 11 22:32:22 2013 -0400

    * packaging: Added libreswan-kmod.spec and kmodtool-libreswan-el6.sh
    
    kmodtool-libreswan-el6.sh should be copied into the SOURCES/ directory
    and then libreswan-kmod.spec can be used to make a kmod kernel package
    for KLIPS.

commit 4b677f60ba8925a2c32433ea41d9bd5a30ca936c
Author: Antony Antony <antony at phenome.org>
Date:   Tue Mar 12 01:08:13 2013 +0200

    *config remove obsolete/unused modecfg_wins*

commit 649e5c0d5e412a1dfa0f179f215ffb112b43a20f
Author: Antony Antony <antony at phenome.org>
Date:   Tue Mar 12 00:40:16 2013 +0200

    *addresspool : added to Makefile.options

commit 581b42695b1ec14563caf304cc8b8385247665c5
Author: Antony Antony <antony at phenome.org>
Date:   Tue Mar 12 00:19:58 2013 +0200

    *addresspool : left|rightaddresspool support and testcases

commit f0530a007b8b7a17db4c100b035c099081dce311
Merge: 21045bd 6e9f6f9
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 11 19:52:54 2013 +0200

    Merge branch 'fragmentation'

commit 6e9f6f959b63db72a429449fa844320437d9feaa
Merge: 54ad009 21045bd
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 11 19:36:10 2013 +0200

    Merge branch 'master' into fragmentation

commit 21045bd0d125fa9385798e5ded7d656f85786291
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 11 14:54:24 2013 +0200

    update CHANGELOG for _plutorun changes and sysvinit tuning

commit 08887f953a6da062a5ae47df92132db77e8c295c
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 11 14:49:53 2013 +0200

    sysvinit: change initscripts to use new _plutorun interface which passes all pluto options

commit 37be2781d9ab457384338403f3c38d2ebdf915fa
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 11 14:45:25 2013 +0200

    _plutorun: change plutorun to pass all command line options to pluto
    simplify script to actually work

commit 54ad009025f27f364df94691a16a8bc453464f5d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 11 07:53:17 2013 +0200

    ipsec.conf: Fix some typos in ike_frag= documentation

commit bbc65776e8896e8f83dab9869f1b49f1a7780932
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 10 13:27:04 2013 -0400

    * pluto: threading cleanup in log.c
    
    Use one mutex for all locks.
    Protect whack_log() with a mutex
    Don't protect fmt_log with mutex
    Change debug_prefix to const
    
    Based on patch by Philippe Vouters

commit e9969f7de062d93a906ca79c80d5687011b67d7f
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 10 18:27:02 2013 +0200

    re-fixed CHANGES for pthread

commit fc06d1ca87c59142a1c1bf609f153a12496b25fc
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 10 18:26:39 2013 +0200

    compiling: correct fix for CFLAGS: -pthread

commit f819a384c8beef5158ed54985748723020c089b9
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 10 17:34:45 2013 +0200

    add info about -pthreads to changelog

commit a47146d38f96abb80da188aee43c3646cf7ce04b
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 10 17:27:16 2013 +0200

    compiling: added -pthreads to CFLAGS

commit 6e267fe116c13e58e71a07f87f9f9f8b74d28245
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 10 12:46:04 2013 +0200

    pthreads: Make sure pthread.h is the first include file

commit 2dbbbc7011042ccc6c273b89c557eede2d73f288
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 9 22:52:03 2013 -0500

    * packaging: make pluto pam file %config(noreplace) in spec files

commit 4a07734ffc75e6bdaceadddcb6eec98d2dbbc02a
Merge: 13cb4f5 cd2acdf
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 10 00:06:26 2013 +0200

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 13cb4f591e65a6fe1434a7cdcc37ee47f43a5d07
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 10 00:06:11 2013 +0200

    sysvinit: fix location of sysconfig dir on install

commit cd2acdfec8f153eab5b9ef92fb0ec2024d34a20d
Author: Antony Antony <antony at phenome.org>
Date:   Sat Mar 9 21:43:31 2013 +0200

    *updown script syntax fix _updown.klips.in

commit 2c03d725571a9750f2961b556f09a597520a0973
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 9 00:13:09 2013 -0500

    * IKEv1: Only mark peer as fragment capable after assembling a fragment
    
    We used to mark a peer as fragment-capable after receiving a first
    fragment. Now we wait until we have assembled a full IKE packet from
    fragments.
    
    Regardless, when we receive the vendorid we deem them fragment capable.
    In theory this could be spoofed, but an attacker that can modify packets
    can do a DOS anyway.

commit 934a4944d6edd7a5aeac9fd7ed2e03f664da9d42
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 9 00:12:34 2013 -0500

    * IKEv1: Don't process incoming fragments with ike_frag=no

commit 06b26d0c2b76e9abee5816d88c5cdcd90d741b1c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 21:59:21 2013 -0500

    * pluto: fix log message causing crash on INVALID_COOKIE
    
    Introduced a few commits ago by me using a wrong:
    
    	(st == NULL) ? st->st_msgid : ""
    
    (I paid for it with a few hours of my time)

commit 4d226e7c78305fe8b6554718bb06e1959c80a78c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:32:10 2013 -0500

    * ipsec.conf: Add documentation for ike_frag= option

commit e8f212ba5029ea093ff160058ded237e5ae75caf
Merge: d3459cf b771ac1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:15:35 2013 -0500

    Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation

commit b771ac179fab828f4e35d964c3cf472b5217d440
Merge: 9748787 cd4aa64
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:15:07 2013 -0500

    Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into vault_fragmentation
    
    Conflicts:
    	testing/guestbin/swan-prep

commit 97487873be3fd2846dd3f17b3bf9cea40938b735
Merge: 0b6b498 54ec872
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:14:13 2013 -0500

    Merge branch 'fragmentation' into vault_fragmentation

commit d3459cfda7a02bc946c251384af4e184be2a127a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:12:25 2013 -0500

    * vendor.c: mark st UNUSED in handle_known_vendorid

commit cd4aa6479bd9dfe7dfdc8583d743e402987161c5
Merge: 0b6b498 42a46c4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 18:57:55 2013 -0500

    Merge branch 'master' into fragmentation
    
    Conflicts:
    	programs/pluto/demux.h
    	testing/guestbin/swan-prep
    	testing/x509/dist_certs

commit 42a46c43be90dda2c9054312ea6ebf915adeabbd
Merge: 61bd40d e0c6962
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 18:52:17 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 61bd40dfbe10337f65e7f690508850a49857e872
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 18:49:18 2013 -0500

    * pluto: fixup pthread locking using lock_certs_and_keys()/unlock_certs_and_keys()
    
    The code using lock_certs_and_keys()/unlock_certs_and_keys() was commented
    out because it depended on LIBCURL which is not always present. A "fixme"
    warning was issued.
    
    But only the CRL code should depend on LIBCURL. So I re-instated the
    pthread locking by moving these functions from programs/pluto/fetch.c
    to lib/libswan/secrets.c

commit 54ec872a12a81ed3003155b35ec0d433ad9b362c
Merge: 2b997d7 961dc4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 18:32:24 2013 -0500

    Merge branch 'master' into fragmentation
    
    Conflicts:
    	programs/pluto/demux.h
    	testing/guestbin/swan-prep
    	testing/x509/dist_certs

commit e0c6962f636408cdd4600177c5ff0acd1284efe0
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Mar 8 23:36:08 2013 +0200

    scripts: fix ipv6 default route split

commit be31894a46c6af0fea62e41c49c24d22ffe8f28a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 14:15:20 2013 -0500

    * pluto: Add pthread mutex locks to some logging functions
    
    Some logging functions are calling non re-entrant functions. Until we've
    caught them all, use a mutex to ensure threads aren't accessing them at
    the same time.
    
    Functions changed: libreswan_log() DBG_log() loglog() and fmt_log()

commit 12acc276f502ec0c9379cba5be158e22cbd1c28e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 13:51:48 2013 -0500

    * clarify logging example in ipsec.conf

commit 00c8c8e3a0918145b382370c7c08405906266e06
Merge: 2a97164 961dc4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 13:46:54 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 2a9716410c34e9786770d846ca6d6d53515bd197
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 13:42:50 2013 -0500

    * log XAUTH username on same line as Traffic statistics
    
    In ipsec auto --status it shows up as:
    
    000 #2: "redhat" esp.e4432d35@66.187.233.55 esp.a9433c16@172.20.10.2 tun.0@66.187.233.55 tun.0@172.20.10.2 ref=0 refhim=4294901761 XAUTHuser=pwouters Traffic: ESPin=474B ESPout=336B ESPmax=4095GB
    
    when the connection goes down, it shows up as:
    
    "redhat" #2: deleting state (STATE_QUICK_I2)
    "redhat" #2: ESP traffic information: in=474B out=336B XAUTHuser=pwouters
    
    Also, make humanize_number() static

commit 5b725c34ae3477c326474319a367f05171d7178c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 19:43:01 2013 -0500

    * Removed xfrm xuctx security context log message with incomplete format string

commit 961dc4eb72c221b6fa13c3799dc5b52a5305ba93
Merge: 4d7ce94 bd44e1c
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 22:05:20 2013 +0200

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit bd44e1c18d1315f163655e324a5f14a34d830176
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 14:34:32 2013 -0500

    *  Bug 73 - extra logging from dpd packets after commit d18825150b
    
    Fixed, and added a comment to ensure this isn't 'fixed' again.

commit 5627bf955e2f207c0097f0e3f45212da8e3c060d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 14:17:04 2013 -0500

    * threads: protect crypt() with a mutex
    
    crypt_r requires -D_GNU_SOURCE. Not sure crypt_r is implemented under
    OpenBSD and FreeBSD.  crypt requires -D_XOPEN_SOURCE and thus should
    be implemented on every Unix/Unix-like. The pthread library is even
    implemented under Windows/Cygwin. It is implemented on Linux/HP-UX/Tru64
    (both HP's Unix). So the pthread library should as well be under
    OpenBSD/FreeBSD.
    
    Patch by Philippe Vouters <philippe.vouters at laposte.net>
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit bdddc287874d7fe9a36c3ce6f66f93f37e7a7da4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 14:07:31 2013 -0500

    * xauth: crypt() can return NULL (ie in FIPS mode)

commit a1f1b5815cee2327183045d09d50cdf1a8c3f5cc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 14:05:51 2013 -0500

    * audit: add comment about false positive valgrind warning

commit 713deb1a7294f59134eda52a8eef1d14106dadbe
Merge: 5ede192 5291079
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 7 11:55:31 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 4d7ce94fd7f245ccfcb1d7ac3ee3afa2517aba71
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 11:23:27 2013 +0200

    scripts: remove whitespaces at end of the line

commit 52910798b6c8d81e3c57194901fc0397528ec846
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 11:10:35 2013 +0200

    scripts: fix hardcoded path in ipsec.in

commit fb534e5dc42faa26ede1331fb6e4365c8cebc091
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 11:04:52 2013 +0200

    initsystem: fix bashism in init scripts

commit ef11afa8971af1c5b4c2fd1039c89a0b94a6d08a
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 7 11:01:18 2013 +0200

    scripts: cleanup ipsec script and fix one bashism.

commit 5ede19293a9f604923dd135214258bbfe2c92ca5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 23:15:49 2013 -0500

    * simplify PK11_Derive_lsw() and squash a warning about an unreachable switch default

commit 819b129f617f94b27bbcd9f80ba51d491340091f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 23:46:38 2013 -0500

    * sprinkled a few passert()s to ensure conn name is not NULL

commit 578e6c4ad6d8c65182c27998b5526e2feb50dde4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 6 17:31:23 2013 -0500

    * added testcase for basic-pluto-01 with valgrind

commit 4103f3b8a6b9a9dcaa51301c82cda5eb7fd381c0
Merge: cb798e0 e25f507
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 6 15:41:10 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit cb798e0817fa5bf2a193dd0d158c860ba7ddfe18
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 6 15:37:30 2013 -0500

    * pluto: display the number of loaded/active connections in status
    
    000 "redhat":   prio: 32,32; interface: bnep0; metric: 0, mtu: unset;
    000 "redhat":   newest ISAKMP SA: #1; newest IPsec SA: #2;
    000 "redhat":   IKE algorithms wanted: AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2)
    000 "redhat":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
    000 "redhat":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
    000 "redhat":   ESP algorithms wanted: AES(12)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
    000 "redhat":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
    000 "redhat":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP1024
    000
    000 Total IPsec connections: loaded 1, active 1
    000
    000 #2: "redhat":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 85643s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate

commit e25f5079936682e1add8e8c0362497750c300ca4
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 21:56:17 2013 +0200

    fix typo in d18825150b042f7dbe2c25e85b1c0b6a949a663a

commit b4bbff0949ee9b5f225669b4cb6ec7058fc2e359
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 21:28:18 2013 +0200

    init.debian.in: fix wrong variable expansion

commit 4d75cf59b1b8264294c0d95d6f282c59ce672b83
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 21:21:36 2013 +0200

    plutorun: use correct variable for config file

commit 9664adc5d309055b1016d177f615aaf2241d69a4
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 21:18:30 2013 +0200

    stackmanager: remove extra then and finalize cleanup

commit 982e36711df044604e48a1a700cd1940a4b4c202
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 20:36:09 2013 +0200

    add changelog entry for bug#50

commit 6d534f25b26ade55c4c18c4029a85f7f610188bf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 6 12:49:57 2013 -0500

    KLIPS: fix kmod building for rhel/fedora spec file versioning with arch

commit c382317f1e21a0939a1f01d7e9f29efd81066f15
Merge: d5a9176 ec3054f
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 17:33:53 2013 +0200

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit d5a917623ce2fb58ca254dd9013c7c7a5532aa70
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Mar 6 17:31:00 2013 +0200

    scripts: big script cleanup unifying coding style to new one where possible.
    This cleanup also fixes multiple bugs in scripts.
    Also this should fix libreswan bug #50.

commit ec3054f1c17e521adc38d452cfb9539c4a42fa65
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Wed Mar 6 03:07:39 2013 -0500

    * address re-entrancy
    - add NOT RE-ENTRANT comments where evident
    - make bitnamesofb() re-entrant
    - add a jame_str function to do what people try to use strncpy for
    - replace confusing global buffer diag_space with local variables
    - convert some file-static variables to function-static

commit 5d4e8cd79e147ca6e64f65852230e71b0378e300
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Wed Mar 6 02:04:03 2013 -0500

    * tweak timetoa to make it more concise

commit 852a7c61cff495acbb1707cdb683f5bc4c787d65
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 14:49:36 2013 -0500

    * testing: int/string issue in swan-prep

commit 418da26c1f5ffdd13cf3ea523bf7a69f295f6a17
Merge: 29999c3 896ff57
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 14:19:13 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 896ff57192f6846ef6864c5596d00ef200d76766
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Mar 5 21:18:50 2013 +0200

    pluto: fix IPCOMP logging to be easier to read

commit 29999c34453352a80feaad787fd8b2961998cd52
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 14:17:27 2013 -0500

    * fixup recently introduced check for rekey=no plus dpdaction=restart
    
    commit 4dde1771e5e89cd80 to implement this never triggered because it
    confused conn->options_set[X] and conn->options[X]

commit a0e4dd1a3a854286deef1ef876b94ea17b5d31f7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 14:11:35 2013 -0500

    * testing: added testing/klips/fixups/cut-postfinal.sed

commit 79a9a9d9a951d8cdd8a69d28ed37c94b7e34bd4d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 13:35:28 2013 -0500

    * lswconf.c: remove unused variable env

commit d18825150b042f7dbe2c25e85b1c0b6a949a663a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 13:33:44 2013 -0500

    * ikev1.c: code cleanup - as suggested by dhr on the mailing list

commit eeaf4d5c2cbf8257cce3ed5715581ef8ce518c77
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 12:25:18 2013 -0500

    * libswan/pluto: don't use localtime/gmtime - not thread safe
    
    Instead use localtime_r/gmtime_r
    
    This resolves a crasher when many rekeys with XAUTH are happening,
    and the do_authentication() call in the threads are logging a lot.

commit 9ff70cbb08ecb00c045354f80c6d44a46b62078c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 11:52:49 2013 -0500

    * testing: swan-prep: fix regression in killing old IKE daemons

commit 76ae9b534a24159f23da1fcc1043e14b3fa15192
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 5 00:11:25 2013 -0500

    * testing: sync up test case work.

commit 2ed580d33b18ee5dbd66c30856fb81c2a2f9cc36
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 4 23:53:29 2013 -0500

    * testing: dotest logs RESULT now.

commit 04e006fd6e97005599ebc0cb00d0dac79c376849
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 4 23:52:51 2013 -0500

    * testing: swan-prep: don't use lstat, it throws exception.

commit ff4dfee2c2c5cdf2e20e5afff45f618b7de02e1f
Merge: ece0d94 d666696
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 4 17:58:17 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit ece0d94d7e2f699fe6779b70d3ddc554914310ca
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 4 17:57:41 2013 -0500

    * testing: make stackmanager call path independent

commit d666696d755b4fbd58fd7f68621abd9b6734f3fd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 4 16:03:27 2013 -0500

    * testing: lstat / testname/dir fix.

commit 8d406e98dd1be3272f4bd424902b20e6f2da3b62
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 4 15:36:00 2013 -0500

    * testing: run swan-prep in each test, to assist manual test runs
    
    It has been taken from runkvm.py so it is easier to run test manually.
    Some better checks for the /tmp/pluto.log softlink as well

commit 426c47723f6a96e1e9dac3a13b2c01c089b3fdd0
Merge: 7542cd1 a7ff698
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 4 11:13:06 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 7542cd1cb5eab5eab955d3d7f4eaf6eac84a46b8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 4 11:10:40 2013 -0500

    * testing: added four testcases for compression=
    
    compress-pluto-01 is klips-klips with compress=yes
    compress-pluto-02 is klips-klips with compress=yes/no mismatch (should fail)
    compress-pluto-03 is netkey-netkey with compress=yes (should not fail but does)
    compress-pluto-03 is klips-netkey with compress=yes (should not fail but does)
    
    This shows a clear bug in kernel_netlink.[ch] with compress handling on NETKEY
    (regression from osw 2.6.38)

commit a7ff69897209ccdc7ebaccb71d7e190190379e30
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 3 20:44:39 2013 +0200

    update changes for rpm spec file changes

commit 506a0d3b97f353aba2cd2eed3ef0996aa245a95e
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Mar 3 20:42:55 2013 +0200

    packaging: add /etc/ipsec.d/crls and /etc/ipsec.d/cacerts dirs to rpm spec files

commit c821518211729228ee3b397632b7d24cf4dd9ea2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 3 12:38:55 2013 -0500

    * testing: fixups of basic-pluto-0[134]

commit b42987f38600d68f90fcd275362791c3af379343
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 3 12:10:30 2013 -0500

    * testing: added host-prompt-sanitize.sed

commit 02c89c841f45e1acd9b90cd10626021589d4d0aa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 3 11:54:39 2013 -0500

    * testing: basic-pluto-01 don't run duplicate swan-prep

commit cd113d3d11be3027806c5435d3cd7352890074d9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 3 11:49:39 2013 -0500

    * testing: dotest.sh store RESULT in OUTPUT/
    
    Also, at the start of the test, create the RESULT file with content "RUNNING"

commit 59cf5d47d2a04e442aa92897dab0b87dc0017c8b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 3 00:47:23 2013 -0500

    * testing: fix version sanitizer

commit d2692a785fb2c4637ca431b4cd883a43f275f6e2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 3 00:46:22 2013 -0500

    * testing: dotest.sh should pick different tcpdump iface for north tests

commit 6d1594d509e859f99f4859a4f057a20e488280ee
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Mar 3 00:45:47 2013 -0500

    * testing: fixed basic-pluto-03

commit cda1132a8e30d14d3c04ab287d81bf637cf974cc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 2 23:32:16 2013 -0500

    * testing: fixup klips-spi-sanitize.sed to replace all esp.XXXXX occurrences

commit 6c95cc11947399a28f704148b579066e098b6af0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 2 22:37:40 2013 -0500

    * testing: basic-pluto-03 converted to kvm style

commit 84327a996a94d1c79426c5742218c637b798d264
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 2 22:36:06 2013 -0500

    * testing: sanitizer fixup for "Starting Pluto" without pid.

commit 3a28e178f34d460466306d0bc91a2f1ef6caec30
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 2 18:24:57 2013 -0500

    * testing: dotest.sh would abort when nic was in use.
    
    The following would terminate dotest.sh
    
    if [ -n "$NIC_PID" ] ; then
           kill -9 $NIC_PID
    fi
    
    Commented out

commit 16789b973974c0fff9a89876ba8d7130c9ca0bda
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 2 18:23:43 2013 -0500

    * testing: remove leftnexthop= from left=%any setting in ipsec.conf.common

commit e78c346c1c2f2e0fb00c613fb04b51360732da14
Merge: f5b7db1 7f3fa6c
Author: Antony Antony <antony at phenome.org>
Date:   Fri Mar 1 20:37:44 2013 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 7f3fa6cc56c28a24cd4f71a7c77c6f3d0cc8de3d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Mar 1 20:21:15 2013 +0200

    fix: crlcheckinterval value is time, not number

commit 86fe4d1afa7a33de799c381e872b263f843110a8
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Feb 28 23:09:36 2013 -0500

    * add comments describing protocol for Informational Exchange

commit 3d3594f5406260e91d8732cdbc9ccd20f87dbc67
Merge: a65a4e6 ab5d717
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Feb 28 23:07:10 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a65a4e6e21058c78bb6921b16c4568af326059ce
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Feb 28 23:01:36 2013 -0500

    * struct msg_digest: clarify that some fields are only for ikev1 and some are only for ikev2

commit ab5d71709978bcdf4bed7d2927afc8f6c03aa571
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 28 18:08:26 2013 -0500

    * stackmanager: don't do anything without kernel module support

commit 67de91d21fe22515a17fdc0878186dd49b7d7e84
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 28 10:46:51 2013 -0500

    * testing: runkvm.py: give the prompt a 0.5ms margin to appear.
    
    This secret sauce seems to make final.sh happier.

commit 9cee42c35d4ece93db1f8cadda6877d369b3b993
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 28 10:28:37 2013 -0500

    * testing: runkvm.py Attempts to grab serial reduced from 200s to 20s
    
    This was put in by mistake by me. Also removed the implicit default
    for hostname to east

commit c7d0d0d5cf165b60be77dfb75d4fe40eacc79194
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 28 10:25:06 2013 -0500

    * testing: runkvm.sh also needs full prompt for running final.sh

commit f50caa292f0de28efc2c5330fb9decd0e8b25ae4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 28 00:15:58 2013 -0500

    * documentation: updated stock ipsec.conf file

commit 43e1428e8c5b070b2dd109a99ad3a4c718a8cacc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 27 23:45:00 2013 -0500

    * testing: Figured out the occasional mangling of lines!!
    
    The cause was that we were waiting in the expect loop on the prompt
    to return, to then send the next line. But the prompt was defined
    as "root@hostname", even though it was "[root@hostname testname]# ".
    
    probably the [] were left out because within expect that also has
    meaning so you have to protect them using \[ and \]
    
    With matching the full prompt now, I managed to run basic-pluto-01
    5 times in a row without seeing the mangling anywhere.

commit eee8e35e170f32d9d9a568f141bb76668c660c8a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 27 23:44:14 2013 -0500

    * testing: north gets a new raw rsa key that's in NSS

commit aad9f13140ed57b2c6f3fccb85682d0226d390fb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 27 23:14:45 2013 -0500

    * testing: remove unused virtinstall-base

commit 3dcf525c51d81c44b88bd389bc74fc2e671d05b5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 27 22:59:58 2013 -0500

    * testing: dotest.sh now logs results to testname/RESULT

commit ba895127bf6fa79d5f37d8b522f0d577b81aa24e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 27 21:52:30 2013 -0500

    * testing: Make dotest.sh and runkvm.py a little more robust
    
    I was regularly seeing "hangs" and a failure for a test case to take
    control of a VM. These changes resolve the hangs for me and improve
    the output for humans to figure out what's going on.
    
    We used the serial console to reboot a VM, now we use virsh reboot
    directly. When we still had something running (eg ipsec auto --up retrying
    a long time) our reboot command would never arrive.
    
    Related, we now hit return and ctrl-c when reconnecting to the
    VM. Additionally, we run stty sane because the console's tty insanity upon
    reconnect seems to cause what we called "flow problems" in the output.
    
    Use setproctitle to rename the runkvm.py processes (called python) to
    "swankvm". This allows us to "killall swankvm" at the start of a test
    to kill any lingering python scripts from previous runs. We also kill
    any remaining tcpdump processes.
    
    Prepend the prompt (hostname at testname:) for all output to the shell
    running the test, to make it easier for the human to see which of the
    running hosts is generating the output while the test is running. This
    does not change the output in the test OUTPUT/ directory
    
    wrap all child.expect() calls into a try: / except: statement, so we can
    just throw a human readable error, instead of a python stack trace that
    scrolls off the screen, especially when sharing a screen with 'screen'.
    
    When expect is waiting on either the login: prompt or the root prompt,
    act differently based on which we actually get back. Only attempt to
    login when we did not get a root prompt.
    
    Move deletion of /tmp/pluto.log and symlink from runkvm.py to swan-prep
    
    Also reboot "nic" for each test so it properly clears the iptables and
    conntrack tables.
    
    Reduce the timeout values for expect so failing tests fail a little quicker.
    Before this it would take minutes to fail.
    
    Clearly notify failure/success for gaining access to a VM.
    
    When hitting return to get a shell prompt, also attempt ctrl-c

commit 99767039c33ee7bf73fea5594dec339de4bc8f46
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 26 21:12:17 2013 -0500

    * testing: basic-pluto-01 fix in eastinit.sh to use rm -f not rm -r

commit b00165aa6eb21bcbf016c25efbd6355afb3c969c
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Mon Feb 4 16:41:02 2013 +0100

    * XAUTH: remove modecfg* from sa_policy_bit_names
    
    They were only removed from pluto_policy in commit c015d1a038546a5c32d9a36d16462d490108e254.

commit 840b15e445a5544f8446d010f9d3ee3d16ca0f01
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 26 16:40:55 2013 -0500

    * testing: basic-pluto-01 showed wrong policy name for SAREFTRACK and IKE_FRAG

commit 06564f0fff2d6ddd99e1e1da2d9064db36fabb9d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Feb 26 16:23:12 2013 +0200

    Fix ipsec.secrets.5 man page name which was broken by
    8a0165bd09ce2e7328abbc95dfab14b855f84526

commit f9039425c342523d86d43eb566e7024585c5c2fb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 26 01:54:25 2013 -0500

    * testing: fix harmless typo in dotest.sh

commit e82619d2410083e2f8b638d12acf0763ace382fa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 26 01:43:03 2013 -0500

    * testing: basic-pluto-01 now passes on bofh.nohats.ca.

commit dec81090c44f70a7225e33c068b1045d5c5e5681
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 26 01:38:01 2013 -0500

    * testing: fixup of runkvm.py
    
    I had introduced the skipping of lines starting with "#" a while ago
    to fix text flow issues, but that caused us to not put in the markers
    in the console log for # --- cut --- and # --- tuc --- and we would
    end up with too much for the sanitized console.
    
    runkvm.py also called ipsec whack shutdown, even though we do that already
    in final.sh. At for non-pluto userlands it would need to be different anyway.
    And for some tests (eg netkey) we want to test if the ip xfrm tables are
    empty afterwards, so it is not necessarily the last action we want to do.
    So leave it up to final.sh to do the shutdown.

commit 0cdfdf67e0114ff12188b073cc72a8aac4e9d75b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 26 01:30:51 2013 -0500

    * testing: add esp.XXXXXXXX syntax to klips-spi-sanitize.sed

commit dd1ccbc6433488b2f2c4b39fda8e0925401b9eb6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 26 01:29:52 2013 -0500

    * testing: cut out kernel AVX/padlock detection messages in kern-list-fixups.sed

commit e29b8a5c04fb14a26c79db59f8919f4596ea4e3d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 26 01:29:06 2013 -0500

    * testing: add EST and UTC timezones to ipsec-look-sanitize.sed

commit 17891b5bff97a4e77a6cd8c3859f8e6f6090377c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 25 22:59:36 2013 -0500

    * testing: fix dotest.sh to properly find functions.sh

commit 5bee229727e8b59fb85b25d829893e8c7a03048b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 25 22:58:30 2013 -0500

    * testing: libvirt: generate X509 certs, fixup libvirt net create, nic vm

commit b0332e34e0a704604ce9c02765e6c89d80bbcae1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 25 22:58:04 2013 -0500

    * testing: add host entries to VMs for north/west/east/road/nic

commit 80683a439e5190ba94c9556997c7b3a0f152ab7d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 17:26:50 2013 -0500

    * testing: flat.conf fixups

commit e7aaedcd1ec1cf6f0a0a169ce874bb70bfed2796
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 17:24:55 2013 -0500

    * testing: swan-prep needs glob and pexpect

commit 501596dfec6d4692030c9a39c39cc8a4bec0879d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 17:24:28 2013 -0500

    * fixup ipsec.conf.common path

commit 7fe25c551be7566d25437495b0ed70e6861176c4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 17:06:02 2013 -0500

    * testing: initialise the nss database in swan-prep

commit 6c7a6a400579a235b9ffe9d7238a09467a0bee88
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 17:05:16 2013 -0500

    * testing: add north to sanitizer

commit d38ad8a048a9ca3a93f7349474feb6ee53718c4c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 16:38:53 2013 -0500

    * testing: remove default testname from swan-prep for autodetect, fix typo

commit 2fb6cd5073abd23633f8429cd42d246127341695
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 16:35:57 2013 -0500

    * testing: support north as initiator

commit a5872b4fb00435df924079ca674ba4bc2ad395b0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 16:30:17 2013 -0500

    * testing: fix all occurrences of ipsec.common.conf
    
    Fix them to point to /testing/baseconfigs/all/etc/ipsec.d/

commit 3df2893c9a3330762abd033269ee33745df00e2a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 24 16:21:08 2013 -0500

    * testing: add pexpect to VMs for Fedora 17

commit 77ee60ec235fbace1748d558ede4914c24c0f708
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 23 22:20:50 2013 -0500

    * testing: pull up nat-pluto-01 from addresspool branch

commit 4dde1771e5e89cd80c60f97683659d6d1e3671b3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 23 22:17:07 2013 -0500

    * DPD: Do not allow dpdaction=restart/restart_by_peer for rekey=no
    
    Do not allow DPD to restart/initiate a connection when the policy is
    rekey=no. If this is configured by the user, log a message and use
    the default dpdaction of "hold".

commit 62e53fd9a384c1b2faac2d066522864fe2e35520
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 23 21:38:55 2013 -0500

    * NAT-T: Added more debugging lines in DBG_NATT category

commit f5b7db1472324b74bded8e73bb0b834eed6c6dbf
Merge: 087f529 211996f
Author: Antony Antony <antony at phenome.org>
Date:   Fri Feb 22 13:07:56 2013 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 211996f47a2efce92d656ddb95e85d967cc48254
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 22 00:27:07 2013 -0500

    * testing: remove obsolete netjig documentation
    
    netjig was used with uml in the past, but the current kvm setup
    does not use it anymore.

commit e1dfe1ad49caec945a439d1e158f302a9676f820
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 21 20:50:24 2013 -0500

    * testing: filter STP from tcpdump

commit 23a4c0d9e497fe7875558e63a5b7624e9a5878bd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 21 16:15:23 2013 -0500

    * testing: Fix north's IP address and east's nexthop for east-north cases
    
    The configuration and documentation (testnet.png) mismatched and caused
    nat-pluto-01 to fail as north could not orient itself to its bogus IP
    address.

commit 9c32f2fec0f77aafc198019ee30001fe7206feb4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 21 16:02:37 2013 -0500

    * testing: fix paste error in gateway setting for north's baseconfig

commit d6bd8efb010727aaa3bb918f1ecad8545ea77d68
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 21 15:04:21 2013 -0500

    * testing: swan-prep tries to determine testname on pwd if not specified
    
    This saves us from needing to set/export TESTNAME and makes copying
    test cases easier.

commit 3612a6dd5abd5b683bac41dc8094f99b2af9fc67
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 20 23:29:19 2013 +0200

    rhel: fix debug package creation

commit 737734f8e2fd25180056936e78f915e97539759f
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 20 23:05:09 2013 +0200

    rhel: libreswan.spec cleanup

commit 0b6b498f8f80782929583b7fe6a28daba058eae0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 20 10:53:51 2013 -0500

    * fragmentation: Remove spurious Racoon non-ESP marker
    
    During testing we found that racoon sometimes adds a bogus non-esp marker
    to the IKE packet. This confuses libreswan, because it causes the ICOOKIE
    to not match to an existing state.
    
    We assume now that if the ICOOKIE starts with 00 00 00 00, that it is
    such a bogus marker, and we use out_raw() to remove the 4 bytes from
    the packet stream. However, it still looks like racoon gets it wrong,
    because the ISAKMP header is still not properly formatted.
    
    We're still investigating

commit be27d31e1e9997d2d48cada82f2b1f9a45548e08
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 20 11:11:46 2013 +0200

    out_sa: fix syntax errors caused by 249fbd0eda68d71e466812ea8298dc28f6235d74

commit 9bcb72743bdd0b007ceb1873c4582f512985b1e8
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 20 00:08:29 2013 +0200

    update CHANGES for X509: Warn 14 days before certificates expire

commit 747190592b92a4383d7095637e28a9c6dd2034c0
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 20 00:06:01 2013 +0200

    checkpubkeys: warn 14 days before public keys expire

commit 62402104e4b280bf0deab23950d00ea0ed47cd06
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Feb 19 20:35:18 2013 +0200

    makerelease: fix git archive command to work with older git versions.

commit 2b997d71d48c9ed794aaebd25beea69a3e51871c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 16 15:25:11 2013 -0500

    * DPD: clarify log message is about a DPD event

commit 2ca5e969c230eabdf3aae14154ec8333e7568123
Merge: d992d7b 1e9faef
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 15 14:12:48 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit d992d7bb2ec313c63e77bd9de07af697b629ef5a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 15 14:11:45 2013 -0500

    * DPD: Don't try to delete non-events
    
    This happened only when we were just firing up the phase2. It was
    ignored, so this is mostly a cosmetic fix.

commit 1e9faef52b7b4cea87adc43a78a0985c2c59a428
Merge: 9ad72f1 e7bb0e2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 15 11:34:42 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 9ad72f16ccacd721c4c85d281843302a3594ea86
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 15 11:33:36 2013 -0500

    * IKEv2: narrowing used a wrong port range in determining bestfit
    
    This could lead to narrowed proposals failing.

commit 6f3c006ba72cecb30234264c01302126e73c2235
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Fri Feb 15 14:53:06 2013 +0100

    * removed redundant vendor id logging
    
    the used vendor id will be logged twice because of a removed return
    in 75269b8de30ae6368c41d5c53e25631ed2e20cc8
    
    e.g.
    
    received Vendor ID payload [RFC 3947]
    received Vendor ID payload [RFC 3947]

commit 738701a89b3e391b5773fcc4f8ac7b49203e9694
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Fri Feb 15 10:59:45 2013 +0100

    * IKEv1: fragmentation never fragment initial main mode packet
    
    If the first packet is fragmented the peer ignores it
    
    "packet from 10.0.11.203:500: received IKE fragment, but have no state.
    Ignoring packet"
    
    This can either happen with force on or when pluto
    changed the policy to force after receiving a fragmented packet and the
    initiator starts the phase one rekeying.
    
    The first packet exceeds ISAKMP_FRAG_MAXLEN fast with all the proposals
    and vendorids.
    
    10:05:15.519781 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 640)
        10.0.11.203.isakmp > 10.0.14.204.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie f7490449d6831ca1->0000000000000000: phase 1 I ident:
        (sa: doi=ipsec situation=identity
            (p: #0 protoid=isakmp transform=12
                (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp2048)(type=keylen value=0080))
                (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp2048)(type=keylen value=0080))
                (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp2048))
                (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp2048))
                (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1536)(type=keylen value=0080))
                (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1536)(type=keylen value=0080))
                (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1536))
                (t: #7 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1536))
                (t: #8 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024))
                (t: #9 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024))
                (t: #10 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024)(type=keylen value=0080))
                (t: #11 id=ike (type=lifetype value=sec)(type=lifeduration value=04b0)(type=enc value=aes)(type=hash value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024)(type=keylen value=0080))))
        (vid: len=12 4f454e584468416b74625a76)
        (vid: len=16 afcad71368a1f1c96b8696fc77570100)
        (vid: len=16 4048b7d56ebce88525e7de7f00d6c2d3)
        (vid: len=16 4a131c81070358455c5728f20e95452f)
        (vid: len=16 7d9419a65310ca6f2c179d9215529d56)
        (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
        (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
        (vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)

commit e7bb0e20f3815d43c0cbbc4b973df1f59141a3a3
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri Feb 15 00:48:01 2013 -0500

    * in oakley_alg_makedb, gsp is already NULL enough (Coverity Scan)

commit f860cc7f360d34196c30ac408c275f608903b118
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Feb 14 23:44:01 2013 -0500

    * fix type error in init_nat_traversal (found by Coverity)

commit e3570cae16ab9e6a111f0b12bafe2f96eb11d5f4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 22:06:11 2013 -0500

    * fix for printing a ";" in ipsec auto --status
    
    Introduced in 9ac4101f

commit 249fbd0eda68d71e466812ea8298dc28f6235d74
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 22:01:52 2013 -0500

    * pluto: more missing checks for failing out_raw() / out_struct() calls

commit 7adaad527de3a005a7bf989a6a6e8fee4a79ab25
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 19:42:02 2013 -0500

    * IKEv1: fragmenting comment out stripping non-ESP marker
    
    The code states "Strip non-ESP marker from first fragment", but
    it only stripped out 1 byte, not 4 bytes. We expect this code
    is never triggered, so commented out for now.

commit d402bd16fb0c85f441dbaf2e0023d1dcf7665cba
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 19:39:14 2013 -0500

    * IKEv1: fragmentation non-ESP marker is 4x 0x00, not 0xFF

commit b67dbad175df9009a4bd4fb7c567a05956c4e9ab
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 15:37:47 2013 -0500

    * xauth: fix indentation of CISCO_SPLIT_DNS and }

commit 5ac0162adc886f713f600671029c66c57567cf09
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 15:12:44 2013 -0500

    * XAUTH: Added missing return code checks for out_struct/out_raw
    
    We were not always checking the return code of out_struct() and
    out_raw() in the xauth processing states. So we could have failed
    to construct a part of the packet, and continued without returning
    STF_INTERNAL_ERROR

commit 3782879b074c88dd1ea0dbae8de41ece28a5108f
Merge: 0df29df 02c3afc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 14:32:55 2013 -0500

    Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation

commit 5b5576f6299de8f0b2e3c7099942c4c6bf9d6a18
Merge: f1c2510 158a418
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 13:39:01 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit f1c25101e80783cf1625f47c5c8724e626a3770d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 13:38:06 2013 -0500

    * document the retransmits=yes|no option for the ipsec.conf man page

commit 158a418b7606b45f449c45df0815443d3668528d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 12:57:52 2013 -0500

    * IANA: Added note about our PEN number 41286

commit 02c3afcca6ac4bf5cb61ba179c3ef703826a3976
Merge: 1ddb6c8 e749530
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 12:38:47 2013 -0500

    Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation

commit 1ddb6c8d500d8d6a2a1faf34392e2e3dd5939d41
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 14 12:24:02 2013 -0500

    * IKEv1: if receiving fragments, immediately respond with fragments too

commit 0df29dfd10401ec39e59d00310d17d8af29b9e4d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 22:02:18 2013 -0500

    * testing: import glob for swan-prep

commit e7495301464ef1aebb50691aab77a033bbc8a9a6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 21:53:43 2013 -0500

    * testing: add python expect to the guest package list (for swan-prep)

commit 2e388ba3fa4bf9a81029ea984cd3679e6a612c42
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 21:47:25 2013 -0500

    * testing: pexepect -> pexpect

commit cf47612b6417e782daa1059b797d70759079ea4a
Merge: dafcba8 55f1d3f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 21:46:22 2013 -0500

    Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation

commit dafcba8527cca0c78be1c8c799ab37abc68ffd55
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 21:43:57 2013 -0500

    * testing: swan-prep was importing p12 files without starting fresh
    
    It also caused it to prompt for a password when initiating the nss
    db files. It now runs it through pexpect to create it, then fills
    it in with the right p12 file.
    
    Currently it then imports the public certs of east, west and road.
    This is needed for rightcert=XXXX when there is no CA and certs
    don't come in over IKE. Test cases that want to use the CA should
    delete these public certs.

commit 55f1d3fb9225b823c38dcf6ae6dd2fd1e3f2277d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 21:16:02 2013 -0500

    * testing: not all files were git add'ed for x509-pluto-frag tests

commit 972f233ebd348c3c128417646d382dda88ebb448
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 21:07:18 2013 -0500

    * testing: fix typo for "can't idenity INITIATOR"

commit 6ea2584c5886cca5d3ac6c14ccb6e26d3b245652
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 14:16:36 2013 -0500

    * remove temporary debug line

commit a27ab0914536f760e7207566d53dd6fcaf5bde02
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Wed Feb 13 12:15:47 2013 -0500

    * fix send_packet's packet length reporting

commit 6967f4e1aa1499d5499be5bfd047644342ec1118
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 00:37:48 2013 -0500

    * testing: add road to dist_certs

commit 6af094e7c1c50288a23d99e9fdd8f5e05f155eed
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 13 00:37:07 2013 -0500

    * testing: updates testcases for fragmentation support

commit 087f5293b82fe46e4eb23db1aeb3255b02c21637
Merge: a580f91 94669a3
Author: Antony Antony <antony at phenome.org>
Date:   Wed Feb 13 03:30:51 2013 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 65b49c0f7852f3ea463727c61e5d3a4470d1f34a
Merge: d0099d5 94669a3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 12 16:49:18 2013 -0500

    Merge branch 'master' into fragmentation

commit 94669a3ead39c02ca91a10f313345f0a585d4540
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 12 16:46:36 2013 -0500

    * XAUTH: MODECFG and MODECFG_DNSWINS defines did not make it into lib/
    
    This caused some modecfg code in the parser to not actually load
    left/rightmode{server|client} parameters properly.

commit 4cc68a54ed8402462eeff10fe05e801a1f6fde7b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 12 16:34:36 2013 -0500

    * XAUTH: improve ipsec auto --status for xauth/modeconfig
    
    Now shows all xauth/modecfg info

commit d0099d52f2bfe4538bdcc50ad272d5f83a8cfc5a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 12 16:28:38 2013 -0500

    * added comment with xauth draft name

commit 30da6123acd345efcbfe4fdd76fe3ff5ea6a6108
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 12 11:48:31 2013 -0500

    * testing: swan-prep did not handle multiple daemons matching for kill

commit a580f917eff48c97f759f750a6ac797655904064
Author: Antony Antony <antony at phenome.org>
Date:   Tue Feb 12 09:14:56 2013 +0200

    *testing :  add road dist_cert
    	    runkvm won't run shutdown it could be in final.sh

commit 2999cad7acd808bfb02b7872bb69f81133ba94d6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 10 22:30:08 2013 -0500

    * added iphone5 success log for reference in the future

commit a04aae69304b86579ac47f555402194629118229
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 10 17:52:59 2013 -0500

    * fragmentation: store seen_fragvid in md first, fix force policy
    
    When reading vendorids on the first packet, we don't have a state
    yet, so apparently we store things in the message digest (md) first,
    then copy it into the state for persistence.
    
    Hugh's reformatting/refactoring missed the check for checking for
    having seen the fragmentation vendorid at the peer, and used the
    wrong policy flag to check for the "forced" scenario (where we send
    fragments despite not having seen the vendorid)

commit 9cca3bfb55674a1eea8f77d0e822701c42e4d68c
Merge: 2ad979a 3a61bbf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 10 16:53:55 2013 -0500

    Merge branch 'master' into fragmentation

commit 2ad979a67da4fdfe597eb78c3293e461440c51d5
Merge: 07bec55 a6a380d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 10 16:51:13 2013 -0500

    Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation
    
    Conflicts:
    	programs/pluto/server.c

commit a6a380dd257d296bd10ec25c22a565cbec194618
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Feb 10 11:15:53 2013 -0500

    * improve send_ike_msg logic
    
    Simplify handling of keepalive.
    Make fragmentation logic only work for IKE V1.
    Clarify that resend_ike_msg is only for V1.

commit fff9986fb2c187c2323050a0abd75dedea6aec8e
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Feb 10 01:26:46 2013 -0500

    * refactor send_packet
    
    Renamed send_ike_msg since that is what it actually does.
    Variants resend_ike_msg and send_keepalive created to capture relevant distinctions.
    Broken down into layers, simplifying complex and buggy logic and reducing duplication.
    Touched up source formatting, again.
    
    (Added a couple of consts missed due to bad makefile dependencies.)

commit a023b4cba4b06f3a1e8b08de0ac72dc16dc11953
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sat Feb 9 21:52:01 2013 -0500

    * improve vendor.c
    
    Eliminate leading _ from _vid_tab and _hexdig.
    Make out_vendorid and out_vid return bool, as they are declared to do.
    Clarify and simplify out_vendorid and out_vid.
    Shrink the scopes of i and j in handle_known_vendorid.
    Replace two memsets with two simple assignments.
    Add const to pgp_vendorid's type.

commit 75269b8de30ae6368c41d5c53e25631ed2e20cc8
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sat Feb 9 21:01:25 2013 -0500

    * tidy vendor.c
    
    Rename vid_usefull as vid_useful.
    Change code to reflect that vid_useful is a bool.
    Make initial value of vid_useful TRUE to reduce code.
    Eliminate confusing early returns from handle_known_vendorid.
    Regularize some formatting.
    Narrow the scopes of some variables.

commit 511a02ebd2992baf7bd5b9e84c3e96495b4389f5
Author: root <pwouters at redhat.com>
Date:   Sat Feb 9 16:14:39 2013 -0500

    * WIP: Store FRAGMENTATION vendorid and fixup resending logic

commit 3a61bbf9ca3f26e68dfb4155d676db303438b5ac
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 9 16:13:22 2013 -0500

    * XAUTH: More elaborate logging of error conditions in do_pam_authentication()

commit 071a8c6de9ff03e2163cfa1e5965f2044ba5ce61
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sat Feb 9 14:07:44 2013 -0500

    * improve frag code
    
    Detect when marshalling cheat will fail.
    Simplify and clean up code.

commit 07bec55dc7fde0a60ec990471432174235c05ac2
Merge: 298724d 3789f66
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 9 13:53:39 2013 -0500

    Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation

commit 298724d671abb2492764c9dcef7372a56e1e478a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 8 13:35:37 2013 -0500

    * remove dead code in kernel_mast that used to configure mast0
    
    It was triggering a checking script for "ifconfig" usage despite
    it being ifdef'ed out.

commit 90d774516467ed15e74d74161b528110d181ba70
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 23:35:23 2013 -0500

    * ike frag: document ISAKMP_FRAG_MAXLEN and ISAKMP_FRAG_FLAGS

commit 251296bba18fd33964246f34782762fc8785e214
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 23:33:31 2013 -0500

    * ike frag: fixup logging calls and add pointers to online documentation

commit 3789f664446e6be4d48099a5b1e380d32be2dc9b
Merge: dc05619 eaeb0a7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 23:14:11 2013 -0500

    Merge branch 'master' into fragmentation

commit eaeb0a735d08e17ae46fb424cb30230190d433a4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 14:21:05 2013 -0500

    * XAUTH: Example file to authenticate against PAM over HTTPS (eg FAS)

commit 0824fa962a9c10d70877350eef82a4a927b579e6
Merge: 648fc1e 6bee4c2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 23:02:28 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 648fc1eed4decbfe3520f69927e12ad4af34b3e3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 23:01:39 2013 -0500

    * XAUTH: Added xauthfail=hard|soft option
    
    Also some minor fixes of #ifdef XAUTH

commit 2626f3254ff002f6a50f605e9ffb44dd7e537b18
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 23:01:31 2013 -0500

    * updated changes

commit dc0561989f4d031af6907d2b6cf69095550aaa18
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 14:21:05 2013 -0500

    * XAUTH: Example file to authenticate against PAM over HTTPS (eg FAS)

commit 4cd596ffa85ada225328725747567f837d34f2d5
Merge: 0413b15 6bee4c2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 09:56:20 2013 -0500

    Merge branch 'master' into fragmentation

commit 0413b15545c06d4dd555298189390f7c1d7a263f
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Thu Feb 7 14:17:19 2013 +0100

    * fragmentation: revert the changes at the state_microcode_table
    
    Revert the first change from commit
    f0dce92c26df14561bac81ab0e530fb6794fa5d9.
    
    It is no longer needed with the latest changes.

commit dd2ef476a663954d59ba75bf299d7956985fcba5
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Thu Feb 7 14:12:57 2013 +0100

    * fragmentation: changed behaviour when fragments are sent
    
    The query in ikev1.c is no longer necessary, the decision is
    completely made in send_packet (server.c).
    
    Maybe an additional state check is necessary.

commit 6bee4c2f0603e8e7aca6d5fa8c3fbf2c03714415
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 02:59:59 2013 -0500

    * testing: swan-prep tried to kill pluto twice, instead of charon

commit aa6b33a32261da156ea158d05574848d61b4ebfb
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Feb 7 02:12:43 2013 -0500

    * IKEv1: ike fragmentation should not use st->st_suspended_md
    
    This code is based on racoon code, which strongswan also uses, and they
    all make the mistake of using sizeof(struct ) and offsets for wire format.
    
    Simplify the handling of the non-ESP Marker using NON_ESP_MARKER_SIZE
    
    Rename and moved variables to reduce their scope
    
    Don't rebuild the ISAKMP header for the IKE fragment from scratch, but
    use the existing IKE header, with small changes.
    
    Retrieve the stored unfragmented IKE packet from st->st_tpacket not from
    st->st_suspended_md.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit f70a8b95a38208a5056842212d95198bbc745302
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 7 00:21:06 2013 -0500

    * pluto: send_packet/send_frags mixed architecture/wire formats
    
    It was using size(u_int32_t) instead of 4 octets for the RFC-3948
    Non-ESP Marker. So instead, define NON_ESP_MARKER_SIZE and use that.

commit b109e580725f4e1f8b8fe070b80e12d2a529dab1
Merge: f350553 a4e9e16
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 23:12:23 2013 -0500

    Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation

commit a4e9e16e8a2d3fdf6fa6a4b1e2ad674447fe042e
Author: D. Hugh Redelmeier <hugh at redsquare.mimosa.com>
Date:   Wed Feb 6 23:10:04 2013 -0500

    * check for impossible buffer overflow

commit 562df17d161c4d27bce75b2bbb898daffac8e2c2
Author: D. Hugh Redelmeier <hugh at redsquare.mimosa.com>
Date:   Wed Feb 6 23:06:58 2013 -0500

    * remove unused variable "env" from lsw_conf_setdefault()

commit c0b6f35116123c66b58b07bfaf3d90da74a121ab
Merge: 3b03abe 076839a
Author: D. Hugh Redelmeier <hugh at redsquare.mimosa.com>
Date:   Wed Feb 6 22:26:14 2013 -0500

    Merge branch 'master' into fragmentation

commit f3505532c6bb6eb7242b451d4086966785714785
Merge: 3b03abe 076839a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 22:24:12 2013 -0500

    Merge branch 'master' into fragmentation

commit 076839aee85d4ba84950f69c933bfd60fa7ae6fc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 22:21:11 2013 -0500

    * Somehow TAGFILES got deleted, breaking make tag

commit 9237371195c1227bd02abd417d9f10dd7a210ac4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 20:45:28 2013 -0500

    * disable x509 check in dotest.sh

commit a32ff76095b100f9c0fdd4e98a15803ffec30866
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 16:42:31 2013 -0500

    * pluto: remove unnecessary and incomplete check for msg.xauthby

commit 79a86c3ecf6b10c034164c7645392c6e0b1acf30
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 16:41:34 2013 -0500

    * whack: add labeled ipsec options to whack usage

commit 0d059db5cdb639d8f1869a70ab9ad5941b1c1a3f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 16:38:50 2013 -0500

    * pluto: Show labeled IPsec information in ipsec auto --status

commit a7966d0db6311022a69671b4cd46409f6d6f745d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 4 22:44:05 2013 -0500

    * mtustr was capped at 8 chars, not 16
    
    As the compiler wisely told us:
    
    In function ‘snprintf’,
        inlined from ‘show_one_connection’ at /source/programs/pluto/connections.c:3458:10:
    /usr/include/bits/stdio2.h:65:3: warning: call to __builtin___snprintf_chk will always overflow destination buffer [enabled by default]
    
    This cannot be exploited other than by whomever can edit the local ipsec
    config, at which point you can already set leftupdown=/some/script that
    runs as root. Still, not good :/

commit abddae19625495f5de4d8a8e56cbd45ed9a96a22
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 16:31:51 2013 -0500

    * plutomain: factor out pluto_init_nss() in static function

commit 967e300896d74986b7d59a45f7f2481418814bd0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 6 16:25:36 2013 -0500

    * X509: Allow CRLs to be on TLS/SSL resources
    
    We were initiating libcurl without SSL support.

commit 3b03abe786296f30d8e81128aac249a926d6be5f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 5 13:35:40 2013 -0500

    * describe IKE fragments better now we know the fields

commit 0042cc156e14712fa0da00d8ee716357765ee22e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 5 10:39:03 2013 -0500

    * send_frags can be static, fill in a little more of packet format.

commit 976ef3b1ee9430a107509a0a4f42f02596d1aa53
Merge: 3eeb304 f0dce92
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 5 10:31:10 2013 -0500

    Merge branch 'fragmentation' of vault.libreswan.fi:/srv/src/libreswan into fragmentation

commit f0dce92c26df14561bac81ab0e530fb6794fa5d9
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Tue Feb 5 15:11:32 2013 +0100

    * fragmentation: fix for libreswan <-> libreswan  interoperability
    
    When libreswan communicates with libreswan the ike fragmentation will
    not start, because SMF_RETRANSMIT_ON_DUPLICATE is not set in case of
    retransmission MAIN_I3.
    
    Only call send_frags when send_packet is called for ike fragmentation.

commit 3eeb3047634c586c8ca69e46c7676dc6382c679f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 4 22:44:05 2013 -0500

    * mtustr was capped at 8 chars, not 16
    
    As the compiler wisely told us:
    
    In function ‘snprintf’,
        inlined from ‘show_one_connection’ at /source/programs/pluto/connections.c:3458:10:
    /usr/include/bits/stdio2.h:65:3: warning: call to __builtin___snprintf_chk will always overflow destination buffer [enabled by default]
    
    This cannot be exploited other than by whomever can edit the local ipsec
    config, at which point you can already set leftupdown=/some/script that
    runs as root. Still, not good :/

commit 7cf0ba6ab21d858145de298490bc298f78464767
Merge: e65eafa 8cae519
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 4 20:21:28 2013 -0500

    Merge branch 'master' into fragmentation

commit 8cae51971c52925384f93c9a56b4ad765573b377
Author: Antony Antony <antony at phenome.org>
Date:   Tue Feb 5 02:44:49 2013 +0200

    *testing : basic-pluto-11 good output

commit 9fa23bcf910d2f4a6f5464bccd243713099b03bc
Author: Antony Antony <antony at phenome.org>
Date:   Tue Feb 5 02:38:38 2013 +0200

    *testing basic-pluto-01 fixes. need a bit more sanitizing. an output for reference

commit fb5d299c8eb1f0fac60477c6b0094a9ee6882c00
Author: Antony Antony <antony at phenome.org>
Date:   Tue Feb 5 02:34:32 2013 +0200

    *testing : use san-build and install

commit 7d5904abf3027db6af0924c0257e77a17f88d1de
Author: Antony Antony <antony at phenome.org>
Date:   Tue Feb 5 02:13:51 2013 +0200

    *testing : xauth-pluto-12 final.sh add shutdown

commit 63d97568110a4acfb6c5eb1e735f7bec87606b43
Author: Antony Antony <antony at phenome.org>
Date:   Tue Feb 5 02:12:17 2013 +0200

    *testing : fix auth-pluto-12 (almost, modecfg works. However, i see packet loss 1 packet?
    	   host-ping-sanitize.sed allow variable packets in and out

commit e244e7df64ed8b73ab43762ea2b2d1c2da9547aa
Author: root <pwouters at redhat.com>
Date:   Mon Feb 4 13:19:22 2013 -0500

    * updated changes

commit 361a04404523ce632018b359e04db0aef304e017
Author: root <pwouters at redhat.com>
Date:   Mon Feb 4 13:17:52 2013 -0500

    * starter: auto=route and auto=start only performed auto=add [Wolfgang]
    
    We only loaded the connections, we did not route or initiate these.
    This was previously done by the shell script _plutoload, which was
    obsoleted in libreswan 3.0

commit e65eafa3634d3bf8815390d712a919c2d65d27cf
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Mon Feb 4 16:41:02 2013 +0100

    * XAUTH: remove modecfg* from sa_policy_bit_names
    
    They were only removed from pluto_policy in commit c015d1a038546a5c32d9a36d16462d490108e254.

commit 8f1839f315211eb24fda3d6e86ae23082367b49c
Merge: 829065e b6f2854
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 2 15:59:06 2013 -0500

    Merge branch 'master' into fragmentation

commit b6f28549c2dea311ea80491993d50f17f4780bc8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 2 15:58:06 2013 -0500

    * repair previous commit
    
    It is st->st_connection, not st

commit 829065e85e857f6d87c76e724ab2b8211ffe3b7c
Merge: bcaf1b7 c78e93e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 2 15:44:54 2013 -0500

    Merge branch 'master' into fragmentation

commit c78e93e7d9a2b3f25d5380af59015307cd532b2d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 2 15:44:21 2013 -0500

    * XAUTH: Only try to update resolveconf/restoreconf when XAUTH client

commit 86c1242a6440d751ae1c3d6dd114b0f73ecff4ec
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 2 01:58:03 2013 -0500

    updated changes

commit c015d1a038546a5c32d9a36d16462d490108e254
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 2 01:41:04 2013 -0500

    * XAUTH: modecfgdns* parameter was broken, modecfgwins* removed
    
    The modecfgdns1/modecfgdns2/modecfgwins1/modecfgwins2 were never
    properly working using libipsecconf. They only worked when you used
    whack directly.
    
    Someone (properly me) put these in as KSCF_MODECFG* instead of as
    KSF_MODECFG*, so the parser was looking for left/rightmodecfgdn1 etc.
    
    While fixing these, I removed support for XAUTH WINS, as that died a
    decade ago.
    
    We had defined POLICY_MODECFGDNS1 etc apparently as policy bits that
    would determine if we would send these options, but then they were
    never queried ever, so I removed them. It's quite obvious when you
    need to set these, namely if we are an xauthserver and modecfg_dns1=
    is set.
    
    libipsecconf got compiled without XAUTH because it was not being
    added to the CFLAGS when USE_XAUTH was set. So none of the parsing
    code was reading the code I wrote to read these options.
    (the only reason xauthby= ever worked was because it was _missing_
    and #ifdef XAUTH)
    
    Parsing of the modecfgdns1/modecfgdns2 keywords as kt_ipaddr also
    gave some problems because ipaddr processing was really only done
    for the left/right parts of the connection. The easier fix was to
    change these into kt_string, and when reading the struct starter_conn
    information into a struct whack_message, do the tnatoaddr() conversion.
    If the IP for this option is bogus, we ignore it and continue.
    
    modecfgwins1/modecfgwins2 is now kt_obsolete, and they were removed from
    whack, the xauth sending xauth attributes code and the man pages.
    
    The ipsec auto --status was updated to show the xauth information better:
    
    000 "test": 76.10.157.69<76.10.157.69>[+XS+S=C]...5.6.7.8<5.6.7.8>; unrouted; eroute owner: #0
    000 "test":     oriented; my_ip=unset; their_ip=unset;
    000 "test":     xauth info: my_xauthuser=pwouters; their_xauthuser=[any]; dns1:1.8.8.8, dns2:3.8.8.8;
    000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "test":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+XAUTH+IKEv2ALLOW+ModeCFGDNS1+ModeCFGWINS1;
    000 "test":   prio: 32,32; interface: virbr0; metric: 0, mtu: unset;
    000 "test":   dpd: action:clear; delay:0; timeout:0;
    000 "test":   newest ISAKMP SA: #0; newest IPsec SA: #0;
    000

commit 16548119c880df68971f382751d584e3a60f51a9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 1 22:22:58 2013 -0500

    * libipsecconf: remove another leftover used for manual keying

commit c298aa30aa4bff596210f2f3b5364ae9d012eda9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 1 11:41:35 2013 -0500

    * updated changes

commit 187cee68e25547102699afbe522eaf081261a017
Author: Matt Rogers <mrogers at redhat.com>
Date:   Fri Feb 1 11:38:59 2013 -0500

    * #53:  ipsec auto --status does not show phase2 parameters
    
    when using (unspecified) defaults
    
    Not specifying phase2alg= leaves c->alg_info_esp NULL so the rest of the
    information was being skipped, when c->alg_info_esp was only needed to
    determine the pfsgroup in whack_log. Relocating the pfsgroup determination
    outside of the whack_log functions will let us see the rest of the info
    even if the pfsgroup is unspecified.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit b9994a9657f7b847cc66fb1ba6cf2f482c5d0542
Merge: 31645a3 8a2a75d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 1 11:14:09 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 8a2a75dbaeadc606e0f8c7bd53e193992734db98
Author: Antony Antony <antony at phenome.org>
Date:   Fri Feb 1 10:10:50 2013 +0200

    Revert "*debug: add debug lines in set_cur_state macro"
    
    This reverts commit 3b0d6c99385d8b97efc75e5be52231353fdf0652.

commit 31645a3f77a0d71855e14fa6c51fc6bffd720c85
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jan 31 22:04:21 2013 -0500

    * fixed typo in log message

commit bcaf1b74b984ab831c1c47e102b8269925afd522
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jan 31 14:48:03 2013 -0500

    * testing: updated testcase psk-pluto-01

commit 916d033154971eec2774913b70c5cf6b443e0bf7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 30 22:39:03 2013 -0500

    * fragmentation: when we cannot access the md, pretend we sent it.
    
    That way, on the next retry we have access to st->st_suspended_md

commit f301123d377c3eb0252b31498466349d40c8dd87
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 30 22:33:50 2013 -0500

    * testing: added more x509-pluto-frag-0* tests
    
    x509-pluto-frag-00 is used to confirm filtering UDP fragments
    will cause problems. Both ends have ike_frag=no
    
    x509-pluto-frag-01 is using the default policy of ike_frag=yes that
    should send/receive ike fragments by both west and east.
    
    x509-pluto-frag-02 uses ike_frag=force on west and ike_frag=yes on
    east, so it should send out MAIN_I3 in fragments on the first go.
    
    x509-pluto-frag-04 has ike_frag=yes on west, and ike_frag=no on
    east, so west will not see the VID and should not send fragments.

commit c959ed4f730d22d6f05d15682c6e2315391eeba8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 30 22:30:33 2013 -0500

    * testing: added more x509-pluto-frag-0* tests
    
    x509-pluto-frag-00 is used to confirm filtering UDP fragments
    will cause problems.
    
    x509-pluto-frag-01 is the default policy that should send/receive
    ike fragments
    
    x509-pluto-frag-02 uses ike_frag=force

commit 2cb636012906a02133e487d7456f7ff8b8b71675
Merge: d53aaa1 4dd3f22
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 30 10:50:01 2013 -0500

    Merge branch 'master' into fragmentation

commit 4dd3f22621e839a668520829fb682a13eb0b8f28
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 30 10:48:32 2013 -0500

    * nat-t: add DBG_NATT debug line before send_packet()
    
    because send_packet is called with verbose FALSE

commit 7ba8d8e15f10d8c36bdd890873e9161dc9c6cb0d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 30 10:46:21 2013 -0500

    * pluto: log ikev2-responder-retransmit in send_packet like IKEv1

commit d53aaa18c97c8284983d3502abc35ec5ac6c8bfe
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 30 10:48:32 2013 -0500

    * nat-t: add DBG_NATT debug line before send_packet()
    
    because send_packet is called with verbose FALSE

commit 9ca9fabee9101d9650338ed71d057683e320b44f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 30 10:46:21 2013 -0500

    * pluto: log ikev2-responder-retransmit in send_packet like IKEv1

commit 148db9aeaa77d6b4b06b1593faa7756847adf677
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Wed Jan 30 13:59:04 2013 +0100

    removed unneeded debug log entry

commit db441734c920eb0fb2fd1d728abb4dc2a1a181f7
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Wed Jan 30 13:55:03 2013 +0100

    - also send VID_IKE_FRAGMENTATION when we are the responder
    - increasing numvitosend must be done before adding the first vendorid, otherwise it never adds the rest
      (alternative put the always sent dpd vendorid at the end and set next=ISAKMP_NEXT_VID on all vendorids before)

commit a6950dc2f22b8db605514ddab40251eab0205acc
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Wed Jan 30 13:49:16 2013 +0100

    removed duplicate ike fragmentation vendor id, racoon called it broken Microsoft ID: FRAGMENTATION

commit fc4d8a23d3e604b9804d5ffd24423e19611b8cab
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 23:53:58 2013 -0500

    * testing: x509-pluto-frag-01 test case

commit ef813c5bf39f2e778b105e0ce8923a009af56036
Merge: 19c89df 347eb50
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 23:49:14 2013 -0500

    Merge branch 'master' into fragmentation

commit 347eb5024267bb6b32289e5b547aa4e209d6a7d1
Merge: b0b75ac 140d85a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 23:48:55 2013 -0500

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit b0b75ace1bca3b3274b2956235a57a4e5e238a88
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 23:48:34 2013 -0500

    * testing: add fragmentation test to list

commit 140d85a0ea607c1e39d82573f493984c98191bcb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 15:58:54 2013 -0500

    * pluto: Don't print empty XAUTHuser value in IPsec established

commit 08a719c28180371b051034751f3a3ec18fa7cb01
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 14:27:24 2013 -0500

    * testing: x509-pluto-01 was missing secrets files to load cert keys

commit 82fbbebbe2cb7355286fee1d5449dea921a653f8
Merge: 49cb8a8 02418cc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 14:00:56 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 49cb8a8869fd6a3d8deceaebc99c908ddc9b78de
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 14:00:29 2013 -0500

    * testing: add missing config files for x509-pluto-01

commit 19c89dfcd2ae43f0f88b649ca5576afbd19f7ca0
Author: Copyright (C) 2013 Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Tue Jan 29 13:40:09 2013 -0500

    * IKEv1: Support for sending IKE fragments
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 02418ccfaea8c1cf86af890fb01200e467bf342c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 29 00:04:08 2013 -0500

    * WIP: testing:  started to merge testing/libvirt/install.sh into Makefile
    
    - So we can call it using "make check".
    - testing/utils/lswan-check is using the libvirt python module
    - testing/utils/virtinstall-base is broken off into a shell script for better
      (unbuffered) viewing
    - networks and vms slightly removed to make python code easier
    - Only add networks/vms not already in existence (unless --force)

commit 91e0e001530a485cf61bd9afd5f580bf6f0c208a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 23:42:13 2013 -0500

    * testing: Added generated testing/x509/* content to .gitignore

commit 39bcf9919ac3537ff76107f77045b19279cda2b5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 23:39:49 2013 -0500

    * testing: dotest.sh aborts when dist_certs has not been run

commit 072ab86c96187dd8a8d151ea44c4bf41b449561a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 23:36:12 2013 -0500

    * testing: swan-prep Load the other side's public certificate
    
    On east,west and road we import the public cert of the other two
    machines. This ensures we can run leftcert=XXX and rightcert=XXX
    for the X509 tests that do not use the CA.

commit 11d07dfcaf7833859bbb1337bbb80adb88ebf221
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 23:06:09 2013 -0500

    * pluto: don't try to load non-existing AA certs
    
    This removes an error from startup:
    
    Could not change to directory '/etc/ipsec.d/aacerts': No such file or directory

commit 3406966c3f21e2a591696f4eccdb64543b47d36e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:55:40 2013 -0500

    * testing: dist_certs was not generating PKCS#12 files for special cases

commit b406ac60d903cab951d53945a2a87201d669c0ca
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:54:35 2013 -0500

    * testing: swan-prep fixes
    
    - Import certs from /testing/x509/pkcs12/mainca/
    - Convert pidof string to int for os.kill()

commit a0d60b6756c48a6ed1fd5b640b1f5d7aa7a38955
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:53:39 2013 -0500

    * ipsec look: display NSS certificates

commit b02f2fb8d38f8d2533523061b8575fd4862dd339
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:27:06 2013 -0500

    * testing: dist_certs  Fix PKCS#12 generation, work with any cwd
    
    - pushd / popd into the directory containing dist_certs so it can
      be run from anywhere.
    - The CA friendly name apparently cannot contain spaces or openssl pkcs12
      just fails with a usage error.

commit c06224afd4f28c5f8639e56ca94f272ea05121b7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:19:40 2013 -0500

    * testing: runkvm.py support for --x509
    
    Read testparams.sh to see if X509=yes, if so pass --x509 to swan-prep

commit ebf7be3be679acc2dd6a76e9e8b4425e46e97de7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:16:45 2013 -0500

    * testing: fixes to dotest.sh
    
    - Typo fix for LIBRESWANDIR
    - Use the presence or absence of *run.sh to determine INITOATOR
      (and not *init.sh because responders have an init.sh file too)
    - Set the testname based on the pwd of the test using basename()

commit 754d12d3b40c97f34f5a9c3386efd1adf567ebcd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:13:58 2013 -0500

    * testing: CA rename and no longer copy generated files into testing/baseconfig/
    
    We now read the files from testing/x509/* so they don't get into git
    
    dist_certs now calls the main CA "mainca" instead of "ca", as the Friendly
    Name of the CA was "ca" which was getting confusing, especially because
    the country is also ca.

commit 844a92b21baed175466336a9ab4821dfe52f03eb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:13:15 2013 -0500

    * testing: updated x509-pluto-01

commit 86488332c58e7d68f46414eee7cb5f9a3b6a97ae
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 22:10:02 2013 -0500

    * testing: swan-prep functionality extended
    
    - kill all IKE daemons (strongswan, racoon, shrewsoft as well as pluto)
    - unload NETKEY and KLIPS stacks using _stackmanager stop
    
    The above no longer needs to be in the individual test case *init.sh files.
    
    - added --x509 option to force adding x509 certs into NSS
    - testparams.sh is checked for X509=yes and if so certs are added to NSS

commit 163a8c36707a282c2eb0ba20e38157044cfb4f59
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 17:53:55 2013 -0500

    * testing: cleanup X509 generation and output

commit b78c10ed3dc0b718b50766578a4ab613e5a372f2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 27 11:40:33 2013 -0500

    * put find_ifaces() back to where the testcases think it should be

commit bd04be397fbfb4c7049919121833e8a4e61df039
Merge: 6dd4196 b47b6c9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 26 19:51:02 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 6dd419682c44117fc5dc4cb83b73659da9393d4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 26 19:14:20 2013 -0500

    * testing: two configurations to compile pluto for testing
    
    minimal: disable everything but NETKEY
    everything: enable everything except taproom and dmalloc

commit b47b6c97f7a11ff73f6f77bb0dece52bec0f9ac1
Merge: 6969ded 48cb493
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 27 02:13:29 2013 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 6969ded5e123f1dcf56ac4ceee74db729e05bbe1
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 27 02:12:50 2013 +0200

    * testing: cleanup test basic-pluto-11 good

commit 4fa3a57ece83dfefa57543bb4123b84c388add7b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 26 19:11:43 2013 -0500

    * taproom: minor fixes to taproom
    
    Fixed some missing "goto" statements for taproom. Ifdef'ed the
    TCL calls in IKEv2 as they have never been tested or run (taproom
    predates ikev2) - but programs/pluto/tpm/ needs to be fixed or
    removed. (I think removal is best - code hasn't compiled or run
    since about 2007, no one uses it)

commit 562a433a4719b4f556ba0e201f84980d656d60d8
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 27 02:10:41 2013 +0200

    * testing: ping-sanitize.sed fix

commit 7e10c81840750c3a76b209e401a9a029ad069c83
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 26 18:53:51 2013 -0500

    * XAUTH: missing ifdef's around two blocks dealing with XAUTH

commit 48cb493736a9672d3c96cf1a74eeb6a17d5c7c94
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 26 18:35:51 2013 -0500

    * testing: runkvm.py aborts on all missing python modules now

commit 5c336c8c3620e8e72ad26bfdfb0f3b34caf609c7
Merge: 1bd333a 9ac4101
Author: Antony Antony <antony at phenome.org>
Date:   Sat Jan 26 22:13:25 2013 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 9ac4101fe819d73dac1097bf88396452dd2169ee
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 26 11:59:20 2013 -0500

    * status: slight change in output of ipsec auto --status
    
    We used to only display metric and mtu when one of these were set.
    We now always display these. The prio and interface were moved on
    their own line with metric and mtu. This gives us more space for
    our ever increasing list of POLICY bits to be displayed.
    
    old:
    000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG; prio: 32,32; interface: virbr0;
    
    new:
    
    000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG;
    000 "redhat":   prio: 32,32; interface: virbr0; metric:0, mtu:unset;
    
    For OE, the DNS policies (+lKOD and +rKOD) are added to the policy line, but after the ";"
    to avoid confusing thinking these are c->policy bits.

commit c4b8b3dd170f7b80458be857dfa8d18c24971af0
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 26 11:56:45 2013 -0500

    * libipsecconf: Do not set key_from_DNS_on_demand = TRUE per default
    
    For RSA connections, the OE settings turn this to TRUE if OE was
    used, and false otherwise. However, for PSK connections this was left
    at TRUE as well. Although it caused no harm it could confusingly
    state "+lKOD+rKOD" in the policy for PSK connections.

commit a769227f37e8c320a3276e311aeb2b4c58b2abd2
Merge: 9ea8310 3b0d6c9
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 26 11:04:50 2013 -0500

    Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation

commit 3b0d6c99385d8b97efc75e5be52231353fdf0652
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jan 25 14:59:46 2013 +0100

    *debug: add debug lines in set_cur_state macro

commit 84172f1a521f778f72f69bb0f4e1ed83409b18d5
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jan 25 14:59:05 2013 +0100

    *plutodebug: add debug lines to debug racoon MODECFG situations

commit 93454a6630726e35df3f57c80b798e4e957bce2a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 23 21:00:12 2013 -0500

    * ike frags: Only log for controlmore, define MAX_IKE_FRAGMENTS 16

commit 5b7a8c3b8868be619742362c02b81820ecb2b203
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 23 20:58:52 2013 -0500

    * ipsec: Add "ipsec start|stop|restart" as aliases to "ipsec setup"

commit 9ea831051e3aa50b3a8a23bf36ac6aa028d725e7
Merge: b29ddb4 6d27b65
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 23 17:11:46 2013 -0500

    Merge branch 'master' into fragmentation

commit 1bd333af35fe20cef79d6093224c9c8f4a3d258d
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 23 21:54:39 2013 +0200

    *testing forgot to commit with xauth-pluto-12

commit 6d27b6565b8c2cd9cc182630e166c10ca3b048d6
Merge: 16c37ae 9046a7d
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 23 21:05:57 2013 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 16c37ae41b54d8284ac723fa5663668a30d03316
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 23 21:05:06 2013 +0200

    *testing: to sanitize manually sanitize.sh . run from the test dir

commit ae81539a050ed110aa909eb3844e96e873c2562c
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 23 21:03:55 2013 +0200

    *testing: known good output for xauth-pluto-12

commit 9046a7d3fc9d56760d0edc01d5f6c0f6e2543336
Author: Kim B. Heino <b at bbbs.net>
Date:   Wed Jan 23 14:32:10 2013 +0200

    dist_certs: fix expect to wait until spawned child returns
    
    Previous version waited for nothing and then killed the child, resulting
    in empty certificates. This fixed version waits until child returns, or
    maximum of 10 seconds. Use "set timeout 60" if you need bigger timeout.

commit e919be630dc412afd249446d76ab183f7410485f
Author: Kim B. Heino <b at bbbs.net>
Date:   Wed Jan 23 14:27:30 2013 +0200

    dist_certs: it's not year 2011 anymore, fix future date calculation

commit 304ff5b77f44d17d1b725482040e863e119838bd
Author: Kim B. Heino <b at bbbs.net>
Date:   Wed Jan 23 14:19:00 2013 +0200

    dist_certs: remove trailing whitespaces

commit 7b7f32f107497dc938c53627e2981442f1d0fd8d
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 23 01:12:18 2013 +0200

    *testing: more fixes to sanitizers timezone and kernel messages

commit 0f757eb3f0971fcc2270005dbe4e33b0559bf32f
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 22 20:42:57 2013 +0200

    *testing: change output file names

commit fe27d8b9e002bf453ffb738ad4642d135501a528
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 22 20:41:50 2013 +0200

    *testing: good output for psk-pluto-01

commit 0840c0c27b225cfbff37613668214fba2947b2d5
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 22 20:38:55 2013 +0200

    *testing: rename output files

commit 6a891802852671fe19203122adc010a2d9b30831
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 22 17:29:01 2013 +0200

    *testing: fixing psk-pluto-01 for sanitizing

commit fc84a75fd7fdeb2f61585cd42ebae25a49133493
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 22 17:28:01 2013 +0200

    *testing: consolediff sanitizer after a run

commit db9d010c01c16a7871e507f59b262647deb1c009
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 22 17:26:34 2013 +0200

    *testing: update sanitizer to cope with kvm

commit b29ddb46a32acee5523a806f9c3dcde476aa7dad
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 23:54:25 2013 -0500

    * updated changes

commit b9d8758fc681b317e92bcce49e5956a6d0e6902f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 23:23:21 2013 -0500

    * testing: added interop-racoon-iphone5-nonat
    
    This test, once completed, will test interop with iphone5's racoon
    using the Apple default of ike_frag force; on the racoon side.

commit 88e33b64be8a5c439d51ac75f5a243bbabf989e4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 23:16:36 2013 -0500

    * IKEv1: Support for receiving IKEv1 fragments (not RFC)
    
    added support for incoming fragmented ike packets to solve iOS6 (iphone)
    problems. This is often the case when large X.509 certificates are used.
    
    Some third-party vendor devices, such as firewalls configured for stateful
    packet inspection, do not permit the passthrough of User Datagram Protocol
    (UDP) fragments in case they are part of a fragmentation attack. If
    fragments are not passed through, Internet Key Exchange (IKE) negotiation
    fails because the intended responder for the virtual private network (VPN)
    tunnel cannot reconstruct the IKE packet and proceed with establishment
    of the tunnel.
    
    This feature provides for the fragmentation of large IKE packets into a series
    of smaller IKE packets to avoid fragmentation at the UDP layer.
    
    This feature provides support for Cisco IOS in terms of being a responder in an
    IKEv1 main mode exchange.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 326d7fa345c73eae94041c2db634290688153ffe
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 22:54:06 2013 -0500

    * pluto: Add support for ike_frag=yes|no|force keyword
    
    This adds the option to the parser, along with two policy flags
    POLICY_IKE_FRAG_ALLOW and POLICY_IKE_FRAG_FORCE
    
    We send the fragmentation vendorid except when ike_frag=no
    
    Processing of fragments and sending of fragments are not yet
    implemented with this commit.
    
    VID_MISC_FRAGMENTATION renamed to VID_IKE_FRAGMENTATION

commit 4e78b421379a9c34f78a015b328395230c199374
Merge: de2f1f5 a38479b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 22:18:01 2013 -0500

    Merge branch 'master' into fragmentation

commit a38479b931dcf4b000a3ba7fe0ead353c9978e17
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 22:10:32 2013 -0500

    * libipsecconf: policy misuse due to type change from int to lset_t
    
    Some code is still using policy as if it was an int, but it is an lset_t.
    This would cause problems for every policy bit > 31, which up to now was
    only the SAref tracking policy bits:
    
      POLICY_SAREF_TRACK    = LELEM(32), /* Saref tracking via _updown */
      POLICY_SAREF_TRACK_CONNTRACK    = LELEM(33), /* use conntrack optimization */
    
    But I will be adding the IKE fragmentation policy flags, so this
    became an issue in confwrite.c.
    
    The assumption that c->policy is of type int is probably all over the
    code and needs a thorough review.
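
The truncation described in the commit above, as an added example (not code from the libreswan tree): a policy set routed through a 32-bit variable loses the SAref tracking bits, and a simple mask shows which flags are at risk. Assumptions: `lset_t` is modelled as `uint64_t`, `POLICY_PSK` at bit 0 and the `SAREFTRACKCONNTRACK` label are hypothetical, and only bit positions 32 and 33 come from the commit message.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a 64-bit set type and bit macro modelled on the names used in
 * the commit message; this is not the libreswan header. */
typedef uint64_t lset_t;
#define LELEM(opt) ((lset_t)1 << (opt))

/* Bits 32 and 33 are the positions quoted in the commit message.
 * POLICY_PSK at bit 0 is a hypothetical low bit, included for contrast. */
#define POLICY_PSK                   LELEM(0)
#define POLICY_SAREF_TRACK           LELEM(32)
#define POLICY_SAREF_TRACK_CONNTRACK LELEM(33)

/* Fail the build if the set type cannot hold the highest flag in use. */
_Static_assert(sizeof(lset_t) * 8 > 33, "lset_t too narrow for policy bits");

/* The bug pattern: the policy passes through a 32-bit variable (a struct
 * field, a parameter, a temporary). uint32_t keeps the narrowing well
 * defined; with a plain int the out-of-range conversion is
 * implementation-defined and on common ABIs drops the same bits. */
static lset_t policy_via_32bit(lset_t policy)
{
    uint32_t narrowed = (uint32_t)policy;   /* bits 32..63 are discarded */
    return (lset_t)narrowed;
}

/* Review aid: the flags that would not survive a 32-bit hop. */
static lset_t policy_bits_lost_in_32bit(lset_t policy)
{
    return policy & ~(lset_t)UINT32_MAX;
}

/* Name table for rendering; the third label is hypothetical. */
static const struct { lset_t bit; const char *name; } policy_names[] = {
    { POLICY_PSK,                   "PSK" },
    { POLICY_SAREF_TRACK,           "SAREFTRACK" },
    { POLICY_SAREF_TRACK_CONNTRACK, "SAREFTRACKCONNTRACK" },
};

/* Render a policy set as "A+B+C", in the style of the status output.
 * Returns the number of characters written, excluding the terminator. */
static size_t policy_to_string(lset_t policy, char *buf, size_t len)
{
    size_t used = 0;

    if (len == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof(policy_names) / sizeof(policy_names[0]); i++) {
        if ((policy & policy_names[i].bit) == 0)
            continue;
        int n = snprintf(buf + used, len - used, "%s%s",
                         used ? "+" : "", policy_names[i].name);
        if (n < 0 || (size_t)n >= len - used) {
            buf[used] = '\0';               /* drop the partial name */
            break;
        }
        used += (size_t)n;
    }
    return used;
}

int main(void)
{
    lset_t policy = POLICY_PSK | POLICY_SAREF_TRACK | POLICY_SAREF_TRACK_CONNTRACK;
    char full[64], cut[64];

    policy_to_string(policy, full, sizeof(full));
    policy_to_string(policy_via_32bit(policy), cut, sizeof(cut));

    printf("configured : 0x%016" PRIx64 " %s\n", policy, full);
    printf("after int  : 0x%016" PRIx64 " %s\n", policy_via_32bit(policy), cut);
    printf("lost bits  : 0x%016" PRIx64 "\n", policy_bits_lost_in_32bit(policy));
    return 0;
}
```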

commit 777f76e74487c7446290fbdaab7387e4397a54eb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 22:04:23 2013 -0500

    * whack: C is not python - cannot do switch() over non-int

commit 6593c9c9a68ececaf7d1ebda1a8163e1c7ac0576
Merge: c330b64 22da35c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 21:55:35 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 22da35cb1df8b2c6b49af881fa7251a89d054fa5
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 21 20:56:08 2013 -0500

    * XAUTH: expose xauthby=alwaysok to "ipsec whack"
    
    ipsec whack  [...] --xauthby XXX did not yet support "alwaysok"

commit c330b64f19235d511d65f8f9703ce62174dfd9d3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 18:16:13 2013 -0500

    * clarify a break statement with a comment

commit de2f1f5dc3d6ef9dccb3fdffad976a115b9b9f0d
Merge: 7c3ba62 32dc901
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 17:14:43 2013 -0500

    Merge branch 'master' into fragmentation

commit 32dc9011475009f7731f1ba405e91f7554a08ed5
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 21 14:49:42 2013 -0500

    * man page: added note on systemd to plutorestartoncrash=

commit 83e5a088d5437b971fd4293151cb326b89894177
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 21 14:33:09 2013 -0500

    * pluto: Do not attempt to open a logfile if none is configured

commit 953da179c961aa1e77c7439affaba1a5b24337bd
Merge: 608d435 18eb872
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 21 14:12:40 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 608d435ce5f39403d7f0182b7f0310a2d77dc3b1
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 21 14:11:26 2013 -0500

    * testing: net.ipv4.conf.eth0.rp_filter was missing from sysctl.conf
    
    We disabled rp_filter in testing/baseconfigs/all/sysctl.conf for
    all but eth0.

commit 18eb872e6d64256d3a4b5002912529195ce063a8
Author: Antony Antony <antony at phenome.org>
Date:   Mon Jan 21 02:44:53 2013 +0200

    *testing: cleanup basic-pluto-01 to run final.sh

commit fe757536dfffd05cf69f95a0c4363ba47671080b
Author: Antony Antony <antony at phenome.org>
Date:   Mon Jan 21 02:43:32 2013 +0200

    *testing: run final.sh

commit 0f36fe2f89faca0c3b65c35dc842206e4fa85f2c
Author: Antony Antony <antony at phenome.org>
Date:   Mon Jan 21 01:03:29 2013 +0200

    *testing: paul's changes ping sanitizer

commit 4f5186a00e8bb5780ea5b478de44896002f93529
Author: Antony Antony <antony at phenome.org>
Date:   Mon Jan 21 01:01:42 2013 +0200

    *testing: don't send empty lines from *init and *run

commit 6c98431c9e94c141d926d6c85bb7ca701fb5bdc0
Merge: a5668a4 3ed96dc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 20 12:26:53 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a5668a45b2778ac9050996db427a739490731227
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 20 12:25:17 2013 -0500

    * updated changes

commit cf4343357b22a484c1f441eddebe6bd5d786340f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jan 20 12:24:24 2013 -0500

    * addconn: If no protostack= is configured, return "netkey" as default

commit 3ed96dcb3030905c4109c7da5042a5e0cc46b3d8
Merge: cb2ffa7 1001e39
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 19 18:40:47 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit cb2ffa7ee4b04f602889f5c0f88770985c3b04ae
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 19 18:36:01 2013 -0500

    * pluto: show orientation with ipsec auto --status
    
    When a connection is not oriented, the display of such a connection
    in ipsec auto --status is 'undefined'. One side is called "left" without
    any real proof. As such, one could not see the difference between a
    properly oriented connection, and an unoriented connection that just
    happened to look the same. This adds an entry to the output that will
    state "oriented" or "unoriented", eg:
    
    000 "redhat": 76.10.157.69[@RH-standard,+MC+XC+S=C]---76.10.157.65...66.187.233.55<vpn-rdu.redhat.com>[MS+XS+S=C]; unrouted; eroute owner: #0
    000 "redhat":     oriented; myip=unset; hisip=unset;
    000 "redhat":     xauth info: myxauthuser=pwouters;
    000 "redhat":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug: yes
    000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: virbr0;
    000 "redhat":   dpd: action:hold; delay:30; timeout:60;

commit 1001e39467063126362df7f869f60e9bf870b618
Merge: 49edd0c de7c4a4
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jan 18 16:00:28 2013 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 49edd0c0f097881e71369a392855fb8b437d110a
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jan 18 15:59:39 2013 +0200

    * testing:  use stty --echo in runkvm.py

commit de7c4a4ce86f4b730dad94b1fd7d63a63eb04f38
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jan 17 17:45:59 2013 -0500

    * manual: Remove last remnants of manual keying from man pages

commit 7c3ba626f9fee80e08ecdc28f226b4445acb79a6
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 16 13:22:13 2013 -0500

    * IKE: Add cisco IKE fragmentation next payload pointer
    
    This also renames the NAT draft payloads in their proper name,
    and clarifies the 'relocation' comment, which is really about
    the payload number change between draft (130,131) and RFC-3947 (20,21)

commit 3930ef11a43baf3b765c87c19580452bc3e3e32f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 16 11:26:30 2013 -0500

    * updated man page for compress= and regenerated it

commit 8cecd371007e9c5d8c9df5ccd7909e9ff282e576
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 16 11:16:00 2013 -0500

    updated changes

commit 7cf80a87d4d7f1e13ce0bff7d855f7707b3ca863
Author: Matt Rogers <mrogers at redhat.com>
Date:   Wed Jan 16 11:13:30 2013 -0500

    * #8 honour compress=no option
    
    Due to increased security concerns of mixing compression with encryption, in
    light of the BEAST like attacks, we no longer always accept ipcomp as we
    did before. It needs to be explicitly set using compress=yes
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit f3a57a1ab4bd66bbb6df0198ee1e750e9b6cb82e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 15 23:22:16 2013 -0500

    * Missed a KLIPS -> KLIPS24 reference in make output

commit a6610e143bfe94aa79258ba59cbdbbc5cff7f09d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 15 23:21:49 2013 -0500

    * updated changes

commit 635ad927c648a2a26c79d4df6eb306e66f29f4cd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 15 23:17:34 2013 -0500

    * XAUTH: Added xauthby=alwaysok option
    
    Setting xauthby to alwaysok causes the XAUTH authentication to always succeed.
    This is useful to support clients that require XAUTH, but for which no real
    XAUTH usernames/passwords are provisioned. This is valid for some certificate
    based deployments of devices.
    
    The static function do_md5_authentication() got renamed to do_file_authentication(),
    because it is using the crypt() call, which supports more than just MD5.
    
    The man page has been updated to reflect this, and also adds a note about MD5 not
    being available in FIPS mode.
    
    A separate bug has been opened for a feature to set the xauth password file name,
    instead of hardcoding it to /etc/ipsec.d/passwd.

commit f0f95e1465ac65a3b97794e3adc0cd806060ff6b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 15 21:59:45 2013 -0500

    * KLIPS: makefile switch some more "26" vs "24" strings
    
    module26.make -> module.make
    module.make -> module24.make
    
    There are still some occurrences of "26" left (which are misleading because
    it is really "2.6 and higher").
    
    While we need packaging/makefiles/module.defs I don't think it is actually used,
    because per default we use MODULE_DEF_INCLUDE=[..]/packaging/linus/config-all.h
    (perhaps with make kpatch?)

commit 27ff91db99fb969f9418ed5473bc449865dc4abe
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 15 21:57:51 2013 -0500

    * enable cryptoapi in packaging/makefiles/module.defs

commit 529779a83462a4d52f630bc214de58618d6df4f3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 14 17:47:18 2013 -0500

    updated changes

commit 1565fdc5c9c4963a0a052fac86d961bd38d34c42
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 14 17:46:29 2013 -0500

    * pluto: log XAUTHusername in the "established IPsec SA" line
    
    i.e.:
    
    004 "redhat" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x7aacc5fa <0xa46a8a1f xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none XAUTHuser=pwouters}

commit 5f188f90317d0275e0136527f68b9db40f686126
Merge: 62661d8 fe5a7bf
Author: Antony Antony <antony at phenome.org>
Date:   Mon Jan 14 22:06:40 2013 +0000

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 62661d8be946f3087f8348d32b7470a21a17ce11
Author: Antony Antony <antony at phenome.org>
Date:   Mon Jan 14 22:05:02 2013 +0000

    *testing: TERM=dumb expect get less ANSI escape characters

commit fe5a7bf9eeeb96aeb2bfe3ca38b1f2dc66902bb5
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 14 15:48:45 2013 -0500

    * testing: fix calls to swanprep to swan-prep

commit 051efa54ee0a3543a5308943a35c213ab001ea38
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 14 15:29:26 2013 -0500

    * testing: missed swan-update softlink in /usr/bin/

commit b8410d2cb81c1e2ff841c47a08c91aa385a5ddf7
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 14 15:20:37 2013 -0500

    * testing: softlink swan-* binaries in /usr/bin/ to avoid PATH issues
    
    also rename all to be consistent with "swan-" prefix.

commit f5868559d64579649586dccda85a49267d0d758c
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 14 15:20:10 2013 -0500

    * testing: swan-prep should first copy in baseconfigs then specific test files

commit 83bf302d261300dd7d2b7a0aeb31d41fb3e2eb10
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 14 15:18:52 2013 -0500

    * testing: swan-install support for disabled service and selinux
    
    - disable systemd from restarting pluto on crash
    - restorecon /usr/local

commit 6b4074e986f36170073f8223fc326a50d8552c07
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 14 15:17:55 2013 -0500

    * testing: swan-build deletes modobj* as well as OBJ.*

commit 64eec39b92b0d83dc22ede07b03f300094b92e11
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 14 14:58:11 2013 -0500

    * systemd: Added RestartPreventExitStatus= line to ipserv.service file
    
    Added a commented line:
    
    This mimics the old openswan _plutorun script that read
    plutorestartoncrash=no and if set, would not restart pluto when its exit
    code was 137 (term) or 143 (kill)
    
    This is not the default, because if we crash, we _do_ want to
    get restarted.

commit e3a8d972f80124dde4b31ee87331b882f98b693d
Author: Antony Antony <antony at phenome.org>
Date:   Mon Jan 14 17:48:29 2013 +0000

    *testing: start nic if there nicinit. reboot before init.

commit 2430ea35fe155418d3442b304ca4e1bd86e15644
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 13 14:11:00 2013 -0500

    * testing: Added testcases netkey-psk-vhost-0[1..4]
    
    These test cases investigate the behaviour of subnet=vhost:%no,%priv
    versus subnet=%vhost:%priv,%no with and without NAT on nic.
    
    They also use a virtual_private=%v4:!192.0.2.0/24,%v4:192.0.0.0/8
    which should NOT cause rejection.

commit a11921e1158b1199b3d9ebf3d63d3a94de0eef0e
Merge: ed88209 7376fee
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 13 12:15:10 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit ed8820992b3a8e3be3a46b789ab82b06a9b602a0
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 13 12:14:42 2013 -0500

    * testing: added netkey-psk-pluto-06

commit 7376feedbe157f783ae9a9af8241439ffbd7f2a4
Merge: f720c79 7c9d8c5
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 13 17:37:48 2013 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 7c9d8c5c7eaa47aae821991a1e6b507291283be1
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Jan 13 14:36:52 2013 +0100

    Adding EOL when an EOF at EOL

commit f720c7923846d926e37aaa61f85e7e71ee4042b3
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 13 13:56:02 2013 +0100

    *testing: road need 192.1.3.254 as nameserver

commit c7b217ffb4d1409a9cbbe1393a9b96b1b3d78b96
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 13 13:54:48 2013 +0100

    *testing: runkvm.py namespace collision.

commit a4eb285b0d2f7f59c36b2f7fac8fc85ebc6ef93c
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Jan 13 04:11:11 2013 +0100

    find_ifaces() call moved from rcv_whack.c to server.c - Reason : for my roadwarrior test to work

commit a9037fbf620029f1989150985f54ff37454afe2b
Merge: 988551c 3660560
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Jan 13 03:21:32 2013 +0100

    Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan
    
    Conflicts:
    	lib/libipsecconf/parser.l
    	lib/libipsecconf/parser.y
    	programs/pluto/rcv_whack.c

commit 988551cded876cd20eb2733df82e92424baeaa47
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Jan 13 03:14:59 2013 +0100

    Fixed up (not found) printf when addconn --verbose

commit 02a0d794787d6a526ca23436ffb644f6b18965f3
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Jan 13 03:12:34 2013 +0100

    find_ifaces() call moved from rcv_whack.c to server.c - Reason : for my roadwarrior test to work

commit 8ce117a706cfa4b1cfc3884f583fc26fada3df22
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Jan 13 03:08:35 2013 +0100

    Adding EOL when an EOF at EOL

commit 36605602d4681ec6343128d66d92f834f5338ad9
Author: Antony Antony <antony at phenome.org>
Date:   Sat Jan 12 22:27:07 2013 +0000

    *testing fix test cases. support running rw tests

commit 5bfd3b7623bf0d70fe3d7c0433a95e9ff161a33b
Author: Antony Antony <antony at phenome.org>
Date:   Sat Jan 12 21:56:51 2013 +0100

    *testing: improve runkvm.py compile and install options

commit 4b409089bbe9b64bd0fdf4372612d642b83fc447
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 12 14:49:24 2013 -0500

    updated changes

commit 06e49a26ff8ef1b03ba0e8fb5a87d9bd1072f539
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 12 14:44:05 2013 -0500

    * libipsecconf: Improved missing EOL bug in parser.
    
    This fix by Philippe improves the parser, so it no longer requires
    read-write access to the file for parsing which was introduced in
    the previous fix to avoid a segfault when parsing a file with no EOL
    on the last line.
    
    This was tested with pluto, addconn and readwriteconf, including the
    relevant tests in itesting/scripts/readwrite*

commit 2bb6aca0e056db0bb5375eb0ff72c80c272c22ed
Merge: 45ac59f 4f1fa2c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 12 14:37:45 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 4f1fa2cf06beb9d418e1a17c8417178990c30ebb
Merge: 9e11cd7 f9b1bef
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 12 14:33:19 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 9e11cd71ab6e16bf2875d1b18fc122c69b93b4da
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 12 14:31:12 2013 -0500

    * pluto: move call to find_ifaces()
    
    This implements Philippe's resolution for correct connection loading
    at startup with the changed timing as a result of the new addconn
    thread that pluto starts to load the connections that used to be
    loaded using the _plutoload script started separately.

commit 45ac59f254de1d74eb4ec535af9375d9104d0ad1
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jan 10 20:53:07 2013 -0500

    * testing: testcase readwriteconf-26 has no neol.conf

commit f9b1bef31d65c4c9d02d15aef7b7ff9006e6e85a
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Jan 10 22:22:15 2013 +0100

    addconn doesn't exit on EOF at EOL

commit 7fb81cf80b14b502181af27eb68547c83bed960d
Merge: e91c6a6 5eb2b6f
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 9 16:16:50 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit e91c6a6f028ca4c80c08f4282d0693699c76bcb2
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 9 16:14:05 2013 -0500

    * testing: added iphone 4s racoon config within testing framework
    
    This test is incomplete. But contains the racoon config extracted
    from an iphone 4s. It is likely modified for using the apple keychain
    to obtain certificates, so we will need to use the stock racoon
    method for specifying the certificates.

commit 5eb2b6f06de240104cdf4dee4853f3a7aaa0fc3a
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 9 17:08:29 2013 +0100

    * testing: removed eth3 from swanhosts.

commit 1d9067f16bb65141501435fbfd634cd4a2a1f752
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 9 16:47:52 2013 +0100

    * testing: fixed a roadwarrior test psk-pluto-01

commit fdcf2fec989440a486dc33fe032b6ad0232d8048
Merge: 52aa7df c970c6f
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 9 14:46:24 2013 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit c970c6f0c9438b3267c3faa6e5262fbf51ac3629
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 9 11:42:05 2013 -0500

    * bump default IPSECBASEVERSION in git to "3.0"
    
    So git builds show up like: v3.0-66-gf3dd213-master which means
    66 commits past version 3.0.

commit ee43c8d31f36865557d099a4c608d5ed5b77d9d9
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 9 11:38:45 2013 -0500

    * Added @BINSH@ variable to Makefile.inc (default /bin/sh)
    
    This is used when building the systemd service file. This addresses
    the issue of Fedora 16 not having /usr/bin/sh, which was the value
    used in the systemd ipsec service file.

commit e72a77a38b2814fd05d2bd87f77e170cf28893a5
Merge: 41c6459 590ec24
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 9 11:32:52 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 41c64592b2dd6766fdd2073e71259e00a099ff60
Merge: 18b7f2c d0a13fe
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 9 08:47:57 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 52aa7df2a43a5c529697a6f896b5d5b8d2bb0ca8
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 9 14:45:15 2013 +0100

    *testing: fix typo, duplicate mac in swan13

commit 590ec24ddc945e10ac128b1bcfd4c16831fa3181
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 9 14:14:47 2013 +0100

    *testing: add nic vm config for roadwarrior tests

commit d0a13fe3001cc34504f69837913a8e34bd790b5f
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jan 9 10:03:27 2013 +0100

    * testing: adding compile on east

commit 18b7f2ca7433623c3e4e3e615186fa234c48252d
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 8 19:02:24 2013 -0500

    * documentation: better document HAVE_OCF in Makefile.inc

commit f3dd21396c7b3383290bf06454f7dbda7a1c53e7
Merge: 83bdac7 2217bf3
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 8 17:49:31 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 83bdac7932097526ff5063614787fdb6cb6195f2
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 8 17:48:56 2013 -0500

    * testing: add testcase for no EOL on last line

commit 99513b380392ff58b77a982d2035909fba174a39
Merge: ae49483 2e1e0db
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Jan 8 22:01:53 2013 +0100

    Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan

commit ae494838dfd124cedddd74bf9e6f775606bd5bea
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Jan 8 22:01:06 2013 +0100

    EOF at EOL condition; even better fix. Could SIGSEGV

commit 5ac8c4b45fd2b54d873668e77d85146f1c4e28d4
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Jan 8 21:19:33 2013 +0100

    Revert "To be checked by Paul with redhat connection"
    
    This reverts commit 026705c5be4d3ed6958fa51d03ad6f9901bf548f.

commit cec871e3ca536880978c7c4ed1f536e8a1846f86
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Jan 8 21:19:00 2013 +0100

    Revert "This should fit Paul's redhat connection and match my roadwarrior tests"
    
    This reverts commit dcbbbbc23e678aed68f95bdfbdcc81c4bc81b5d6.

commit 41abe31889f93cb1e29602156cb1c4656e8d37c2
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Jan 8 21:18:22 2013 +0100

    Revert "To be checked by Paul with redhat connection"
    
    This reverts commit 9368dfa89508985b7c3ad4c9e1f2e263f81d45e6.

commit 30b22084a56c19fbabd036e8d8adc2d0a594671e
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Jan 8 21:17:20 2013 +0100

    Revert "* addconn: do DNS(SEC) lookup for case KH_IPHOSTNAME"
    
    This reverts commit bfa4b9d76f19e7dd8d3736827f93f86a493eebca.

commit bc187be34fe05faff16b5c7f31588a8bbb664f31
Merge: 947ca83 da4c16f
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Jan 8 21:01:21 2013 +0100

    Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan

commit 947ca838b3836ea0ef690c9c79d6ed7334b7d5f2
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Jan 8 21:00:18 2013 +0100

    EOF at EOL condition; best fix

commit 31d2694e9283f86ab75509acae7a507dfdb4e99e
Merge: 6e6d76a f3dd213
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 8 20:53:30 2013 +0100

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 6e6d76a53a5dc06cd691fc8ad3179c44b1b58599
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 8 20:52:57 2013 +0100

    don't ipsec setup start instead pluto ...

commit 2217bf3513781bf89009ea7038d81e141c81f487
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 8 20:51:57 2013 +0100

    beginning to add compile option

commit 2e1e0db6ae7a48dc2992f095e375b77cf79435b7
Merge: 32d9313 bc187be
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 8 18:47:35 2013 +0100

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 32d9313cc33ed24c2b5d4cec458ecc26f5b0ca40
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 8 18:45:31 2013 +0100

    python swanprep instead of
    source /testing/pluto/bin/eastlocal.sh

commit da4c16f95a38bf20bf6c55c39330b4400e48b9ba
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jan 8 16:32:53 2013 +0100

    copy host specific ipsec.secrets

commit 905d4b6756d9c050275c429ff03c076ad4dab37c
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jan 7 15:35:51 2013 -0500

    * testing: suppress warning on ipsec setup stop with no ipsec.conf

commit e5d4355651a1ffdabaa807d1f08820bade3120df
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 6 17:12:24 2013 -0500

    * testing: enable core dumps for pluto

commit 978eddd32a1a17f052e18cc636eafb384dca0cbb
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 6 16:43:42 2013 -0500

    * testing: we need yum update to get the latest nss (on f17)

commit 8a2238c8278b27822058e2e24be697909a59e798
Merge: c5dab95 e082c05
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 6 16:24:43 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit c5dab95adaf99a96299607fc0d1743ba4cb2c96c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 6 16:24:15 2013 -0500

    * testing: ensure pluto does not get restarted by systemd on crash

commit e082c05539e86485cfdbba97704b78bfe4215927
Merge: 75aa6e8 597cb26
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 6 19:16:55 2013 +0100

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 75aa6e8acbb7ff2c74af1b0cd528604262fb35b7
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 6 19:16:15 2013 +0100

    add strace to fedorabase.ks

commit 597cb26a3165e6ad15d15a341f51ae4a4775137a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 6 12:31:40 2013 -0500

    * ipsec status worked but also said "unknown command" due to missing exit 0

commit ff5c9c22ab8fcb069f10f95d0b86d71aaaa3810d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jan 6 12:28:26 2013 -0500

    * ipsec setup restart on systemd calls stop+start, not restart
    
    because systemd refuses to run the start part of restart when the
    system is already stopped.

commit 1d2635cb14d719515a306e1049b0b72b959b5580
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 6 17:06:10 2013 +0100

    fix the test. weird thing east also need up for PSK to work

commit 3d7a29f6500ad19affd0c2e0691da5bc06c93ccb
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 6 16:40:34 2013 +0100

    link /tmp/pluto.log /testing/pluto/<test>/OUTPUT/pluto.<host>.log

commit 72d254d580c83e73d294b18a48204486aab8c8ed
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 6 15:44:45 2013 +0100

    a basic ikv1 psk test without including all/etc/ipsec.d/ipsec.conf.common

commit 987b8c863eec4f9d4497e14b1efea593b594ec64
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 6 15:42:56 2013 +0100

    copy general ipsec.secrets  not specific one exist in the test dir

commit 76594a6d4e5cecdc8f608188143ef076221c7c6c
Merge: d079adc b8a6115
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 6 11:52:23 2013 +0100

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit d079adc7e6cf5831deb6a35a1f9c2ac61f0adfaa
Author: Antony Antony <antony at phenome.org>
Date:   Sun Jan 6 11:49:16 2013 +0100

    added test case ikev2-11-simple-psk without any includes.

commit d2e9dfaf4fa1245bc1ce3a291c6e1eec23b5064b
Merge: 5dde459 b8a6115
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 19:32:33 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 5dde459768c3c803e465c5cc93f5a0a9595298d7
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 19:17:56 2013 -0500

    * updated changes

commit b3251e764c31f670cc40cca1cf65f3d47148ae01
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 19:09:06 2013 -0500

    * SAref patches for Ubuntu kernel 3.2.0-33.52 [Simon]

commit b8a611540148b5d3c8a589ff8ef4a2ca9af61d1c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 5 03:02:42 2013 -0500

    * remove log_with_timestamp_desired and add comment about _desired vars
    
    We don't need the two-step setting from log_with_timestamp_desired to
    log_with_timestamp, as there is no risk of using this before the
    logging system is ready. As the comment explained:
    
         * We read the intentions for how to log from command line options
         * and the config file. Then we prepare to be able to log, but until
         * then log to stderr (better than nothing). Once we are ready to
         * actually do logging according to the methods desired, we set the
         * variables for those methods

commit 0b04fc41f88a1c98f1f771d2252ab052db707d1b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 02:29:43 2013 -0500

    * remove pluto loglog() function from showhostkey.c
    
    Still needs some stubs due to other issues in lswlog.c but no
    longer needs lswlog.h

commit a072b9fbaae120fa89db3cb2792104a12741f5b3
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 02:17:29 2013 -0500

    * spi: cur_debugging has no place outside pluto/whack

commit 6077002d4c12290629216f4d1f7a66a1485241b4
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 02:12:17 2013 -0500

    * plutoalg.c leakage of libreswan_loglog()
    
    pluto uses loglog() while the rest uses libreswan_loglog()
    loglog() needs programs/pluto/log.h but libreswan_loglog() needs
    include/lswlog.h. Someone mistakenly did the reverse in plutoalg.c
    and fixed it by including the wrong include file.
    
    (note the logging drama goes much deeper, but the diffs I have to fix
     that are not yet ready to push)

commit a5a4de54650ba38a076acd79e846513589bbc665
Merge: d3ebcb1 8c11315
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 02:08:40 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit d3ebcb111dbc6f86b82440e1330f04419857b07a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 02:07:23 2013 -0500

    * pluto: was not logging all messages to file since libreswan 3.0
    
    plutostderrlog= was not fully ported in, and not all logging
    functions inside programs/pluto/log.c supported log_to_file.

commit 9e4a140daf7d43e43c76a297e130b88b9c5237b9
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 5 01:43:10 2013 -0500

    * logging: vendorid leaked some info which should be under DEBUG only

commit 8c113159e19bfcc508ca1c5b281535313001159d
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Jan 4 11:36:57 2013 -0500

    * Ensure the debian/ directory gets updated version numbers too

commit 491d38d625d2af9fb0d2a51329242d4c30f1d783
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jan 4 14:05:32 2013 +0100

    added nss and unbound dependencies

commit 3a49276fb7d9d8edf8b1a2ca0d3752a256041851
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jan 3 14:05:06 2013 -0500

    * update changes

commit dbf0e5be02ed7a214894c00275e867a1ca5fec03
Merge: 3bccac8 b0673a0
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jan 3 14:02:43 2013 -0500

    Merge branch 'sa-stats'

commit 3bccac842565ae2e17915c629a356af2180ea23e
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jan 3 13:43:30 2013 -0500

    * increase number of ike_info/esp_info entries
    
    The alg_info_ike struct needed a bigger number in some cases
    when 1DES was enabled (requires explicit recompile) causing a
    crash. Bumped alg_info_esp while at it just to be safe.

commit 319bbfa0218e7151099555b64e2fa6f299b26775
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 2 01:32:01 2013 -0500

    updated changes with release date

commit 35f5d410ef858429f5ad8adaa840ce134af14641
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 2 00:54:41 2013 -0500

    * export IPSEC_CONF from the ipsec command

commit c00211359b44bf51a436a7189624843a7d14d4f1
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 2 00:05:37 2013 -0500

    * install: sysvinit changes for non-default install

commit e9be5ea898425cfbd7f0bc3c76c1697c277789c0
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 1 23:43:21 2013 -0500

    * setup: also calls addconn and needs --config for non-standard install

commit 5b07bf26b4dd79cb5f3e2d2f761b96766ba5767b
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 1 23:37:16 2013 -0500

    * second call to addconn was missing --config for non-default install location

commit 27f9f668edfda3285e5e1377e15b0d65027f371d
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 1 23:09:48 2013 -0500

    * install: fix non-standard ipsec.conf installation issues.
    
    addconn needs to get passed the --config option, via the ipsec
    command. The same for _stackmanager which needs the location to
    find the stack type. And the same for the systemd service file

commit 85964c8e47376baee57b4fa65af6e1efaeca8b9b
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 1 21:48:29 2013 -0500

    * packaging: minor cleanup of spec files. Fixups new stable URLs

commit 0077791721cb81106e71f19c3d713a5845f4a6df
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 1 20:09:02 2013 -0500

    updated credits

commit f5de082b7cfaff96655983f1d3517bca40c5d621
Merge: a691bb0 e6b466a
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 1 19:53:29 2013 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a691bb00933d47b82a730dc327da727f102af725
Author: root <paul at libreswan.org>
Date:   Tue Jan 1 19:52:09 2013 -0500

    * add note on AUDIT in changes

commit bfa4b9d76f19e7dd8d3736827f93f86a493eebca
Author: root <paul at libreswan.org>
Date:   Tue Jan 1 19:50:18 2013 -0500

    * addconn: do DNS(SEC) lookup for case KH_IPHOSTNAME

commit e6b466a5ab01398245600b571dec1434648d7d87
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jan 1 16:29:24 2013 -0500

    * update example sysctl.conf with some ipv6 settings

commit 71ce7ed8f6496560653a835508ba91e048cd429a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 30 12:55:40 2012 -0500

    * disable USE_LINUX_AUDIT in main branch

commit 0eba202091d2962dc7e87d3640bcc97bfbf806eb
Author: Antony Antony <antony at phenome.org>
Date:   Sat Dec 29 08:10:02 2012 +0100

    fix typos and use distutils.dir_util.copy_tre

commit 6af4cfde44717ef431d457c0d3a042e97b4865f9
Merge: dcbbbbc e6ef9d1
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sat Dec 29 01:22:37 2012 +0100

    Merge branch 'master' of vault.libreswan.org:/srv/src/libreswan

commit dcbbbbc23e678aed68f95bdfbdcc81c4bc81b5d6
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sat Dec 29 01:21:19 2012 +0100

    This should fit Paul's redhat connection and match my roadwarrior tests

commit e6ef9d159a06f620920ff3abf3f4a94743168c67
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 13:30:19 2012 -0500

    * testing: ported ikev2-05-basic-psk to new swanprep testing setup

commit 6cd9251b1dadb39c40107e7592ecc04a009c9928
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 13:28:46 2012 -0500

    * testing: swanprep: use -H for hostname, -h is builtin help with argparse

commit 62352c6649a617189c13a0efd361b4def542126f
Merge: 7a3d372 6d1a557
Author: Antony Antony <antony at phenome.org>
Date:   Fri Dec 28 17:07:00 2012 +0100

    Merge branch 'audit' of vault.foobar.fi:/srv/src/libreswan into audit

commit 6d1a55763fd15a435ca46aeb80b7418642d072ec
Merge: 6039d55 075fe44
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 17:37:30 2012 -0500

    Merge branch 'master' into audit

commit 075fe4472f490f7c2fd28eb41388de5bfc8cbc41
Merge: 0c96eca f6b0288
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 17:37:19 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 6039d557dcbccd5c18c8d727f05ed69785d6f2bc
Merge: 97239a5 41ac859
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 17:36:57 2012 -0500

    Merge branch 'audit' of vault.foobar.fi:/srv/src/libreswan into audit

commit 97239a5132c29684c550ac0265d068554f29b1bf
Merge: e9f5b59 0c96eca
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 17:36:21 2012 -0500

    Merge branch 'master' into audit

commit e9f5b59fd936b065e929d33168277fbb393ac85e
Merge: 1a550e0 e8012e0
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 16:25:52 2012 -0500

    Merge branch 'audit' of vault.foobar.fi:/srv/src/libreswan into audit

commit 1a550e0df67ed7ff1146e4e520e30759fd6d437b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 16:19:23 2012 -0500

    * audit: for now, let's not abort pluto on startup at audit failures
    
    We will re-enable this once we have written mode audit code

commit 0c96eca4ab2d5870166906536944ba0a80b3e43e
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 16:14:48 2012 -0500

    * Remove obsoleted IPSEC_EXECDIR env support

commit 6f5e0c485c1eb62fbbae35a6b9aac3f948811b13
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 13:11:18 2012 -0500

    * Remove obsoleted $IPSEC_CONFS

commit 138ec347a2a0782b31c3056e028146f7c268ffca
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 12:57:45 2012 -0500

    * Removed obsolete env var IPSEC_CONFDIR_VAR

commit c875af2274955285504ed4baabb5d46af49b20ab
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 29 12:54:27 2012 -0500

    * removed obsolete $IPSECsyslog

commit f6b02885ac4368c20fc482c36c2133935497b41f
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 23:30:50 2012 -0500

    * updated changes

commit 579494e03d5fbf1359742075cf264795eb943f3b
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 23:21:45 2012 -0500

    * pluto: honour plutostderrlog= natively now _plutorun is gone
    
    plutostderrlog=/some/file was implemented by the _plutorun wrapper,
    which redirected pluto --stderrlog output to the named file, obtained
    from awk/sed calls on ipsec.conf. pluto itself had no concept of this
    log file location.
    
    This introduced the log file location to pluto, and adds the --logfile
    argument to the pluto daemon. It also processes plutostderrlog= from
    any config file given with --config

commit e8012e0863cb484ae3bb32b144ab5d6cf3d312c0
Merge: acb0b41 6af4cfd
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 21:35:08 2012 -0500

    Merge branch 'master' into audit

commit acb0b41b563ddc362c6b2866ab456b4df6341382
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 13:30:19 2012 -0500

    * testing: ported ikev2-05-basic-psk to new swanprep testing setup

commit 7529be5cc53ead4e27a0e6bf7a34dddcae4d2b9f
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 13:28:46 2012 -0500

    * testing: swanprep: use -H for hostname, -h is builtin help with argparse

commit 8ca77f767df5b8562baae7a0c4b582613921fd30
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 01:16:57 2012 -0500

    * testing: run "swanprep" to copy testfiles to proper place in VM

commit dc2929575a2bb3b367ef9c6f8137f088ad48d97f
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 00:05:26 2012 -0500

    * testing: source testparams.sh, not tparams.sh

commit 0f6dd6a0a4276a64be0bc844a1e5905ea194187f
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 26 17:02:53 2012 -0500

    * fix override for using sysv not upstart for rhel

commit 92dd28a38206c264740676a130ae0e894b7a99e7
Author: Antony Antony <appu at phenome.org>
Date:   Fri Dec 28 13:42:58 2012 -0500

    * audit branch: do not enable fips and labeled ipsec

commit 7a3d372ab8bfabcc87f5646240717f4fe67b9c79
Author: Antony Antony <antony at phenome.org>
Date:   Fri Dec 28 17:05:22 2012 +0100

    testing linux audit call

commit 026705c5be4d3ed6958fa51d03ad6f9901bf548f
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Fri Dec 28 16:42:00 2012 +0100

    To be checked by Paul with redhat connection

commit 9368dfa89508985b7c3ad4c9e1f2e263f81d45e6
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Fri Dec 28 16:26:57 2012 +0100

    To be checked by Paul with redhat connection

commit b9656a3a6c0a1a1cdf2687c508ac9cae38000a4d
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Fri Dec 28 16:22:13 2012 +0100

    improve diagnostic for loglog(RC_ORIENT, connection must specify host IP address for our side)

commit 91a973a3849f4b84f2bfae079fab74dd4eb41b90
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Fri Dec 28 16:18:32 2012 +0100

    resolve_defaultroute_one was wrongly setting parse_src=0 when no {left|right}nexthop

commit 41ac859014d5cb540c3473abc7dffa41624c7cb3
Author: Antony Antony <antony at phenome.org>
Date:   Fri Dec 28 16:07:18 2012 +0100

    add audit-libs-devel

commit 94dc00b84aa6fc88c2a99ee1dee2376f01df470a
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 01:16:57 2012 -0500

    * testing: run "swanprep" to copy testfiles to proper place in VM

commit f2c216bd7f3d1db12b1c2c47bc9ba99304f4ae1f
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 28 00:05:26 2012 -0500

    * testing: source testparams.sh, not tparams.sh

commit 76b8eb7c61590dfbe1fe1b8f14cd608027db7aa0
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 26 17:02:53 2012 -0500

    * fix override for using sysv not upstart for rhel

commit b0673a022e3c4295ba12989f211d36c22b26065d
Merge: fa036c8 524be4e
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 25 15:23:08 2012 -0500

    Merge branch 'master' into sa-stats

commit 70403b646233a58e855949e3ec4b363be920e768
Merge: 70bf68d 524be4e
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 25 15:22:30 2012 -0500

    Merge branch 'master' into audit
    
    Conflicts:
    	packaging/fedora/libreswan.spec

commit 524be4e245715f7675f2ec097c611ac8e6b027e5
Merge: cd577dc 4074677
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 25 13:54:01 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit cd577dce9baacb6adae07e584048fc425cd49a6f
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 25 13:44:24 2012 -0500

    * verify: missed replacing on SSCMD - spotted by Philippe

commit 4074677e3579b069580949a71f12614397a5c019
Merge: 8a0165b 5739e0d
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 23 20:49:31 2012 -0800

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 8a0165bd09ce2e7328abbc95dfab14b855f84526
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 23 20:46:47 2012 -0800

    build the .8 and .5 man pages for the pluto dir

commit 5739e0d6f38269b80dde76b7726c931765223717
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 23 23:32:39 2012 -0500

    * add regenerated ipsec.conf.5 man page

commit 3c06bb41012223fd440623d3479c7eb168a26048
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 23 23:28:31 2012 -0500

    updated changes

commit 2ac4d6a68a2e86323f3b95e66fba672f1f1a3bcc
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 23 23:16:41 2012 -0500

    * ipsec verify has been extended with more checks
    
    It checks ipsec.conf and ipsec.secrets for syntax errors.
    Obsoleted ipsec.conf options are displayed as warnings.
    The OE checks are back, and check FQDN/myid and IPSECKEY in the forward DNS.
    The command now returns the number of failed tests in text and as exit code.
    
    Man page updated to reflect removed --host option

commit 68d68c6516d1534d8aaab3b45019666d45b40931
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 23 23:13:03 2012 -0500

    * Obsoleted global nocrsend= option
    
    This global option was already obsoleted by the per-conn options
    leftsendcert= and rightsendcert=
    
    The boolean no_cr_send has been removed, and the parser now warns
    the option nocrsend= is obsolete. pluto no longer accepts the
    option --nocrsend or -c

commit fa036c88e3f807a3101509dc220c8682bf211041
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 22 10:44:13 2012 -0800

    print ah and ipcomp data too

commit 786aee35df273dd3e0903c172dcd7d390c4a7424
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 22 09:43:23 2012 -0800

    log ah and ipcomp data too

commit ed1ca2c23ba0f296f535dc732f92e5122c2000eb
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 22 09:31:50 2012 -0800

    only log down info on ESP usage

commit 292123162b1db9e7d31f507a5e8bc5105034d585
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 22 09:26:22 2012 -0800

    humanize the down output traffic information too

commit e2fff38821a2ba81e8cffe3ff38d13556870ec37
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 22 09:19:28 2012 -0800

    print humanized numbers for in/out traffic on auto --status

commit 68aaf930e51f9cf075ce2c07bf53d112d95a5b1a
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 22 09:04:39 2012 -0800

    Print in/out/max bytes properly

commit 3392d69dc0eb6851286dc48c3d04e65db6d02216
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 22 08:50:41 2012 -0800

    log traffic information in a better way

commit f3c27c57095adfcbaaa6a45556637c69e13ddc3c
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 20 09:01:34 2012 -0800

    initial stab at printing statistics

commit cc7800c327e2bb5d3e1044a9543bdc7f66443700
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 20 10:41:43 2012 -0500

    * fix for commit ae4701f35207
    
    It circularly defined pluto_shared_secrets_file to itself, resulting in:
    
    root at bofh:/vol/home/paul/git/libreswan ((2b872a9...)|BISECTING)# ipsec secrets
    003 unknown glob error -1

commit b283bf03200e4403c0e70d442cce8d80a0f15d5c
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 20 09:03:38 2012 -0500

    * pluto.8 pre-generated man file missing

commit 39b7891e50fae053e8acebdc1f55af6408f8fdad
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 20 08:53:09 2012 -0500

    Revert "Revert "Revert "Always use XFRM_MSG_UPDPOLICY instead of XFRM_MSG_NEWPOLICY. This avoids"""
    
    This reverts commit f81203faff29490157c6ef1cbc75d476a902bb63.
    
    This was accidentally pushed

commit 81412f80dae9732431baed3c03caed00a2d93b1e
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 19 22:30:07 2012 -0500

    * updated changes

commit 74ac957ef9e7d6450f45014cbb8f0f64cef0177b
Merge: f81203f 939850d
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 19 22:21:56 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 939850da225d242820f64f173c60bf4db7088f84
Merge: 6ca2edb 80717d4
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 19 18:58:44 2012 -0800

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 6ca2edb045895bbcbf116d19492c43949104956e
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 19 18:58:23 2012 -0800

    Rewrite the EOF parser to at least warn on an EOF at an EOL

commit f81203faff29490157c6ef1cbc75d476a902bb63
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 19 16:31:41 2012 -0500

    Revert "Revert "Always use XFRM_MSG_UPDPOLICY instead of XFRM_MSG_NEWPOLICY. This avoids""
    
    This reverts commit 15d27b8ad4a2f0d1fb252e608cfeafe6b7121773.

commit 80717d46751bb96b64ffba255c2272ea12443b3c
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 18 19:01:21 2012 -0500

    * XAUTH: pam example using secureid token

commit 6029093845b37daa541a4b3ab1b9c5580960682d
Merge: 0df9a46 f684308
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 18 17:34:39 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit f6843080e2b00ea154b7a615425cbd1e26921b84
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 18 17:12:22 2012 -0500

    minor updates to INSTALL

commit 9bd14cfca07c9a31b31071594ceca33a0e934f2f
Merge: f87fa6e 74c4c45
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 18 17:02:32 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit f87fa6e21630b5082829b342a7e7019056b9609c
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 18 17:02:09 2012 -0500

    * remove misleading comment in updown.netkey

commit 1987ac98f81d161e2bf6a34ceef77cb09335ad55
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 18 17:01:24 2012 -0500

    * sleep 1s in the addconn thread on startup
    
    It seems on my laptop, things start too fast and pluto isn't ready
    yet to accept connections to load.

commit 74c4c456488db37f11bc14ef06d246186f8ba3cf
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 18 17:00:17 2012 -0500

    * updates changes

commit 0df9a46f79000c2ce3262bc8898941aaeb44671a
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 18 14:05:01 2012 -0500

    * man page: don't use "secret" as a connection name example. too confusing

commit a2b9ef4648337f9dbd0263930d5a680f7564bd1c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 16 20:13:07 2012 -0500

    * fixup pluto man page

commit 0543effbefac84f81e4dacbb73bdfb13a2a5c9dd
Merge: 4e39b53 3c9c5bb
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 16 01:07:03 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	programs/_realsetup.bsd/ipsec_realsetup.8
    	programs/addconn/addconn.8.xml
    	programs/ipsec/initnss.8.xml
    	programs/ipsec/ipsec_import.8

commit 4e39b53f4b4b72e5a689c6879e11f9bf41852934
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 16 01:05:03 2012 -0500

    * realsetup.bsd man page

commit 3c9c5bbc0dc78409580d0bd75e396e9575344ece
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 16 01:00:04 2012 -0500

    * fixup man for addconn

commit 4953605ad6e5f0bda0bf9ec867a27283ca3acf7c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 16 00:58:41 2012 -0500

    * fixup xml/man in programs/ipsec

commit 2cdef37289008fcd63c99f0b404dbc45ac334456
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 16 00:49:06 2012 -0500

    * fixup more warnings in man pages
    
    Note that man pages get built from xml file into OBJ.* so they
    don't automatically overwrite our old man pages.

commit 686aa8b3b3213372c2c70a4e1e18eedc99dc725d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 16 00:45:43 2012 -0500

    * fixup xml files for lib functions. Actually generate man pages.

commit 2b872a9fe5ac998cce0d5ec47f54e21ef54d995b
Merge: ae4701f 18df7f9
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 15 20:23:41 2012 -0800

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit ae4701f35207b8464d7fec5eab3b7b7f1e56f534
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 15 20:23:08 2012 -0800

    Squash many warnings
    - addrbytesptr() was accepting a double pointer and modifying the
      pointer, but the pointer was labeled 'const' and this caused
      many warnings higher up.  The input is now a non-const uchar **.
      (some C compilers may let you do better const declarations, but it's
      not portable)
    - Added a new DISCARD_CONST macro to discard a const qualifier without
      a warning if it really must be done.  Use with care and sparingly.
    - Added a new START_HASH_PAYLOAD_NO_R_HASH_START() macro when the
      r_hash_start variable isn't needed.
    - misc other small warnings fixed

commit 18df7f9efa658119022f2f31a316e446f16f6e24
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 14 13:59:18 2012 -0500

    * systemd: run -listen on reload instead of --rereadall
    
    Because listen does a rereadall AND looks for new interfaces/addresses

commit b688af50fd089cbdfde74d86cd2292ef3436eeb9
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 14 12:08:50 2012 -0500

    * ipsec initnss/import now runs restorecon -Rv on the ipsecdir afterwards
    
    This resolves an issue for me when I got:
    
    Dec 14 10:53:52 thinkpad pluto[24834]: NSS initialization failed (err -8015)

commit 4b18191a796e4624e5ac265d03f4040146a6f1d5
Merge: 8c8e995 92cc873
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 13 20:54:36 2012 -0800

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 92cc87318be06fae146c8fe60eb457a923272053
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 12 22:45:49 2012 -0500

    * manpages: fix all but one xml warning in man page generation
    
    The only one I haven't managed to fix is:
    
    Warn: meta author : no refentry/info/author                        ipsec secrets
    Note: meta author : see http://docbook.sf.net/el/author            ipsec secrets
    Warn: meta author : no author data, so inserted a fixme            ipsec secrets
    
    I'm confused where/how they seem to want this author entry.

commit 5edb54ebb5a7c75c9fee60373d423ab752afd811
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 12 22:45:27 2012 -0500

    * confread needs to include interfaces.h

commit 8c8e9950b2c9b9e776b1633076de88571db4a9da
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 12 18:23:09 2012 -0800

    check the USE_XAUTH variable before installing the pam.d file

commit 70bf68deda87ee6ea9fc72057839d3ccb48fe76d
Merge: ed2ac56 1d7ff88
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 12 19:04:41 2012 -0500

    Merge branch 'master' into audit
    
    Conflicts:
    	CHANGES
    	packaging/fedora/libreswan.spec

commit 1169d9312794081b49cf14d101e8e808a874b653
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 11 21:49:02 2012 -0800

    Install the pam.d pluto file or warn that we're not going to.

commit f3be070c35141aa56c5f9d432be4401d4fc80e8b
Merge: ffff8a0 1d7ff88
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 11 15:43:38 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit ffff8a08cff656dce41415e58729ca92f6646e4f
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 11 15:42:48 2012 -0500

    * packaging: fedora spec file copied into one for f17 and f18
    
    This is due to f17 missing the systemd macros

commit 1d7ff882a721bbf244bfe46945d933b4472fc41a
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 10 16:20:50 2012 -0500

    * fix check for systemctl daemon-reload call on local install

commit 3822386f3e9819290d993b31e2df8e02b691a9ec
Merge: 8064af1 fb3ba0e
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 10 08:49:36 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 8064af1040812a0ad25f74521fc0a0c4e245188b
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 10 08:49:16 2012 -0500

    * note about SELinux in "make install" with some hints

commit f9a657ff6c1477afe0dde9b4bf4fbd8763443fc2
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 10 08:33:22 2012 -0500

    * verify: drop hint for rp_filter and man page for help

commit d1d43f71446b961a93d9138d183feeccab2d0bb1
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 10 08:21:11 2012 -0500

    * verify: fixup trying alternative locations for ipsec.conf

commit 952821ec8243e23e0c137f68a85f94fe6df95a75
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 10 08:11:55 2012 -0500

    * verify: the ss command lives in /bin/ on Debian

commit fb3ba0ecaeda8ab9b36e89b2a2e70217a6fa5d22
Merge: 82bccaa 8d86669
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Mon Dec 10 13:56:56 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 82bccaa9bf44b511e9dd311241e066941b005745
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Mon Dec 10 13:55:35 2012 +0100

    No longer getting "warning: NETKEY/XFRM in transport mode" messages in /var/log/secure

commit 8d866691627d8bb2902f1123b0abebf8d0eb35b6
Merge: 5ef0da9 c00ae62
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 10 07:51:16 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 5ef0da94bf92ec4636ade11e11aff732f66d8abc
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 10 07:49:45 2012 -0500

    * building: add note in Makefile.inc about not using -O3

commit c00ae623f1674e2b812a9b84ae33f7619b4d7d83
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Mon Dec 10 11:27:43 2012 +0100

    With this isatty test, # systemctl stop ipsec.service no longer fails

commit 96d1084f7dfb0f8cab6979bac5736b33ba5ccd33
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 22:19:07 2012 -0500

    * close if, need sleep

commit b6be3d1882add38f38de69eb88d6094ab78be722
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 22:14:24 2012 -0500

    * lswan_detect: override initsystem for rhel/centos to sysvinit

commit 3df8b641a79e4886ef33d60cc3a98e6d82335d6f
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 21:55:56 2012 -0500

    * setup: override to sysv for rhel system that detects upstart

commit fc9d1acc2590adf4dd99d959a242f570ce54b5a9
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 21:51:20 2012 -0500

    * Wes forgot a "then"

commit b9aa9c4e913d36ae573fb1c57ca7928e92d6f11f
Merge: bdfd660 6d0df4b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 20:24:45 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit bdfd660f72703d0a46d22aab00c1c33653cf74c9
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 20:24:16 2012 -0500

    * fix name in README.Debian

commit 6d0df4bcc4f98ad24c44e96b739de95e337df09f
Merge: 9f044b9 e4dc613
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:58:12 2012 -0800

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 9f044b9e59bf29d7b5f9cca4e2e68b67e8ca5345
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:56:12 2012 -0800

    Add support for upstart

commit 7782cd9d3e6bfd60f13d200bdbc144416cdc94f1
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:49:42 2012 -0800

    use --version instead of --versioncode

commit e4dc613df142a349e9a37aab8f85defca4181339
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 19:49:12 2012 -0500

    * debian: some scripts use ipsec --verioncode, so alias added to --version

commit fd73a9deb32ed3c198059f8b0e7d686e2cadb50b
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:47:11 2012 -0800

    check for /sbin/start to signal upstart is being used

commit 8860919c93a6ba0b5681371c41502a83068da02e
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:46:57 2012 -0800

    add /etc/init

commit e18cfb8beaf3a34e6dcc8336a2e3b6f4737f7578
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 19:10:56 2012 -0500

    * updated changes

commit 04920ceb3f4f20f03c8eb480ffb924449b6da1ad
Merge: 6a78096 d02baee
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 19:10:31 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 6a780967b3fe3a9ee04fcdd3de473780b87d481e
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 19:10:04 2012 -0500

    * stack: if we find stack is "auto", use netkey

commit d02baeea25fb5559b40567eaa41ef97861d7ebbc
Merge: 775d963 5c3fd7e
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:08:09 2012 -0800

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 775d963a608db2fc84db1ed23ed6d81f1cb16d46
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:06:37 2012 -0800

    start the stack manager

commit 93d2bd22e60c7ad8f18a12b786a026d76459e457
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:04:41 2012 -0800

    use protostack=netlink since auto is no longer supported.

commit f7e63d1121aa58b59c1b4025680236054945b5da
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 16:04:18 2012 -0800

    make the init script more portable across multiple system types

commit 183c8e729a5df9ef3024be0e6ddcb298dcb24b1e
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 19:01:58 2012 -0500

    * don't print \n with echo

commit 5c3fd7e9b524667988d426ae7b283b1c01b7e5f8
Merge: 630b02b b1902cc
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 18:55:25 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 630b02bd5534d80206f01a523f8a9e9199857a28
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 18:55:11 2012 -0500

    * updated ciabot.pl

commit 3cd993ade964279dcde7d1b17c3c333119e24988
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 18:50:11 2012 -0500

    * packaging: rhel spec file updated

commit b1902cc609295cb2b4560d8c3cc85526b7c0df9a
Merge: 9639500 3207408
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 15:46:59 2012 -0800

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 96395006b43a2ddaa8e8dbb3522dd16dd902cbfb
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 15:46:11 2012 -0800

    install the ipsec init in rc.d/init.d

commit 499247ffde70d6c43e95841d37f218368a3ec0c2
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 18:35:15 2012 -0500

    * allow override for initsystem detection (needed for RHEL)

commit 91c23c8a646436f99231aed20a270cee99d40e9b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 18:09:22 2012 -0500

    * phased out /usr/lib{64}/ipsec - moved contents to /usr/libexec/ipsec

commit 3bc5f72657d65621fded4cf0ae2cda11e699eeb5
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 18:05:50 2012 -0500

    * put all our helper programs in libexec, no more /usr/lib{64}/ipsec

commit 3207408545d9e7f941154fa1f2bc350f8af17be2
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 16:56:04 2012 -0500

    * we no longer have init.d/ipsec

commit 1c258453fb87e19b37d2fa507cce85c5366b70b6
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 16:44:28 2012 -0500

    * libreswan.spec: last cleanup and removal of ghost for /var/run/pluto

commit de79363de7e1d170145e1ef8f5ba41b0d202f78d
Merge: d1f91bf 7093005
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 16:33:05 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 7093005f9ea17e09ec4baf3d758baf8955b0abd3
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 13:33:25 2012 -0800

    remove double DESTDIR variable usage

commit d1f91bfded168b224e5810365fe8a28ee5fd76a2
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 16:32:39 2012 -0500

    * systemd macros for libreswan.spec

commit 3473e553d57828b6544141a04e61de02a3dd0013
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 13:31:57 2012 -0800

    add back in the silencing @ sign.

commit 009d2ad58f3c2ac7bc7394ba49c6bc226141d48f
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 13:30:50 2012 -0800

    remove accidental second test keyword

commit 03567c62005eff2516719d8355b35e7a39bac800
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 16:17:37 2012 -0500

    * updated to spec file

commit 0bbf38223bc2db530536ae290077731f39391216
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 16:11:34 2012 -0500

    * use pkg-config for systemd unitdir

commit 4ad8d7d26cbd4fa03c1883c7f63e9aa6033764bb
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 15:54:48 2012 -0500

    * systemd: missing DESTDIR for installing /etc/sysconfig/pluto file

commit 0f757e11625e4fc1ec300604ee71a93a34c9b246
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 15:44:50 2012 -0500

    * missing ;

commit fec60f2307161146f231578f61d0f795f580f82b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 15:43:01 2012 -0500

    * systemd: only call systemctl daemon-reload when installing on live system

commit e683d512e43b2f14a1fd7e911575afdddbcbe06c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 15:38:55 2012 -0500

    * commit lingering ipsecdir.xml

commit 703c9b0097de9d8b6d65aa9db7980a9941b5485a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 15:33:23 2012 -0500

    * cleanup fedora libreswan.spec file

commit bf21d057a7fef1b40f76287eca6210f5333c44b6
Merge: 5c90248 8860348
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 15:29:33 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	packaging/utils/makerelease

commit 5c9024821d7b6b25a6dab987d9ceb65f4585e019
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 15:28:22 2012 -0500

    * NSSFLAGS no longer passed via USERCOMPILE

commit 493f30f106868fc75fdbada0414632bfffae1833
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 14:50:21 2012 -0500

    * fixup make release target

commit 88603487a28861c6356eb6343b1c6abbf417ac8f
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 14:50:21 2012 -0500

    * fixup make release target

commit c1abc72f40a41b1b8bffeeb37bdb8bf8d719af61
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 14:46:23 2012 -0500

    * fixup Makefile.ver

commit ba1303d25b08028230bc63cc67507c9d6f4516ab
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 13:53:13 2012 -0500

    * systemd: the eval wrapper is needed for the pluto start

commit ee0597d1b409445bdcdd1a20823b9c6f827a263b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 13:48:42 2012 -0500

    * systemd: let the admin know if they need to enable or restart the service

commit 4f898560f7c679d14dd722f3c9ef388031489cef
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 13:30:59 2012 -0500

    * List the current mode of SElinux when warning

commit 00d37a0ca5c08f37a4dbbdf594541db327f15cbb
Merge: 8ea5cbf 7db6c4b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 13:09:10 2012 -0500

    Merge branch 'master' into systemd-initd-install

commit 7db6c4b83cf886bd2bcceac6482d21106d4775a0
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 13:08:32 2012 -0500

    * xml: d.ipsec.conf/ipsecdir.xml was missing from the ipsec.conf man page

commit 42840a57d890963072017f73278b5fb598ef0b86
Merge: 301a3ed 1b3782f
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 9 13:07:44 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 8ea5cbf7c6bae32fe4a669f8f73347dec9cf822d
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 09:17:51 2012 -0800

    Add the sbin directory to the PATH so the ipsec program can be found

commit b30dda4e494995938dc957877d065c38bdf7b59f
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 07:45:32 2012 -0800

    remove the no longer needed eval wrapping and start the _stackmanager

commit 101b282b491c97cc8428bfa8ed24c03d60eacf74
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sun Dec 9 07:26:03 2012 -0800

    don't overwrite sysconfig and similar config files

commit 70882e68c5b795308c5c46352629373dcfdac804
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 19:41:56 2012 -0800

    assume only a single init file and drop the foreach loop

commit 1b3782f7c58ee3d5efab3af9ca25a54197a6e12e
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 22:40:53 2012 -0500

    * verify: ip xfrm output is different between iproute 2.6 and 3.x

commit 667e8e53e600a8797b3b60d4e8d22f3d9767b8d9
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 19:34:08 2012 -0800

    set the default pluto options to blank

commit d405123ea17d99a4b2d04126b70bc60266b5282c
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 19:34:00 2012 -0800

    add back in the PLUTO_OPTIONS

commit 75b26ff3ed39ce2e148e6fe33d7c691eb6bd26c7
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 22:05:12 2012 -0500

    * verify: fixup check for UDP listening on port 500/4500 with ss
    
    Use slightly different arguments to work around ss bug, see:
    
    https://bugzilla.redhat.com/show_bug.cgi?id=829630

commit 366a7bfb3524b5641dee256920df2a648be31bc5
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 22:00:01 2012 -0500

    * verify: document known bug in /usr/sbin/ss with UDP listening sockets

commit c37f04df26ae7f15bc5888f8e36558562911cea4
Merge: 3a24121 9482067
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 16:08:49 2012 -0800

    merge of changes from test fedora system

commit 9482067bca19da168a81b21bb7984645d1a2ab0a
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 16:07:34 2012 -0800

    fixes for upstart systems

commit 4cdd5f9e42a0b37034b85c42d1a54d39b685367d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 18:40:50 2012 -0500

    * ipsec initnss had a bogus space in it

commit 3a241219dec9c4422da37fdd8c7c3a60017f4b84
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 15:30:21 2012 -0800

    move the config-all.h file back to fedora where it accidentally came from

commit 06963c3a7d47c20f86c8fa7ebb1a9402561a9454
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 15:21:25 2012 -0800

    Don't add in the PLUTO_OPTIONS since the variable doesn't get expanded

commit d5e62676c910a7a7f8a83595cf3627cdb759d88d
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 15:05:50 2012 -0800

    use the right directory without a double ipsec/ component for pluto

commit 98c5ca0979f5a0f6070a5b124ed6602181a68bae
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 17:58:29 2012 -0500

    * remove SECRETS= define from _plutorun.in

commit 55897bb1d5153eb2478cb1d3fe5ffe2468f9e280
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 17:48:37 2012 -0500

    * _plutorun: don't pass --secretsfile /etc/ipsec.secrets
    
    The default is set inside plutomain, and we allow secretsfile= in
    config setup in ipsec.conf to override the location.

commit a7ff6da16b1366a5282b34bc2d6c1ccfb942b3cd
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 17:23:44 2012 -0500

    * OCF: _stackmanager tried to tune KLIPS before the module was loaded

commit a29f6556f60df87d1c239cd61b6f808a365e7480
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 17:17:02 2012 -0500

    * NSS: Use pkg-config --libs nss to find proper nss/nspr versions

commit 380de4f526c86b03cdb7fa58b7af0d2aaa191c8c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 15:09:03 2012 -0500

    * compiling: Update standard compile options to be more hardened

commit 5ea78a977b92cb2c2771ab04cd115e58562f73d8
Merge: 2c7ca0a 9768583
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 11:42:54 2012 -0800

    Merge branch 'systemd-initd-install' of wjh.hardakers.net:/home/hardaker/src/nohats/libreswan into systemd-initd-install

commit 2c7ca0af0724a37c8f86bcb3fbd5587d2e6c7ce8
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 11:42:48 2012 -0800

    move all init based files and install process into the initsystems directory

commit 9768583e9711dfe98e9ff26ac5363784b65a5315
Merge: 7f4c56e f39f5da
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 11:40:11 2012 -0800

    Merge branch 'make-man-pages' into systemd-initd-install

commit f39f5da012ad19195768f4c3c2efffda6b3cf46c
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 11:37:33 2012 -0800

    keep the ipsec.conf.5 man page in the repo for xmlto-less install

commit 29f9b10aa440d86b55f620542fd6e4d4eeb33a2d
Merge: 616a509 c1886aa
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 13:43:33 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 616a5096bf1d310ef2996d7388b5149f6c128d40
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 13:43:14 2012 -0500

    updated changes

commit 15d27b8ad4a2f0d1fb252e608cfeafe6b7121773
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 13:41:48 2012 -0500

    Revert "Always use XFRM_MSG_UPDPOLICY instead of XFRM_MSG_NEWPOLICY. This avoids"
    
    This reverts commit b5fa5eb1033ee3b73f7121a8ba3e593be21f8226.

commit efbf79e862921999d1163a0f69bc65eb1cc177cd
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 8 13:38:15 2012 -0500

    * updated changes

commit c1886aa176d89aaa9b1f588c1f3c85bcae7cf523
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Sat Dec 8 10:22:24 2012 -0800

    document that you need the unbound development environment

commit ae8aafc0786d8ae3076b013b2af6aa83f4fef875
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sat Dec 8 12:06:50 2012 +0100

    Undo all my changes - Bug non reproducible at will

commit f87c7b25e75587728d7f5cedd0b8e8e27c093870
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Fri Dec 7 21:57:30 2012 +0100

    Undo change from PK11CertListCA to PK11CertListAll - Bug was in gcc at -O3

commit 301a3ed46c22bad5d6c704b51848de8ca36f2ebf
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 7 13:37:40 2012 -0500

    * add man page for secretsfile= in config setup

commit 7f4c56e38b60d8998f9d71a57df821013320d39c
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Dec 7 13:12:32 2012 -0500

    * Remove all options in sysconfig.pluto.in that can be set in ipsec.conf

commit 21e0c5093e6008ca84be0496b42c4975c481afe7
Merge: d9cd695 e88f232
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Fri Dec 7 13:54:26 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit d9cd695024280d2acd29a4ae708ee3f0bd404689
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Fri Dec 7 13:53:38 2012 +0100

    Undo the test on %defaultroute - The root cause was _stackmanager not activated by /lib/systemd/system/ipsec.service (wrong syntax)

commit a8aed174a2128ffde9ef820aa522575d1d84ea82
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 21:32:43 2012 -0800

    Use variable replacements for the /var and /etc directories

commit ab120bb7bba4a16cba663d77d7ece4431c3c1436
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 21:31:48 2012 -0800

    make sed replace all instances on a line, not just the first

commit 0e91c57939c84642c2d849cbcc9e40cecd0204cf
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 21:29:01 2012 -0800

    build the sysconfig.pluto files

commit 5bf9f4f518cf68d8d86b1c6c860f10517a6e71e8
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 21:24:47 2012 -0800

    install the systemconfig pluto file

commit 135180565254b65725f0b7940fbaba5c5c1238e3
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 21:24:15 2012 -0800

    fix line-break escapes

commit a7f77643fc0406f69eb1ce4548c972ea2872a818
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 21:20:11 2012 -0800

    break the installation process into multiple targets

commit 78e54d2e31022dd1a60bee376a0d7d9de7275512
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 21:18:34 2012 -0800

    install the sysconfig pluto file if not present
    (and break the installation process into separate rules)

commit ca3bc0ed127536164a8e57de5a7846501319b688
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 20:52:24 2012 -0800

    test to see if the service is enabled and warn if it isn't yet.
    Note: the current init file is 'ipsec.init' and it may be desired to
    name it 'ipsec' instead in the long run?

commit f07164bed0dd411b9a3f3908f86911c9b089b5f7
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 19:18:33 2012 -0800

    check if selinux is enabled and maybe print a big warning
    ie, if the install path is not /usr then policy needs to be updated

commit d2386e12fbd63d507c261d07c5154bbc43e8cc95
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 18:31:20 2012 -0800

    fix the src directory names

commit a203397da264178bcd60330da5f76716094d8f41
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Thu Dec 6 17:45:49 2012 -0800

    remove (or at least warn about) SYSV init style ipsec files

commit e88f2323f13a211260296d51679d94041284b5bb
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 18:41:55 2012 -0500

    * NSS: added 'ipsec import' and moved 'ipsec initnss'
    
    ipsec import is for importing PKCS#12 files into the nss db
    ipsec initnss moved from its own shell script into the "ipsec"
    shell script itself (like "ipsec import")
    
    man page for initnss put into programs/ipsec for lack of better place
    Changed README.nss to remove instruction on how to enable NSS

commit ba58432f10de4b20cf8314e5049017acfc897664
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 18:27:08 2012 -0500

    * testing: fixup X509 certificate generation

commit 543ff94ee6c5bdaa7309e645010104c90d6b0358
Merge: 50f12b4 56397dd
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 17:39:12 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 50f12b48ead3384e245c96be1e95a6b09d901193
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 17:32:37 2012 -0500

    * fixup nat_t_spf/disable port floating
    
    The variable is TRUE for yes, but --disable_port_float is set for FALSE
    
    This was introduced a week ago when disable_port_float=yes|no support
    was added. This caused NAT-T for non-XP clients to fail

commit 56397dd92ea9ff29c9ae6be69e097397dda6962d
Merge: 7de58a9 697d3f2
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 11:17:04 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	CHANGES

commit 7de58a95e91b1c20060ec25c00f0d4cb944a3822
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 11:08:05 2012 -0500

    * updated changes

commit bebdc58d9cbc95530ad2d1dd374b25f39fbfad73
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 11:07:47 2012 -0500

    * Fix compile when NAT_TRAVERSAL=false

commit 24a4ba9dc9b5c1310eafb43e6123ddf6c97bac9c
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 11:05:12 2012 -0500

    * DPD: We did not send DPD VID in aggressive mode with NAT-T disabled

commit 8ea1ad46da5b884ee4c9dacf8ee82c59c4f0da96
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 10:46:49 2012 -0500

    updated changes

commit 7d0182972f247899e4eda224e1f51c77ebea4a8c
Author: Antony Antony <antony at phenome.org>
Date:   Thu Dec 6 10:42:57 2012 -0500

    * spdb_v2_struct.c needs demux.h (shows up when disabling NAT-T)
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 697d3f272765707569560861394639cbca22dc93
Merge: 90a28fd ee59361
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 09:40:34 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 90a28fd34ddf45e1d511330d1c5f0a2346a7db0b
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 09:33:31 2012 -0500

    * addconn: set resolvip to true on init, instead of a few lines lower

commit d0574d638b6f69af1c438127da6f00dc9c5b1adb
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 09:32:19 2012 -0500

    * added some debugging to confread.c

commit ccffe4e4f92ca0dee862cd7242cbcfc559461ce4
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Dec 6 09:31:43 2012 -0500

    updated changes

commit 22f498701b923dc980e1477797cb21dd75d6459a
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Dec 6 09:30:04 2012 -0500

    * DPD: dpdaction=restart can cause full phase1 timeout after DPD
      (rhbz#848132)
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit ee5936186f0b2b9a4e8b4f29a44cb4bcec73241c
Merge: 8e6080d 4c55a98
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Dec 6 14:58:59 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 8e6080d4e630f37e4d9c3e544ebc36399036a760
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Dec 6 14:58:19 2012 +0100

    Changed PK11CertListCA to PK11CertListAll - Bug in NSS library

commit 78b1b19d0bb6a258086882aab4ea091f2694d227
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 5 21:34:17 2012 -0800

    separate packaging (.spec) files from systemd/init files

commit 470651a34384e3e645963409ad52e0983c792121
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 5 21:05:50 2012 -0800

    move the SED replacement definitions into the safer .inc file

commit d2e294ec9f24f2780fd233943c3c7d64ab8be408
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 5 20:53:52 2012 -0800

    use a forced /etc in the likely always-/etc places

commit 7736ea89a2f505b711c029cfdc8ca1b004c42a20
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 5 20:48:43 2012 -0800

    assume ip is always in /sbin

commit 3213273d6250f56bc295db989197bbef7d6a9e29
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 5 20:47:28 2012 -0800

    assume sh is always in /bin

commit 0a733b75acef30f21fbf3532bb732936d6f0e0cf
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 5 20:46:52 2012 -0800

    remove top-level definitions of files to install since they're in subdirs now

commit 5326a9d6cd996cb9d2d762c52979cb643df14cd4
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 5 20:42:29 2012 -0800

    always use raw /etc path for resolv.conf files, per PaulW

commit 28e00628aa50a66d442896a08345c9611a7326c5
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Wed Dec 5 20:30:25 2012 -0800

    set the default man list based on the current program name
    (if there is one)

commit 4c55a9843856289b7cec7cc7d14d2faa67f69d09
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 5 21:10:53 2012 -0500

    * add note to pluto man page

commit cc24a3379587543af1e6c865dfbc47d37a5a5319
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Wed Dec 5 22:25:55 2012 +0100

    In refine_host_connection, test psk != dpsk if initiator - Shrew tests with Preshared key passed

commit 398ae1eaf206f9dabfb21b1658e827c269615f3c
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 5 16:08:25 2012 -0500

    * Remove module goo leftovers from freeswan

commit ef8103fd23431ec4a04f5082112334b005935ce5
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Dec 5 15:36:51 2012 -0500

    * remove buildlin.sh

commit 858f174df229f1bfebae98c3714f3495cf1cb234
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 23:27:18 2012 -0800

    use proper variable expansion for system-specific values

commit 41619e11a01dae8155dead7b97279fad2bec6654
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 23:26:46 2012 -0800

    add some more needed variable expansion rules needed by system files

commit 020e4f5118170395caf8726e160b2aeff6995c25
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 23:12:09 2012 -0800

    link to the new os-type-based directory names

commit 4272381aaeccc948a7a3638bdaaa29dc4911f5e0
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 23:11:44 2012 -0800

    fix shadow-tree building

commit dda661238899696034be13684a415fa442af46f0
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 23:07:01 2012 -0800

    initial work to do builds and installs of system files

commit f5b0898ef2c59aaa54ed566f973095a120bc3376
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 23:05:00 2012 -0800

    Moved the sed definition into the Makefile.top file

commit 82fe823d1dbb11ea8f9c077c7de02271774481f5
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 22:30:37 2012 -0800

    renamed the init and service files to .in files for proper path building

commit f7f8d5081edce9ee2e11a01c1ac8053b618de0bb
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 21:44:59 2012 -0800

    move the lswan_detect.sh file into the utils subdir

commit 007ee62b2c481344142be45a8e5cc3bfae373258
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 21:28:05 2012 -0800

    Add 'man' and 'config' targets so they can be built independently

commit 71ec5c443d1dcffcddf106ed1d86d6e2ccfe7261
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 20:58:51 2012 -0800

    allow other arguments to be passed (e.g. -j5) to the building process

commit 60cead8b100ea7314d336a4104ce2f32da06079c
Author: Wes Hardaker <opensource at hardakers.net>
Date:   Tue Dec 4 20:52:37 2012 -0800

    build man pages and config files during 'make programs' instead of 'install'

commit 5b5b5192f3f0772131c20eb705450079baff36fa
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Wed Dec 5 16:02:59 2012 +0100

    handles %defaultroute

commit 35c8b26a97087279ed2622c8eb898a2eaf4304fb
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Wed Dec 5 13:45:46 2012 +0100

    Missing  in file

commit 425e50a0873c2f1e7fd9cc478d93ea751d8ddac0
Merge: f5245f0 1573989
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Wed Dec 5 13:38:28 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit f5245f0f0a3d5d74a154d4a5cfdd5a1978bf65eb
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Wed Dec 5 13:32:32 2012 +0100

    No longer producing Bad file descriptor on stdout

commit 157398947b8de79d18fef0bd590069328f84f64a
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 18:40:21 2012 -0500

    * systemd: It's ExecStopPost= not PostExecStop=

commit 1ddee8dee7b98846c393e9b81b89084ffe635494
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 15:02:32 2012 -0500

    * empty stub sysconfig.pluto

commit 4a568ec82ea28696aa9918d7ff23eca1b3d73be1
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 14:59:55 2012 -0500

    * generalised ipsec.service file - should get easier for make install

commit 70800c9ee74f56b4920403667f7ee0169dcd58b4
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 13:45:14 2012 -0500

    * move packaging/lswan_detect.sh to packaging/utils/lswan-detect

commit dd1dd8d194ef4c0308370fd5617739a79eeed3f2
Merge: 979fae5 574c211
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 12:43:58 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 574c21175f21b8326a76fd493f522b65195528f4
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 12:27:03 2012 -0500

    * Fix to eclipsed() function introduced in freeswan-2.02
    
    Related changelog entry from freeswan:
    
    	pluto can now have wavesec and OE coexisting.

commit 203fbf84468b48bd822d595f1cb25e37266025e1
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 11:23:47 2012 -0500

    * pluto: no longer warn about reaping the addconn child process

commit 979fae5aacaa0dbbd1c2334ed0b5886806c47db0
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 09:40:03 2012 -0500

    * Don't set XAUTH as policy based on receiving XAUTH VID
    
    As some ipsec clients (eg strongswan) send these vendor id's
    even when they are not planning or allowing XAUTH in the
    connection. Instead, we rely on our loading of the connection
    to set the XAUTH policy on the connection.

commit ed2ac56ce6e71b0c4537dfffaa1e5b1b981826a6
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 09:42:30 2012 -0500

    updated changes

commit c225588ab32093336be30caa4a25961c98a52924
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Dec 4 09:40:03 2012 -0500

    * Don't set XAUTH as policy based on receiving XAUTH VID
    
    As some ipsec clients (eg strongswan) send these vendor id's
    even when they are not planning or allowing XAUTH in the
    connection. Instead, we rely on our loading of the connection
    to set the XAUTH policy on the connection.

commit 3111464867ae74e8ccef4f6f0cc59db0ca88e87d
Merge: 655f0b2 54c516c
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 21:47:53 2012 -0500

    Merge branch 'master' into audit
    
    Conflicts:
    	Makefile.inc
    	programs/pluto/plutomain.c

commit 54c516ca1c6de08c54c2a9864cf3ed619a10fa79
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 21:42:44 2012 -0500

    * _stackmanager: for KLIPS without interfaces=, assume %defaultroute

commit c107c86c67ba3fca7e23533ce9705cf9bbe2426e
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 21:26:17 2012 -0500

    * make logging regarding interfaces consistent.
    
    Added note that we don't need to call use_interface.

commit 84faa82b909f7b568320b8a4ec693b0d1a55bcd6
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 21:25:32 2012 -0500

    * _stackmanager: whitespace fixes, throw errors to stderr

commit 284f9e4bc48a31ac8aa818f31fe70cb218030fef
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 20:15:13 2012 -0500

    * interfaces.h was needed for one function

commit 45338432178e1afe9f47a1438ca4953856792770
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 20:10:58 2012 -0500

    * remove virtif.c related functions - it was not used

commit 3ce0d9a3d171862328bf0a01a6fe449516331673
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 19:39:57 2012 -0500

    * argv for execve() was missing NULL termination, so addconn did not run
    
    This caused the new "helper" to load connections on boot to not run properly,
    and no conns were loaded.

commit 4295d23161687d80839aac1d3da1f77735503b3a
Merge: 26ca0c3 38064d0
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 19:12:04 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 26ca0c3fe933f05e52d4ca30edebb5102bad4a07
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 19:06:21 2012 -0500

    * remove code we never used (/var/run/pluto/dynip/<iface>)

commit 38064d0a10910e0ddf4675d1fe6096b436b32021
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 18:32:48 2012 -0500

    * ignore interfaces= line for NETKEY

commit 9fe0ea0712dae207259f935309f3855393b47416
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 18:17:28 2012 -0500

    * a minus was accidentally introduced in refine_host_connection()
    
    An added minus accidentally added a comma, causing compiling to fail

commit 62013807c57cc5ad52a24dae4647b5f26b3b24af
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 11:14:15 2012 -0500

    * Set POLICY_XAUTH when receiving XAUTHInitPreShared / XAUTHInitRSA

commit 655f0b20fc7492c415e2d5dcf95f149bf128db28
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Dec 3 11:14:15 2012 -0500

    * Set POLICY_XAUTH when receiving XAUTHInitPreShared / XAUTHInitRSA

commit 77bfb4f52ad9afcb5f4789fcaf7e6ffa86bb3f26
Merge: b53d636 8aefa2e
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Dec 2 22:04:59 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 8aefa2ea36f3fa1ce1ad7f91f2bc15297484144d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 2 15:33:19 2012 -0500

    * fix typo in order.txt for ipsec.conf man page generation

commit 0faa950af2d25de3111eb12b65d79d07dc9bcbd2
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Dec 2 15:25:19 2012 -0500

    * updated changes

commit b53d6360b55bcf157cfd9039baed8ace33ddc53a
Merge: adb63a6 9e545e3
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Dec 2 20:08:16 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 9e545e367f4ca7368daf23bbcd3f361490053268
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 1 19:14:50 2012 -0500

    * disable fipscheck and labeled security for now on default build
    
    because debian/ubuntu does not have the fipscheck headers, and
    the labeled security seems to cause some netkey problems.

commit d828ecda974ef4d5d07e5248ac1de9fd83e68f6a
Merge: b421167 d619145
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Dec 1 14:35:27 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit d61914508cbf339a5fe57c376d67279474b0f339
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 18:37:21 2012 -0500

    * fix hunk
    
    Conflicts:
    	programs/pluto/plutomain.c

commit 6ce3b201fb32aab9f94e16e7d7fe8387352e8e55
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 17:35:22 2012 -0500

    * add "FATAL" to error when failing fips mode and aborting

commit 273e611a1ab883940112aabbb6e2b50c5ffc217d
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 17:29:33 2012 -0500

    * Log NSS success via libreswan_log(), not via RC_LOG_SERIOUS
    
    This prevents a spurious message by pluto at startup

commit 6151f47821b0577092842cc8c503e55849da2993
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 18:37:59 2012 -0500

    * Initial Linux audit support and test message

commit df2ccdd849e78116f38e341e3ce90058d054c6ee
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 18:37:21 2012 -0500

    * fix hunk

commit b421167bee7544d7a3930a5a35bf537ae29079f0
Merge: 4b25b74 531b9ec
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 18:33:23 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 701512a3ba98e1503dee705734c2fe23a28b4aea
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 18:10:04 2012 -0500

    * forcebusy.xml > force_busy.xml

commit 4b25b746072681429779908d008e4e823677009d
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 17:42:02 2012 -0500

    * un-nest the fipscheck/nsscheck
    
    I'm not sure why these were nested, as they are unrelated and run
    one after the other.

commit 523aa3ef556939d39f99eef0c59f7d83b3747d6a
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 17:35:22 2012 -0500

    * add "FATAL" to error when failing fips mode and aborting

commit e5c7ed9f43ec23f3ed69ef2df7823fdddeb454b3
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 17:32:34 2012 -0500

    * Display whether fips support is compiled in on startup
    
    Similar to the other USE_XXX options.
    
    Also, display when support is compiled in, but pluto is not running
    in fips mode.

commit 2ad672346ea108d54331b58c3f27ad5b30ae4646
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 17:29:33 2012 -0500

    * Log NSS success via libreswan_log(), not via RC_LOG_SERIOUS
    
    This prevents a spurious message by pluto at startup

commit 531b9ec41cc7d02c28a2f4d70daf37cfa5d5d11a
Merge: cc4b685 c523a99
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 30 17:14:45 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit c523a9989239755d437c01dd2fa280feed59bbef
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri Nov 30 21:45:06 2012 +0200

    addconn: parse %defaultroute to IP address using kernel's netlink

commit 21c84032943b348ffb027091ec5accf7756e941c
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 23:06:47 2012 -0500

    * added some build/testing requirements in INSTALL

commit 09bfed953f9c261d0ae2d2827264a955a81f3f52
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 23:00:12 2012 -0500

    * more occurrences of umlsetup.nl and NJ (netjig)

commit 40cb9b48e81b65fd71261f8f8f41c60bcefe8e04
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 22:56:15 2012 -0500

    * dotest.sh was expecting umlsetup.sh instead of kvmsetup.sh

commit 8294c79a7e3aff42d13a0ab6feaa92d3498336aa
Merge: 96bcb05 f979759
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 22:19:53 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 96bcb05eb8af7cd851cc01096fca27be94d237c2
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 22:19:21 2012 -0500

    * testing: fixup creation of KVMs via install.sh

commit f979759f639054fbc58d3197284a8c42d276ed6b
Merge: c5df821 b69f1fe
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 19:01:55 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	testing/libvirt/install.sh

commit c5df821e01db73c27f4aac0c95ad298335f5fc05
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 19:00:42 2012 -0500

    * Check that we can write to /var/lib/libvirt/qemu/
    
    It's needed for the serial consoles

commit b69f1fef7ca5a165e6b2000a1e9bce91bb5812a4
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 13:28:40 2012 -0500

    * updated kvmsetup.sh.sample

commit a31218c6fabb30d79312ad07e8fcc139f2008763
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 13:08:49 2012 -0500

    * create pool space directory and set +x so qemu-kvm can find disks

commit ad40f24dfbed9f02f1a42dd957b4fd18ed924db9
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 13:03:41 2012 -0500

    * virt-install was fixed to no longer require the disk image to exist

commit 81d38bfc6d45c76d6bffa662a760f9da7ab8231b
Merge: 840bfcf e206dc7
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 12:05:19 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 840bfcfa4a0154b16c0aafacf1c7633a79471ff6
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 12:05:03 2012 -0500

    updated changes

commit 250ea98890ec1b46a1d87c34ef468134714e605a
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 12:03:18 2012 -0500

    * pluto: support for secretsfile= and ipsecdir= in ipsec.conf
    
    Matches pluto's --secrets and --ipsecd options

commit e206dc7f705ceb542485fda0fb6d3f9f89d1c6e3
Author: Kim B. Heino <b at bbbs.net>
Date:   Thu Nov 29 18:12:45 2012 +0200

    addconn: remove trailing whitespace

commit 03f76a270b514ac63c8ebe820c7773e8f3dc25b8
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 11:03:02 2012 -0500

    * updated changes

commit 614b5f3d35c3e6143ad829ca662039eae05e7694
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 29 11:00:41 2012 -0500

    * addconn/pluto: ensure conn names are always treated case sensitive
    
    This was implemented inconsistently, so when defining conn CaMelCase,
    you would end up being able to do "ipsec auto --add camelcase" but
    not "ipsec auto --delete camelcase".
    
    Consensus was that connections should keep their case sensitivity.

commit cc4b6850f1d4eacf173d66cca3ed9c85ecb61177
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 28 18:30:05 2012 -0500

    * document force_busy=no|yes config setup option

commit adb63a6d4ab4a1e411eff9a17f42b5f90abbd693
Merge: c432cd3 5f04b1d
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Wed Nov 28 11:46:47 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 5f04b1deee52a6d853123e3f604997409ad6ab0d
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 23:27:21 2012 -0500

    * remove old comment

commit a00edcc7ddf3c05823d0eab9f3e697c29e9e3559
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 23:27:11 2012 -0500

    * updated changes

commit d64de3f22a930e04f3c9bd68bcffd81479509e2b
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 23:06:39 2012 -0500

    * pluto: added ikeport= and nat_ikeport= options, and --natikeport
    
    There was already an --ikeport option. So ikeport= is the config setup
    equivalent. It changes the pluto_port variable.
    
    For the NAT-T port, the code used a define NAT_T_IKE_FLOAT_PORT throughout
    the code. This has now been rewritten to use a new variable,
    pluto_natt_float_port, similar to pluto_port.  The --natikeport option
    was added to pluto.

commit 4ff953206395807b8dd0fb249a32553fc4a08114
Merge: 8365137 e445618
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 22:54:55 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit e4456182de79995d860101c1e68c0eb326bd56b1
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 22:54:53 2012 -0500

    * man page sections for perpeerlog/perpeerlogdir

commit 8365137400b391ac4ec6faba6c79de426419d3c3
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 22:35:37 2012 -0500

    * don't need a default for KSF_PERPEERDIR

commit a6286e19cbf598f1b9441c4a29d0c6ff07c36bd1
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 20:59:12 2012 -0500

    * update changes

commit 413e72353fcbf0bfd7c431d96e443d98aeb36dc1
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 20:58:11 2012 -0500

    * pluto: added plutofork=yes|no to match pluto --nofork

commit 09faf5c5721bd28be8897a933fdd2917e9060964
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 18:40:26 2012 -0500

    * updated changes

commit 55fe81ba411b6a2a2c28769c66e472a009c67218
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 18:39:29 2012 -0500

    * pluto: added retransmits=yes|no config setup option
    
    This matches up with the pluto --noretransmits option

commit 644f8ff9827a1823fe8deec8443f062f7979e77e
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 18:19:25 2012 -0500

    * ipsec.conf: Added perpeerlog=yes|no and perpeerlogdir= options
    
    Added perpeerlog=no and perpeerlogdir=/var/log/pluto/peer/ options.
    These translate to the --perpeerlog and --perpeerlogdir pluto daemon
    options.
    
    Note that the default location for perpeerlogdir used to be a compile
    time option depending on ${FINALLOGDIR} so this could change the
    default for some people.

commit dd17c836c7ea50a28c0070ba780c47bdf4b69311
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 18:18:45 2012 -0500

    * no longer print the "version 2" via readwriteconf.
    
    We want to silently eat it and phase out its use

commit 0e1c2f71eb0c80d7f577086a88f15d51c517ffc0
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 17:19:07 2012 -0500

    * add comment

commit 6fa230154409efdd9ad5b33dcc4d6f349bf5d25f
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 17:18:36 2012 -0500

    * remove lwdnsq mentions from xml

commit ecdd6cbcf7ca22d9728bb0c677172a839a1c22b3
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 16:34:54 2012 -0500

    * renamed osw to lsw prefix

commit 1534a10899784a3e8375a7b5f7e5f00d4852862b
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 16:31:15 2012 -0500

    * missed testing/liblibreswan -> testing/libswan

commit d10853498cbcfb8a8bf0e56e113d7436bd249536
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 16:03:17 2012 -0500

    * KLIPS: build module in "modobj" instead of "modobj26"
    
    All 2.6 and 3.x versions now build in "modobj/". The 2.4 version now
    builds in "modobj24/".

commit 38d495611cf550f041f385d7969d6f033564d9a8
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 27 15:53:06 2012 -0500

    * rename liblibreswan to libswan
    
    It's too difficult to type, and confusing regarding libres (resolver lib)

commit 4dad80224be1fa1b33ff7a6fda903d854650a575
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 26 15:12:12 2012 -0500

    * testing: removed old uml related scripts, utils and netjig code

commit 5e21968cdf5dbceba171158dc2f19d9250c0ab32
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 26 14:50:33 2012 -0500

    * packaging: Removed freeswan release scripts from packaging/utils/
    
    Also removed some openswan cruft for releasing and cvs handling

commit 862581310bc083e777a4aff5f4520930ff0446c0
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 26 02:28:15 2012 -0500

    * packaging/utils/makerelease: tar no longer needs to be verbose

commit f7bfecf125a7250e4ebe46e88b887f1edccbb5bb
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 26 02:27:35 2012 -0500

    bump to 2.91

commit 46cbfdd54ca07d3e67ff98ce72c25a0e61b0d13c
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 26 02:24:26 2012 -0500

    * check for specific release file, not the release dir

commit 8f5b74cd578e21688a94c6cb2d9e2b810f75bcfe
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 26 02:22:41 2012 -0500

    * added packaging/utils/makerelease

commit 601a32ff2414ae6d9533ea747c3df8af2cb574f3
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 26 02:12:21 2012 -0500

    * add make release target

commit 4bc2e6d4304c87bdeddfb7602d074846d77d9423
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 26 01:25:53 2012 -0500

    * CHANGES: release will be 3.0, not 3.0.0

commit d0b22f134757678874cf428a5fe2516c3470a137
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Nov 25 23:29:43 2012 -0500

    fixup readme

commit 537340a6e53567a31b212cc441d5d6714c709213
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Nov 25 23:28:14 2012 -0500

    * debian: updated debian build
    
    Experimental target: make deb

commit ac083e4fd94b6b7144d4ec159a81ece97f744c52
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Nov 25 22:11:10 2012 -0500

    * added version related make targets for easier packaging
    
    paul at ubuntu:~/libreswan$ make showversion
    2.9rc1-1-gb191401-master
    paul at ubuntu:~/libreswan$ make showversion
    2.9rc1-1-gb191401-master
    paul at ubuntu:~/libreswan$ make showdebversion
    2.9~rc1_1_gb191401_master
    paul at ubuntu:~/libreswan$ make showrpmversion
    2.9rc1
    paul at ubuntu:~/libreswan$ make showrpmrelease
    1-gb191401-master
    
    (I'll leave it to Tuomo to fixup the rpm to use proper -0 release)

commit d76b095bab5063386a651613e96b91e09e4d1d1d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Nov 25 21:56:40 2012 -0500

    * remove some VENDOR remnants

commit 1587ee92e68f7e8723065efdb438ecf6c3978aef
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Nov 25 21:42:08 2012 -0500

    * version: slightly changed version building
    
    The version now shows the branch and tag instead of hardcoding
    to "master" and branch number hardcoded in Makefile.ver
    If there is no .git/ we assume this is a release and we pick the
    version straight from Makefile.ver (which also allows an override
    now using: make IPSECBASEVERSION=2.9 programs)
    
    It now shows this if compiled from git using "make programs"
    
    v2.9-1-gda49099-dirty-master
    
    Meaning the latest tag is "2.9", which was "1" commit ago, we're at
    commit "gda49099" in the branch "master". And we are dirty (as in
    there are uncommitted changes as well)

commit 247fa8f6bb79e00a637d3823a871453f0eaaea30
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Nov 25 21:38:24 2012 -0500

    * testing: include linux/include/ while compiling test stubs

commit dfd3936eb4e472f6c5cc37f4f14f6c471ac5c795
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Nov 25 21:38:06 2012 -0500

    * remove CVS log

commit 6eefb4e10c2fc3f2d72c68a21115001df1b7e99f
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Nov 25 12:08:44 2012 -0500

    * lswan_detect.sh: detect Foobar, lack of oracle support, default output
    
    Apart from errors on stderr, return "unknown" on stdout for 'make' to use

commit dc9a30808c78fdcecc9c6f16b89eeb1300c72cab
Author: Hugh Daniel <hugh at libreswan.org>
Date:   Sun Nov 25 04:31:44 2012 -0800

    This script now works cleanly on five (5) different Linux OS Distributions
    and all the current init styles.  It will do for now.
    
      I should note that I think the name should be changed to something more
    descriptive, and that the data should be returned in a different format, one where
    ONE type of data is returned on each line.  But that is for later, it now works.

commit 8b22019326b05397c86bfd0ec8027899adb0d254
Author: Hugh Daniel <hugh at libreswan.org>
Date:   Sat Nov 24 17:38:51 2012 -0800

    Change from Paul to fix extra output on Debian.

commit 348ca37ab25a797df44b7c5df55ceae04e3f49f3
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 24 19:56:21 2012 -0500

    * lswan_detect.sh: use version argument and add sbin:/usr/sbin to PATH

commit 6d93d52276f156f5221a24b87551fcd6ff63555c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 24 19:52:29 2012 -0500

    * fix upstart check to cover more ubuntu/debian flavours

commit e4b84556105df097baf62178e7a0d72644cee50d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 24 19:52:07 2012 -0500

    Revert "* fix upstart check to cover more ubuntu/debian flavours"
    
    This reverts commit efb158f50c9733b41155e8252dfd67197998d02e.

commit efb158f50c9733b41155e8252dfd67197998d02e
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 24 19:49:18 2012 -0500

    * fix upstart check to cover more ubuntu/debian flavours

commit 0eed1ab7a546125893f96e50fe88bac46ccdb64f
Merge: 7c73661 4d82946
Author: Hugh Daniel <hugh at libreswan.org>
Date:   Sat Nov 24 16:28:06 2012 -0800

     Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan
    
    Conflicts:
    	programs/Makefile

commit 4d82946296c8c905f0e73149dde125d848d3928a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 24 16:54:36 2012 -0500

    * _stackmanager: abort early when not root - reduces slew of errors

commit 0d5b4e216cf5a15e426b60125cf1a97634a7e5a8
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 24 15:59:07 2012 -0500

    * packaging update
    
    packaging/lswan_detect.sh detects the distro and init system used.
    
    Added links for centos/foobar to rhel (they use identical version numbers)
    Added packaging ubuntu/
    
    We detect Arch Linux and OpenSuse but don't do much for those yet.

commit 9a17d8fe004013498f924def6f159b9d9aef7848
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 23 13:16:56 2012 -0500

    * ipsec: added shortcut "ipsec status" to "ipsec auto --status"

commit 3df74fad80b217673dc8520d091ba464303363bf
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 22 01:32:20 2012 -0500

    updated CREDITS

commit 55aadef41ae5f4911bf637ef52e95ae50c7f882b
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 22 01:20:30 2012 -0500

    * update changes

commit d9d6d0ac890d347814ec54909db912b2e6ece9e0
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 22 01:18:54 2012 -0500

    * Added David's comment on KLIPS 20% speed gain on TX

commit 556c5e61adebfbbb9deea26247460b7e46db3b51
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 22 01:15:47 2012 -0500

    updated changes

commit 1f1bc91cee7d82cd12c89c7ec84cff69b6b1c023
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 22 01:15:16 2012 -0500

    * KLIPS: misc. fixes, mostly satot() related
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit aa8f1bca78eeeeb3d73545f84cc8aa558abac09e
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 22 00:53:22 2012 -0500

    * KLIPS: fix panic 'proc_dir_entry 'net/pf_key' already registered
    
    Nov 17 15:27:48 l2tp kernel: ------------[ cut here ]------------
    Nov 17 15:27:48 l2tp kernel: WARNING: at fs/proc/generic.c:590 proc_register+0x129/0x220() (Tainted: G        W  ---------------   )
    Nov 17 15:27:48 l2tp kernel: Hardware name: KVM
    Nov 17 15:27:48 l2tp kernel: proc_dir_entry 'net/pf_key' already
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 161d3f0b79865d86e3b19641953504dc27255676
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 19:51:49 2012 -0500

    * added packaging/rhel/sysconfig.pluto

commit 16f85de0386b556ba653df2b3b84f15f21181b15
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 19:48:24 2012 -0500

    * version: Use =? in Makefile.ver so we can easily override it

commit a7f8949d5449f2f39c6fcf57c1942d218bac62c2
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 19:44:54 2012 -0500

    * Added some debugging in find_raw_ifaces4()

commit a0317677260113e56d11b662812774afede58f07
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 19:29:18 2012 -0500

    * initscripts: use -e not -f to test for pluto.ctl, as it is not a regular file

commit e60d3d5dea7858b5b328120caf0bc38632aea396
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 17:32:06 2012 -0500

    * added subsys handling to initsystems/sysvinit/init.rhel.in
    
    Also use rm -f for the subsys file in case it does not exist anymore

commit 93715fa74f9746a7b693cdbce02c847468000093
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 17:17:26 2012 -0500

    * _plutorun: silence startup to not affect output of sysvinit scripts
    
    It used to echo a startup line, this is now sent via logger to syslog

commit ddc4e91a2a069809e6b5ebb900bde41c38fa37c9
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Wed Nov 21 17:06:29 2012 -0500

    * debian:  Copy SAref patches for Linux 3.2.0 to the module source directory
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 543bad4d77e23e1c277c6ce3f282583115794f7c
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 17:05:13 2012 -0500

    * updated changes

commit e93da68701e879703c0efceef4a264ef169bbba4
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Wed Nov 21 17:03:54 2012 -0500

    * SAREF: kernel patches updated to linux 3.2.0
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 0075466ab64816399147bf3e0c3f0727307f809a
Merge: 6038599 d0f6309
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 16:50:23 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	docs/CHANGES.freeswan.pluto

commit 6038599f56ed414ad23f3641f0ea703497efbc04
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 16:46:21 2012 -0500

    * fix spec file for RHEL(6)
    
    - fipshmac does not yet take the -d option and stores .hmac files elsewhere.
    - Enable copying in /etc/sysconfig/pluto
    - Enable USE_LIBCAP_NG
    - Install new init script from packaging/rhel/ipsec.init
    - Obsolete openswan so libreswan can be installed as an update

commit d0f6309295055d23377be7cb15e21225c82bdda4
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Nov 21 23:42:47 2012 +0200

    docs: convert CHANGES.freeswan.pluto to utf8

commit 378adfe320719c48e17d95171bcaedc4d963f0e8
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 16:23:29 2012 -0500

    * Support subsys in packaging/rhel/ipsec.init

commit 93197324bb9085c56f47989c31d50247a83e3bc0
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 16:22:54 2012 -0500

    * convert CHANGES.freeswan.pluto to utf-8

commit d072d1df107bc8f8b8a79f5dc7f6708446d0bb1b
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 16:00:25 2012 -0500

    * move rhel5/ to rhel/

commit c381a9be1f1a3891a07b889f224a68a9b65dea8e
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 21 15:55:29 2012 -0500

    * added updated init script in packaging/rhel/

commit ebd981745e27372e69616fb9b5e0e27f0eaf1c57
Merge: fff810d 801690b
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 21:50:50 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit fff810d38138c0f47c403b396fc8132c68e50d20
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 21:50:21 2012 -0500

    * added kvmsetup.sh.sample

commit 801690b618ce056cb5efb2c893fe8c9c3eb4f5c9
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 19:04:22 2012 -0500

    updated changes with rhbz number

commit d0586f654b1655a9da01fd17ce0e0dc8a7889899
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 19:03:47 2012 -0500

    * updated changes

commit 233ec8ac709644bcaa5e5054378f34fb171b73bd
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 19:03:20 2012 -0500

    * update leftid.xml man page (though could use more love)
    
    Regenerated ipsec.conf.5

commit 9a2ce7936885775ba0f134f200469f34034429ca
Author: Matt Rogers <mrogers at redhat.com>
Date:   Tue Nov 20 18:50:17 2012 -0500

    * support comma's inside OID's by using ",," to mean "," inside the OID
    
    This is rhbz#868986
    
    This one will allow the escape of a comma inside an OID field by using ',,'
    
    For example, an id that has the OU of "Global, Support, Services" can be specified as:
    
      rightid="C=US, ST=North Carolina, O=Red Hat, OU=Global,, Support,, Services, CN=hostname"
    
    Status will show the correct ID:
    
    <10.13.211.217>[C=US, ST=North Carolina, O=Red Hat, OU=Global, Support, Services, CN=hostname,+S=C];
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 2693c1b6b165ac99227210aeecc5ede53c3d376a
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 15:04:04 2012 -0500

    * fix quotation for /proc/modules in _stackmanager
    
    This caused us to try and unload modules that were not loaded

commit c1cb462c98d7c8cdcd5535072deb3f549c5c357f
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 14:48:10 2012 -0500

    * minor script cleanup
    
    re-introduce IPSEC_INIT_SCRIPT_DEBUG for debugging, be quiet on
    module unload, and don't be quiet on module unload fail. Also check
    for being root when running the ipsec command.

commit 48632095965748656ee028d4d27dc735ed4427d4
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 01:13:46 2012 -0500

    * nss: build was continuously calling pkg-config
    
    Makefile.inc was passing `pkg-config --cflags nss` which would get
    evaluated on each call. Instead, we now set NSSFLAGS using $shell
    and include the returned string instead.

commit d8c80a174a84abd8ebf308c8c238d1eb2f83debf
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 00:25:32 2012 -0500

    * ipsec version: cleanup netkey version
    
    For klips we show a nice clean:
    
    Linux Libreswan 2.9 (klips)
    
    but netkey we showed:
    
    Linux Libreswan U2.9/K3.2.0-29-generic (netkey)
    
    We now no longer show the kernel version for netkey, so it also becomes:
    
    Linux Libreswan 2.9 (netkey)
    
    But we now add the kernel version for both stacks afterwards, eg:
    
    Linux Libreswan 2.9 (netkey) on 3.2.0-29-generic
    Linux Libreswan U2.9/K(no kernel code presently loaded) on 3.2.0-29-generic
    Linux Libreswan 2.9 (klips) on 3.2.0-29-generic
    Linux Libreswan U2.9/K2.95 (klips) on 3.2.0-29-generic

commit 5cab54f58f82e3905d6908ad5e79c3974c2737fb
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 20 00:08:28 2012 -0500

    * setlocalversion: Add branch name to our version for manual compiles
    
    This gives us:
    
    $ ipsec version
    Linux Libreswan Umaster-2.9-1-gdfb22a7-dirty/K3.6.3-3.fc18.x86_64 (netkey)

commit dfb22a78bc3623cf01efc61d7f9265fb0ce22c9e
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 19 23:55:01 2012 -0500

    make version 2.9 for now, until we hit 3.0 as first release

commit 82afcc3eceec6c1090ae39819fafbd57e07cb093
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 19 23:51:30 2012 -0500

    * ipsec: give ipsec command a better help function
    
    ipsec help used to tell you to use --help, now it just calls --help
    
    ipsec help now lists the ipsec commands in two columns if the printf
    command is available.
    
    Tell user about "ipsec command --help" as well.

commit 01abe21974f74feffce1c8720ea895e00735c9eb
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 19 21:27:43 2012 -0500

    * updated README and removed obsoleted docs/RELEASE-NOTES.txt

commit 7c736613d032d03dca62ef8fd938d2e202ed0a0b
Author: Hugh Daniel <hugh at huron.shiphouse.net>
Date:   Sat Nov 17 20:42:02 2012 -0800

    Removed reference to deleted program (_realsetup) and its directory.

commit d8540ed278a57564c8f1a29e299e9461882ee13a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 17:56:02 2012 -0500

    * abort when pluto died sooner

commit e5eb3844b78ff16767a7009f4a430b0f999d4ecc
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 17:53:10 2012 -0500

    * rhel init script: export IPSEC_SBINDIR and PATH to ensure we find /usr/local

commit 2522cb8b23f253bc23047fdcb83cd1e054bbd7b1
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 17:49:32 2012 -0500

    * rhel initscript: Improve handling of killing running pluto

commit 6c6042058b6695837cc115a5f13fe5a5842df3c6
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 17:38:22 2012 -0500

    * setup: no longer call _startklips stop, use _stackmanager stop

commit 0a78748c0c0e9df8ecb2cc1a524e8cdbaef5f37d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 17:32:44 2012 -0500

    * setup: fixup systemd check on non-systemd systems

commit ae04e58d63442c437fbc3b13a1e64623add3e31c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 17:28:45 2012 -0500

    * _stackmanage: modprobe does not like extension, fixup tncfg handling
    
    modprobe wants "ipsec" not "ipsec.ko", so check if @MODPROBE@ got
    configured as modprobe or insmod (the latter does need it)
    
    ipsec tncfg can detach all ipsecX, so no reason to loop. mast0 needs
    a special check to get removed, as it does not appear in /proc/net/ipsec_tncfg

commit 263a1c577919cb41bea4c55fb8fbf3f861dc0306
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 16:50:25 2012 -0500

    * remove some cruft from ipsec cmd

commit b19c6faed1ebae893e83e1bf7973fa40157c254d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 16:50:09 2012 -0500

    fix check for loaded klips module

commit fc09346e30bfc81ce6c6fabee5944939bcc79352
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 16:40:13 2012 -0500

    * _stackmanager: remove bogus target 'start'

commit b58dd5c5b9a5013ea0f709c7ead74c07ac3177e2
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 16:22:02 2012 -0500

    * fix quoting in _stackmanager for stopping klips

commit 176e54efe5e3d38a4f3b41b241db8486482d4870
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 15:39:24 2012 -0500

    * ipsec version: remove distro.txt support that caused a 2 line version

commit d765966849677d2e6946e45b4eede0ce33fd4d1a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 15:31:36 2012 -0500

    * _stackmanager: missing ";;" in restart) case

commit e539c38a8b737571e1412c402c0963c13eafd7fe
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 15:26:05 2012 -0500

    * setup: compare with string, not integer for pid, in case it is ""

commit 6a6e6892b38713ac05aea3b1c801bb4b0e05be60
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 13:56:34 2012 -0500

    * _stackmanager: shell functions are not called with brackets

commit d49ffce010eea4c44d1eaed10ed8070688df90c4
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 13:54:15 2012 -0500

    * addconn: ensure --liststack is not too verbose and only returns stack info

commit 3f343c5a0dcf86763ddd9fcc773881803d4e6ca6
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 17 00:35:29 2012 -0500

    * _stackmanager: replace old calls to _startnetkey/_startklips

commit ef88ae5c32abd6c3dc6ec7ff37df6690e8ac2fe9
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 16 21:00:59 2012 -0500

    updated changes

commit 0a6e93963ff149a5edccfcaf0cb0437ec4d473ef
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 16 21:00:12 2012 -0500

    * _stackmanager: new script replacing _startnetkey/_startklips/_realsetup

commit 81354936e4c358a2686f94766faad9abbbdd74da
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 16 19:11:46 2012 -0500

    * addconn: only display debug info about routing with --verbose

commit 76f64fee78fbe25ae7371efbd3e95539d39a5b5f
Merge: 092d735 6ed125b
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 16 16:58:23 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 092d7352bed48c52181b7f27dc111451fc458a7c
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 16 16:58:03 2012 -0500

    updated changes

commit c0fbb92715a7b67ee7a0aa2f6d372b69e6938518
Author: Roel van Meer <roel.vanmeer at bokxing.nl>
Date:   Fri Nov 16 16:56:42 2012 -0500

    * pluto: incorrect free in scan_proc_shunts()
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 6ed125b0aefe0fee44baf41da3d56560f3813a84
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 16 15:47:52 2012 -0500

    * add commented vendorid from Solaris
    
    Solaris 10 has RFC 3974 but also md5('RFC XXXX') which is 810fa565f8ab14369105d706fbd57279
    (yes, the 'XXXX' are _really_ four times the letter X)

commit b0ffc58137b082c53b99434fc1d1d5ead99a43e9
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 15 22:39:31 2012 -0500

    * Remove _realsetup from the Makefile

commit 87cd553dfd716c2a8115a8ce04f5cbab0d3dc25f
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 14 14:50:07 2012 -0500

    * fixup rhel init script. spin off start of debian specific version

commit 6a92a3a3e90b4ea66b33f0ac99796e83cc580acb
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 14 14:15:07 2012 -0500

    * Move programs/sysvinit (was programs/setup) to initsystems/sysvinit

commit 6bb1e8b88a39e9fcbbb55484ce04d711cb774dbf
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 14 14:03:12 2012 -0500

    * renamed setup/_realsetup
    
    "ipsec setup" is now a wrapper pointing to the right initsystem.
    
    There will be no more ipsec _realsetup

commit c432cd366539be2650e52b5be518247ac477ed46
Merge: e066e7a a38e4bc
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Wed Nov 14 12:20:05 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit a38e4bc5d1d110dd3412947973752ac1d1ec05d7
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 12 20:58:39 2012 -0500

    * _startnetkey: cleanup, added new rng kernel modules

commit 8aaa163afdc4f70808294ba1a085cce911b7de2c
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 12 20:50:12 2012 -0500

    * _plutorun: updated man page

commit af56b52808f21b9e393f2e492d9f68d34acf1495
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 12 16:15:29 2012 -0500

    * rhel5: spec file updated

commit f027c94e8f12dd029bc18fd48c9e3d06ab0c6bb9
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 12 15:41:51 2012 -0500

    * _plutorun: provide a default ipsec.secrets in case it was not specified.
    
    We really need to add a secretsfile= configuration option for config setup

commit 5dba564a5d22a043fa3d28762c8348176a1841ba
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Nov 12 15:12:32 2012 -0500

    * updated _plutorun - re-instated some logic

commit fb7829000c7520cacdd37609ef6fde295ab3cd76
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 9 22:27:59 2012 -0500

    * addconn: grab default route from netkey (not final commit)
    
    This uses "8.8.8.8" to determine default route until I figure out how
    to use 0.0.0.0 without getting 127.0.0.1

commit 0bd93b6fed0464ee85bfcd8cac6226b482f39398
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 9 22:27:39 2012 -0500

    * remove logger pipe

commit d45f5ec08a3d294880d852f3aa870417c5517400
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 9 22:27:08 2012 -0500

    * _confread/ now lives on as configs/

commit c3a81d631801ccc5b0002ac2dcf28772417f3f3c
Merge: 3977aa7 efb23ca
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 9 17:20:11 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 3977aa7844651faf15b2ce7a60e68c624bf4a6aa
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 9 17:17:48 2012 -0500

    updated changes

commit 543c40ca99d00081b33ae2de1eed02eb1db5b726
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 9 17:16:24 2012 -0500

    * auto: no longer pass defaultroute/defaultrouteaddr to addconn
    
    This is obsoleted and no longer needed

commit a26e4677d052257564c890f728a839f7b7bf23b1
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 9 17:15:22 2012 -0500

    * _plutoload: obsoleted

commit efb23cac50f33e67e599c60f26b5503407c3cb1a
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 9 00:36:31 2012 -0500

    * scripting: redid pluto startup and scripting.
    
    This involves _realsetup, setup, _startnetkey and _plutorun.
    The _startklips script still needs to be converted (tomorrow)

commit 123ea4cb36814f16138a3e1c2ad8ab5eeed7b6fa
Merge: c526b74 a276999
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 21:58:17 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a276999df15e8b41fe5440c276a75f07d1e209b6
Merge: 86d8de3 a075826
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 12:34:54 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 86d8de3d5ac8a684839fab5ab28a7053670fe955
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 12:34:39 2012 -0500

    * updated changes

commit cc2697dc984bf020543a1fc5d8648dc506a5087d
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 12:33:41 2012 -0500

    * pluto: if started with --nofork, don't care about existing pid file
    
    Instead, remove it and write a new one.

commit c526b74e382a06c892c900484c3f9b7ca4d85355
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 11:55:59 2012 -0500

    * change version from 0.9.9 to 3.0

commit a07582686ce9632269dd003b6d317cbf44d67999
Merge: 2be0df9 facbc6b
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 11:55:10 2012 -0500

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 2be0df9580f13e4ef96e360ad26145c59c31c149
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 11:53:52 2012 -0500

    * fedora: systemd support in fedora spec file
    
    This uses the new systemd files and startup method.

commit facbc6b5bf41bdd1fcc8dadaecc892e77c168d6c
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 11:52:19 2012 -0500

    * auto: port defaultroute/address detection from _startnetkey to auto
    
    It handles the more complicated scenarios like PPTP with default
    routes into interfaces without "via"

commit a637551c31960ed3ff720cec0c29444b9665f772
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 8 11:33:55 2012 -0500

    * auto: ignore routes without gateway
    
    i.e. I have this one: default dev virbr0  metric 30000

commit 56c2c5f6db3c7cf5c7045cef33b5fd25e2562e7a
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Nov 7 18:32:54 2012 -0500

    * fedora: add sysconfig.pluto and ipsec.service files.

commit 6f13b4338c72951b62f6844dd3f6db299129421e
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 6 23:10:28 2012 -0500

    updated changes

commit 8c16da9d3920390c63c177876ca7958847bd5ac2
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 6 23:01:28 2012 -0500

    * pluto: perform whack --listen and addconn --autoall on startup
    
    pluto's call_server() code now runs the equivalent of whack --listen
    and addconn --autoall on startup. The latter is done using (v)fork()
    and actually calling the "addconn" binary with --autoall option.
    
    - This new child still needs to be reaped (it's now a zombie when done)
    
    - Doing this caused us to see a message that has always been sent to
      /dev/null before (because of pluto's closed stdin/stdout/stderr).
      The error happens when adding connections (file:lineno added with this commit)
    
        starter_log(LOG_LEVEL_ERR, "whack: write() starterwhack.c:124 failed (%d %s), and ignored.\n",
    
      It is harmless (and as said, was already happening but we never saw it)
    
    This now means that pluto on startup loads all connections that
    have auto=add/route/passthrough and starts all connections that have
    auto=start. It also means that the plutoload/plutorun scripts are no
    longer needed, except for the pluto "restart on fail" option.
    
    This requires the pluto --config /etc/ipsec.conf option to work properly.
    
    TODO: pluto needs to have an option to reread its files on
    SIGHUP. Currently, this is ignored. Although pluto can do the equivalent
    of ipsec whack --rereadall, this currently does not include re-calling
    the code that reads --config /etc/ipsec.conf.  This new code will also
    need to store the pluto optarg list because on re-read those will need
    to be processed after parsing the config file - just like on startup.

commit 8a8e054a34e9a187d5af8e312d12825a6b3c842e
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 6 16:38:57 2012 -0500

    * pluto: On startup perform equivalent of ipsec whack --listen
    
    Just before entering the infinite loop in call_server(), run the
    equivalent of the command "ipsec whack --listen". This was previously
    done in _plutoload.

commit e066e7af76cc57a99350f2a6f7a842f8853a0634
Merge: d478061 0a3a280
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Nov 6 10:32:53 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 0a3a2809b72ff1fb4952551cd4077cfaf7d88128
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 6 01:43:49 2012 -0500

    updated CHANGES

commit 8119995976ccfa553035d6d9f0111c324ad7b37c
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 6 01:41:44 2012 -0500

    * pluto: remove protostack=auto and --use-auto, netkey is the new default
    
    This option was always broken because it needed to be communicated
    through scripts and daemons, and caused problems, even when defaulting
    auto to klips.

commit 9b7fbb775cf325f468efdbc9b3b3fca6aea8fabe
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 6 00:43:24 2012 -0500

    updated changes

commit 2ea7241edba7d1dde1f91b3202155c5eed932dc4
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 6 00:42:43 2012 -0500

    updated changes

commit 64a278b669d9c7edc2acdb7a9b19bac941bc496f
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Nov 6 00:40:50 2012 -0500

    * mark some obsolete keywords as such. removed dead manual mode code
    
    Obsoleted keywords are pluto, prepluto, postpluto, plutoopts, plutowait

commit d47806178ce32806ba486cf3d521a23a838c1951
Merge: 22d39e2 69a756b
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Nov 4 22:06:33 2012 +0100

    Merge branch 'master' of ssh://vault.foobar.fi/srv/src/libreswan

commit 22d39e23e5a8f997783583ec6d3259a67917f30c
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Sun Nov 4 22:05:54 2012 +0100

    Philippe Vouters's comments in refinehost_connection following his experience

commit 69a756bd1a1e934feb1bd759045e4e79b4d19ab4
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Nov 3 22:12:39 2012 -0400

    * systemd: put working systemd service file for the pluto daemon.
    
    This is a native systemd service file that depends on the new --config /etc/ipsec.conf
    option that makes pluto read all its parameters from "config setup". This
    obsoletes _plutoload and _plutorun completely.
    
    What still needs to be finished is the replacement script for the kernel module
    preparations - currently somewhat drafted in stackmanage.in

commit 1cf6ccf6ba03477dfc94c55520e5a95f955f5b56
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 2 16:31:18 2012 -0400

    * pluto: don't stop processing after --coredir argument
    
    There was a "break" instead of "continue" statement.

commit 2b62cc38374c75c729b3316b9608a5bcc53309c8
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Nov 2 16:05:44 2012 -0400

    * pluto: only link with unbound when USE_DNSSEC is enabled

commit 4dfb001dc99a42c503a101d38a4dd224d8e94106
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri Nov 2 13:26:44 2012 +0200

    pluto: add --config parameter to read options from config file
    
    If --config is not specified, pluto works as previously using options
    from command line only.
    
    If --config is specified, it should be the first parameter to pluto. It will
    overwrite all previously set options. For example this works as expected:
      pluto --config /etc/ipsec.conf --debug-all

commit 8bf966b404493a26bff9f5c1d9b155ce9848e287
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri Nov 2 12:41:22 2012 +0200

    pluto: link with libipsecconf, unbound

commit a13a9ba5e1d801dcccca37bbb025a6425534f047
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri Nov 2 12:23:43 2012 +0200

    keywords: remove unused KSF_DPDACTION, fix writeconf test

commit 72ec977054ea4233a7ea3413a6d46ecdca121298
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri Nov 2 12:16:38 2012 +0200

    keywords: remove unused KSF_ACCELERATION

commit 548b7775dfbe5ddbb438cfad5ef0b9c05fa6e54d
Author: Kim B. Heino <b at bbbs.net>
Date:   Fri Nov 2 12:16:14 2012 +0200

    keywords: remove trailing whitespaces

commit ed72760215b8a13b13e0759e253d7cc3b3218942
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 1 23:53:48 2012 -0400

    * Updated README.nss to remove unnecessary configuration parameters
    
    these are not required by default and are network topology specific.
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 717065a5e7caa5d9f0f13e06771a75069ca405b8
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 1 23:48:56 2012 -0400

    * isanat_oa_fields was using one 3 octet field instead of 1 plus 2 octets
    
      This is related to rhbz#834400
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 3ae77791c2f5e2df30a23c97fe3f4d1aec9f15e9
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 1 23:37:50 2012 -0400

    * add warning to odd unreachable code segment to fix later

commit d772f0287d7e2bad5e42fd64745ba27b0f34aa07
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 1 23:36:03 2012 -0400

    * partial fix for print_sa_v2_attr()

commit d2b435a5f4641354b992b01e2cf5ccdd8f828c1a
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 1 23:22:28 2012 -0400

    * include nspr.h

commit e047717c0f68b6aab40e845e46990963f4630c51
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 1 23:20:18 2012 -0400

    * crypt_dh.c: int k should be unsigned.
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 4d344046ed6374400016d70949c51bf417f123eb
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 1 23:18:19 2012 -0400

    * connections.c: eclipsed() always returns NULL - needs rewrite/removal
    
    Found by Avesh

commit 0d74f513eb7fdbae60ce3d6e67d4ca373f666ec7
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 1 23:15:34 2012 -0400

    * connections.c: Removed an #ifdef DEBUG that could never be unset

commit b7d2ae27f1475755a7c1904cea1781b425fe351a
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 1 23:09:12 2012 -0400

    * Fix possible leak in secrets parser
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit cf8f0d1f12a21a7a58542a10dec98b2abee18dbf
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 1 23:01:39 2012 -0400

    * pem.c: Fix blob copy handling in password prompting routine
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 7618b01fd683b4b6fcf357f5b5c930ec1ad6bcd6
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 1 22:55:36 2012 -0400

    * confread: Remove redundant check for alsos != NULL
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 1075df0066720565581efe5df0d6bd9fcd06bff6
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 1 22:52:35 2012 -0400

    * Missed two instances of HMAC_BUFSIZE -> hasher->hash_block_size

commit 0cd362eca1e8a5790b7225d219222002551a8314
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 1 22:51:50 2012 -0400

    * Fixup on Avesh's patch for NSS supporting SHA2 384/512

commit 931579172443a1f24092443944a11a11e53e94e0
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Nov 1 16:02:21 2012 -0400

    updated changes

commit 6ef316d8b708a7c2d964ea89b5c54abf4d3f8962
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 1 16:01:37 2012 -0400

    rhbz#609343: pluto crashes when removing logical interface
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit bd38515b514702653ddc8964b4a7659c9de47054
Merge: a4b99eb 7777008
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 31 16:59:06 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a4b99eb0ea1e881d6dd6df4a10087a0a04a7b33e
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 31 16:33:12 2012 -0400

    * addconn: don't print \n for --liststack

commit 77770086591e1509d78cabca526c81d833319360
Author: Kim B. Heino <b at bbbs.net>
Date:   Wed Oct 31 14:42:15 2012 +0200

    pluto: remove unused global_argv/argc variables

commit 0edf641d0228ab5557914c4c1b6f1901110da775
Author: Kim B. Heino <b at bbbs.net>
Date:   Wed Oct 31 14:29:15 2012 +0200

    plutomain: remove trailing whitespaces

commit f8af547a1c28d67666af4a0a32df95cb35a43a82
Author: Kim B. Heino <b at bbbs.net>
Date:   Wed Oct 31 14:28:48 2012 +0200

    pluto/Makefile: remove trailing whitespaces

commit 0bfed4f573ce5d77b991b6fabf5389f28a527ebd
Author: Kim B. Heino <b at bbbs.net>
Date:   Wed Oct 31 14:26:50 2012 +0200

    libipsecconf: remove unused passert_fail() function

commit 3c60a3add2158dc4bfddfb2b44107e04bd6c603d
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 18:25:10 2012 -0400

    * addconn: added --liststack option that only shows protostack= value

commit 96d08f4fb00e6d98cf4e0d5ec5071435b3610144
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 17:49:03 2012 -0400

    * addconn: Added --noexport option that skips printing the "export" keyword

commit 291877272f018784b154df3232dd049b56c87d6c
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 17:02:05 2012 -0400

    * moved programs/pluto/CHANGES to docs/CHANGES.freeswan.pluto

commit e58a8af2b8f14c06292f6f8ba3b899de6dd15747
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 17:01:46 2012 -0400

    updated changes

commit 3e42799e43f0654bc018e6a051021cb33cf2b60c
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 17:00:39 2012 -0400

    * testing: * Remove partial optionsfrom() test functions

commit 49d3906f7323487a48a508d78e525252158b521b
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 16:58:24 2012 -0400

    * Remove optionsfrom() support
    
    This could be used to be able to put "sensitive" options into a temp file,
    then pass it using --optionsfrom /some/filename

commit fa8cd1a8cca4d54c652a52121e0324d70ab36f32
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 14:46:52 2012 -0400

    testing: updated readme

commit 2a5785dfc2e76b2bc85f11eed4b7f50afa747ca3
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 01:07:12 2012 -0400

    * updated changes

commit 6881a0d52dd4bcec59ccffc108b7ceee6466267d
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 30 01:00:15 2012 -0400

    * addconn: mimic _plutoload, cleanup and fixup of functions
    
    addconn is used by _plutoload to load all the connections according
    to their auto= setting. While addconn has an "--addall" option to
    do so, this was not used because it wanted to load the conns in an
    order where first auto=route are all loaded (which could install %holds
    to block leaking traffic) before auto=start connections were loaded,
    which could cause delays.
    
    I changed the --addall option to mimic this behaviour. I also called
    the option --autoall to make it less confusing (it was not doing auto=add)
    
    _plutoload found out which were auto=route and which were auto=start
    by calling addconn --listadd and addconn --listroute. I added --listignore,
    --liststart. addconn used to abort when done with one option, now it
    continues so you can ask for --listadd --listroute to get both.
    
    I also found some undocumented options, which I documented. One of
    these, the --search option seemed completely broken. Nothing in the
    tree actually called addconn with the --search option, so I removed it.
    
    A systemd ipsec.service can now use PostExecaddconn --autoall and
    _plutoload can be removed from the call chain.

commit 23e559b246feb65ebc8c6ea247403afbc8db0a21
Merge: c35f942 61090ee
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 17:44:22 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	testing/libvirt/vm-libvirt.sh

commit c35f942565aae7003ab25b6a87e2377b4cc3f633
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 17:31:08 2012 -0400

    * testing: update of testing/libvirt scripts.

commit 61090eea5f62cf5bd4c070b8e3a5506395b5f2c1
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 14:42:17 2012 -0400

    * bump prerelease version to 3.0.0

commit 7ce8a8d2f07dc06829e99d65f416c62e5b6e67f2
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 14:41:46 2012 -0400

    * testing: group for VM needs to get numerical value of 'qemu'

commit 37ca04bd22c23ff318b2873aef1dcc8bea4d8240
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 12:59:54 2012 -0400

    * testing: Install KVM's to run under uid of user, not qemu
    
    This ensures all writes done by the KVM instances in the source
    tree have the same uid as the owner of the source tree.
    
    It still needs group qemu or else it cannot write to
    /var/lib/libvirt/qemu/vnmname.monitor

commit fdafee8605980debea29e0043a5c2de7acd22bea
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 00:16:26 2012 -0400

    updated changes

commit a83c2eccfb602200c5f8079476064630986766ef
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 00:10:22 2012 -0400

    * remove showpolicy from fipscheck list.

commit 7461272acc366fedabe837d083c7f0784e688dcb
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 00:08:02 2012 -0400

    updated changes

commit 68978220920ed878fc199c41ea71e14b90bf2ed2
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 29 00:07:43 2012 -0400

    * Removed unused libipsecpolicy code

commit 3f824b85e9523b32cca0f871c3872f17516437d0
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 23:58:41 2012 -0400

    * cleanup some Makefile cruft

commit 20f646a7db239b47351c071f7154b2f97ac10eae
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 23:39:52 2012 -0400

    * Remove "examples" target subdir from the Makefile

commit 49e69cd6627cf4d388f66acb8176c95f87b45d1d
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 23:37:34 2012 -0400

    * Remove half-baked "vendor" identifier that never worked
    
    It only caused lots of noise during build

commit c4fc86157fbfcbd3ee93c3149474697f36b7151a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 23:31:39 2012 -0400

    * spec files do not need to deal with examples/* anymore.

commit 5a60eaf0686ad4bf775fb5c1aafe63f468e7684f
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 23:30:33 2012 -0400

    * rename files, they don't need .in processing

commit e6fec880fa6f1c1f49a7f7974d6ff71fed43052c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 23:25:41 2012 -0400

    * rename some files/dirs
    
    programs/examples -> docs/examples
    programs/_confread -> programs/configs

commit bb1f9e9751a96fe95049b4965e78528201012b42
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 23:21:30 2012 -0400

    * regenerate ipsec.conf.5

commit 580392615938de05954e9f15f27a4dd9977b1596
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 15:05:04 2012 -0400

    updated changes

commit 036a9cc251b89f211a404bca91d4238599f4c570
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 15:04:17 2012 -0400

    * pluto: remove pluto=yes|no start option and manualconn remnants

commit e7c0faa291974e16adf53691564189d01708de09
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 14:58:07 2012 -0400

    * Removed obsoleted documentation README.conf.V2

commit 1c5038df49db35f808a52f0d320e218dea214abc
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 14:56:18 2012 -0400

    * pluto: plutowait= option removed
    
    This should be passed to addconn via /etc/sysconfig/addcon or
    /etc/default/addcon

commit a0fc4e9df23946e1bacf34996f1b2d54e58b96f5
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 14:46:34 2012 -0400

    * pluto: phased out prepluto= and postpluto= config setup options [Paul]
    
    Should be done via initscripts, systemd services, PreExec/PostExec, etc.

commit b9b90b963c8856e5ed20fa586357f16b8d3f874c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 14:18:03 2012 -0400

    * pluto: phased out prepluto= and postpluto= config setup options
    
    These options predate sane init systems and should now be performed
    there. On Fedora/RHEL, use a separate systemd prepluto/postpluto
    service file or use a PreExec/PostExec option in the ipsec service.
    
    In general, support for uncommon pluto options should go into the
    files /etc/sysconfig/pluto on Fedora/RHEL and /etc/default/pluto on
    Debian/Ubuntu.

commit 1063947b1777e690312fd9c17ecd78bb3beb2c37
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Oct 28 09:37:50 2012 +0200

    CHANGES formatting fixes

commit d2529ccde70ab12bd1a96628fef618cf840f7a65
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 02:19:08 2012 -0400

    * remove unused version variable

commit d04052e61e269930522f559cac2446ea34045029
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 02:18:17 2012 -0400

    * _startklips: fixup the syslog startup line.
    
    Also simplify detection of mast0/ipsec0 via /sys/ file instead of
    10 line inline awk script.

commit a2036d080a651083acd7ba0ece2b6f3517a3aa70
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 01:37:30 2012 -0400

    * readwriteconf: rootdir/rootdir2 variables could overflow
    
    There was an off by one error due to use of sizeof()

commit 17b4be190796a36fb7f26c74b9a889dc18c2a6bc
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 01:05:54 2012 -0400

    * removed unused pod2man perl hacking in Makefile.manpages

commit cac9c9a5c035105dcb0cf22d62d0795cf9b5c94b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 00:57:03 2012 -0400

    Updated changed

commit 7d7baf7ddb57590ce113cfdcaea1ca28ae778de8
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 00:56:10 2012 -0400

    * mailkey: Removed obsolete command. Was already not built or installed

commit d4d90db4aff745464208bc519cd126f0d887fb2a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 00:54:15 2012 -0400

    * policy: Removed broken 'ipsec policy' [Paul]
    
    It only supported mast, not klips or netkey. And even for mast it
    did not work in transport mode. And it was written in perl. It is
    not an "ipsec eroute" replacement we will ever develop or use.

commit 57af373a28e6efecb6eb108be97ba03b3746f298
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 00:41:47 2012 -0400

    * _include: Removed obsolete _include
    
    Its only left call was in ipsec barf, where it was used to dump
    the ipsec.conf and ipsec.secrets (filtered through a key censor)
    
    We now have readwriteconf that does that using our C parser for
    ipsec.conf (include file aware), so we use that.
    
    For the ipsec.secrets file, we don't have an alternative, as we don't
    currently have a readwritesecretconf type test that's run in "make check"
    like we do for the readwriteconf tests. So for now we use "cat". So
    we will miss the included secrets for now. But this is only a debug tool,
    so not very essential.

commit 512901108a9fc971d85d8414625bbeea64136292
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 00:36:12 2012 -0400

    * readwriteconf: was not being built and installed
    
    Also fixed to link against libunbound when using USE_DNSSEC

commit 0e7ceda3fd561edd3709d6e0bcb915279044983f
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 28 00:26:54 2012 -0400

    * remove cruft from programs/_confread/

commit 39651499350559b1ab5edbc72b81404ea4a1872f
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 23:48:15 2012 -0400

    * remove obsoleted manual keying section

commit 965024c9a928e26096eec99cf9fcd2f6f4fb8688
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 23:40:44 2012 -0400

    * Phased out "ipsec auto" usage in scripts
    
    Scripts now directly call the proper ipsec whack commands. Only
    humans call "ipsec auto".

commit ea732d460f0a39ed167ac12556be6390fbf489c7
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 23:35:53 2012 -0400

    * verify: fix bad ipsec auto usage in comment old perl code

commit 61edc89f2ec97aa5fd20990b72435cc24018ea30
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 23:19:51 2012 -0400

    * updated changes

commit 6a6daec90e1c0470be0f0876c7028e5566819a42
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 23:15:45 2012 -0400

    * scripts: phased out /var/run/pluto/ipsec.info
    
    This information is now obtained in the scripts directly. A lot of
    this usage will probably get phased out when _plutorun/_plutoload will
    be removed. This still needs testing when used with point-to-point
    interfaces.
    
    It seems this information is mostly used for ipsec tncfg to bind
    the physical interface to the virtual interface, and to give
    the default source ip and nexthop to addconn, which will feed this
    into pluto. The new pluto should probably just not care, and pick
    whatever is the default IP and nexthop, but that needs some more
    careful thinking (with DHR)

commit f98f20affa7145c236f363f78f087c4e04be7ac5
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 19:59:12 2012 -0400

    updated changes

commit 3066d1320bf57d2f7075596f618f09e692064ef9
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 19:57:55 2012 -0400

    * showdefaults: removed ipsec showdefaults
    
    showdefaults is simply outputting /var/run/ipsec/ipsec.info,
    which we are phasing out altogether.

commit 7b3406d2b0d94f00207dc9bb5ef6bbba296f1ac4
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 19:07:10 2012 -0400

    * in skeyid_preshared(), buf1 and buf2 were not properly sized
    
    Avesh had properly doubled their size - I had somehow missed that
    in my merge.

commit c85f11a80e17e8e23ed6c4dde1a2b2275c970bf8
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 18:37:47 2012 -0400

    * XAUTH: re-enable xauth_calcbaseauth() for now.
    
    Also, don't hit bad_case() and thus crash when receiving an unknown
    XAUTH TYPE, instead, just return NULL from refine_connection() after
    logging the unsupported case.

commit edb9f79403ee14e466b805db847714eba2f24fbf
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 18:36:48 2012 -0400

    * comment added regarding xauth_calcbaseauth()
    
    I feel this is a candidate to phase out. We should write out the real
    states in the switch case, so we can do appropriate special handling,
    instead of mapping this away.

commit 375afe0a4072f7669a1a937d6a721990809eb653
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 17:58:10 2012 -0400

    * fix building in mock
    
    - hostname was not in the build root
    - we need to exclude the softlink setup from fipshmac calculation

commit 7bc5adce6c18f810beb0f13e6e6158e249d18be5
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 15:37:28 2012 -0400

    * CHANGES: add pointer to docs/CHANGES.openswan

commit 49cf335c5fc533f8caf1df4804603cf249f1873b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 15:35:48 2012 -0400

    * cleanup libreswan.spec
    
    We do not need manual requires for curl or openldap. (we don't even
    need curl, just libcurl, which is found by rpmbuild)

commit 6505ba1bdf9c20d078dde145bcbb3554be862d92
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 27 15:29:14 2012 -0400

    * Updated, re-ordered, rewrite the CHANGES file.

commit c9a459d89d6f5d6263422eefd945aa274688619d
Author: Team Libreswan <info at libreswan.org>
Date:   Sat Oct 27 15:26:52 2012 -0400

    * Added TRADEMARK file placeholder

commit 9a6d93e139b25efce9664e194cdf963cb0ccc30c
Author: Paul Wouters <paul at nohats.ca>
Date:   Fri Oct 26 13:31:18 2012 -0400

    * Always include CAP_AUDIT_CONTROL - we need it for other things too
    
    Specifically, we need to log key agreement and destruction via the
    audit log, see issue #1405

commit 87d900f31ea724c6162f8ad90d98962c5281e801
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Oct 25 21:40:42 2012 +0200

    crlcheckinterval seen as a number - Final fix

commit e5fdcd10413aafa921c8fb61b3276148e065dddf
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Oct 25 17:54:41 2012 +0200

    specify expected syntax for crlcheckinterval

commit d72ac60f8a3d140bf185b99ce2486924b28d7f53
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Oct 25 17:27:53 2012 +0200

    fetch.c ldap (untested) awaiting for a HOW-TO on CRL fetching

commit 4d208f30dbe854bab8864f27dac8862a1ca3402d
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Oct 25 17:25:21 2012 +0200

    fetch.c ldap (untested) awaiting for a HOW-TO on CRL fetching

commit a2e1d817ef234561177e3bf9675b716ea9acdfe6
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Oct 25 12:00:25 2012 +0200

    Added CAP_AUDIT_CONTROL capability to pluto if XAUTH_HAVE_PAM

commit df4eb7d587bb5e62f1faf7f2f1c2ebb3d9ef810f
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Thu Oct 25 07:53:59 2012 +0200

    Correctly dealing with ipsec.secrets

commit 9299a4b457bfff399d5a8855fc49fb4098eb59ac
Merge: 51d5eb4 24354c1
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 22:19:53 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 51d5eb41aab3efed73f5344ccd77f6f1a25c80d7
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 20:17:19 2012 -0400

    * testing: basic-pluto-05 fixup

commit e1ded44882a004fe491eacfea0bdbcf6bb0d95ad
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 20:15:48 2012 -0400

    * testing: fixup basic-pluto-04 (untested)

commit 10e353869c0fc51a3315bb0e84fd56889f8936bb
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 20:12:58 2012 -0400

    * testing: fixup basic-pluto-03 (untested, it uses north and NAT)

commit 8a11ebda9efca24e7add9d66c14f5f46fb64e384
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 20:07:25 2012 -0400

    * testing: fixup of basic-pluto-02 but testcase is broken
    
    It is missing west.conf and east.conf, so we need to look at a
    much older tree to see what happened.

commit 5635206e70bd871b80516caed9adf945c0ad3452
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 20:04:40 2012 -0400

    * testing: fixup of basic-pluto-01

commit 32b1eeacef7b0dc938afa00ffa69d29a6d4dabf3
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 19:55:16 2012 -0400

    * testing: fixup ikev2-* and interop-ikev2-* tests for echo "initdone"

commit 339f2076ed15b73abac1b7bd7312c40307d65249
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 19:51:47 2012 -0400

    * testing: install ipsec-tools package for interop tests

commit a4af8ad4960b28b0c83ead567b3d6a31843b1ef0
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 19:42:52 2012 -0400

    * testing: move wait-until-network-ready from individual tests to *local.sh

commit 2872134b08720eb6327a340bc0fd6afcb6077ba6
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 19:36:46 2012 -0400

    * testing: remove manual calls that got moved to *local.sh

commit bfc98ca2eeef347774da86ecbfd32fd2c23aec70
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 19:33:20 2012 -0400

    * testing: move some often used *init.sh parts into *local.sh
    
    Mostly clear old firewall rules, sysctl.conf calls, ipsec stopping
    when running, and creating the pluto.log softlink.

commit 0c1e43596c39531955bcaf0b9b604b0e9be2122b
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 19:23:24 2012 -0400

    * testing: reset firewall rules and stop pluto if running in *local.sh

commit 3801977685ba8ef730a89287300b3542ca73dbeb
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 19:16:16 2012 -0400

    * testing: In swaninit, if a pluto is running, run ipsec setup stop

commit 183f834cc5e29cffe9c73c60390b93c22e38aaa0
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 18:48:15 2012 -0400

    * testing: Add nat_traversal=yse and proper virtual_private lines for east/west

commit 9eab002adfc916f1397f0171ffd7bd7f54e5be16
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 24 18:27:59 2012 -0400

    * testing: fixup test case ikev2-09-rw-rsa
    
    It used %any on both sides, instead of %defaultroute on one.
    It also used the old rsa keys instead of the nss based ones.

commit 24354c17698d08cc27a4e8ed7d520693c1b53517
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Oct 23 19:14:07 2012 +0200

    documented correct syntax for crlcheckinterval

commit f3620ca7116c22a1d3c97c488e2d053fa9515be1
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Tue Oct 23 16:07:48 2012 +0200

    ipsec auto --listxxxx and ipsec auto --rereadxxx were not working after ocspcerts

commit b36cc0bda8d51adbd7f1dbf3560e5752d8231439
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 23:27:32 2012 -0400

    * testing: Fixup of a bunch of IKEv2 tests to use KVM subsystem
    
    Also introduced pluto/bin/wait-until-network-ready which waits until
    we have a default route.
    
    Not all changed tests are successful yet. 6msg and biddown are
    unexpectedly failing. rw test needs config change. X509 certs have
    not been redone yet.

commit 11f5a439660daf8ba6e925319b3a5cfadfb1c7b2
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 20:03:48 2012 -0400

    * testing: copy ssh keys in guests

commit e683927ea4fd2428b8f6408f929b1cac28bef95d
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 20:02:50 2012 -0400

    * Fix file installed in /etc/profile.d/swanpath.sh
    
    This ensures all swan<tab> commands are in our path

commit 62e6e92ed8e35ee6655adae90e04b127ce32bcf6
Merge: d4b7d05 58c99f0
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 18:56:04 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit d4b7d05ba0d078032c546bafc1b353436de52232
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 18:53:59 2012 -0400

    * testing: Add ssh keys and authorized_keys for testing VMs
    
    This installs the same ssh host key for east, west, north, road, etc.
    Otherwise, developers keep having to edit their knownhosts files on
    re-installing the test VM's
    
    We also install authorized_keys of Antony, Tuomo and Paul so they
    can login to these systems without passwords. These test VMs
    configure themselves on non-routable IP space, so they should never
    be exposed to the world.

commit 699aa9272c3474c1a3c764514ebb043a903ef605
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 18:53:46 2012 -0400

    * testing: compile and install userland and klips in kickstart %post

commit 021a0f46c392e4af9b6942aba72a80441dd199cf
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 18:48:46 2012 -0400

    * change ft_mbz to ft_zig
    
    This was a pending change after talking to both dhr and Avesh.
    
    We now continue and ignore all receiving bits that should be zero
    but are not in in_struct()
    
    In out_struct(), code was already in place to zeroize what we believe
    must be zero for our outgoing packets.
    
    This makes us liberal in what to receive, and strict in what we send.
    It also removes having two different "zeroish" fields of ft_mbz/ft_zig,
    as our payload definitions are used symmetrically, so the distinction
    was a little weird.

commit ab3fb39075a8904484692db5e10902467d6e0317
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 17:39:03 2012 -0400

    * update vendorids with known GSS API vendorids

commit 58c99f05cff139d264c8b1703c7c38c10bdab417
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Mon Oct 22 21:53:38 2012 +0200

    Lacking @ in @[GroupName]

commit c69b26e4ad6d32edf231da960bbf6765febbf45e
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Mon Oct 22 21:53:13 2012 +0200

    Lacking @ in @[GroupName]

commit a1962c7995e56338c378061e389ccff28fd0e6aa
Merge: d586d3b 3f74442
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 10:42:17 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit d586d3b71cca7016ad2181718933cc0fc9351600
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 22 10:41:12 2012 -0400

    * man: Add entry to man page about leftid=[groupname] using ID_KEY_ID
    
    Thanks to Philippe for spotting this.

commit 3f744428faac56db86c310da4349bb12f3878e35
Author: Philippe Vouters <Philippe.Vouters at laposte.net>
Date:   Mon Oct 22 15:30:46 2012 +0200

    Fixes to XAUTH TYPE

commit e65ce1aebf9638cc86a918adad62e1326f526909
Merge: 2333a8b 13c91da
Author: Paul Wouters <paul at nohats.ca>
Date:   Sun Oct 21 18:42:42 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 2333a8bf62d0341ffc9c660db50e17478e02693e
Author: Paul Wouters <paul at nohats.ca>
Date:   Sun Oct 21 18:41:46 2012 -0400

    * testing: gathered data for iOS/OSX racoon "cisco ipsec"

commit 13c91da3451627dedece5bef8c47b56d0e71d45b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 20 18:30:30 2012 -0400

    * testing: use sudo for 'dd' command

commit 5c66818ca8670e4a95ef0e53de95ff81e213c373
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 20 17:15:20 2012 -0400

    * testing: disabled baseconfigs/net.japan.sh
    
    It conflicts with the configuration of 'road' and road is used in
    35 tests and japan in one plutotest (and some co-terminal tests)

commit c799b900e336ab3e8c456e33595be632bec6c304
Author: Paul Wouters <paul at nohats.ca>
Date:   Sat Oct 20 17:04:54 2012 -0400

    * testing: fixup fedora reference in ubuntu.sh

commit dcc607530a77ff5124e3c6d4d8c90a5036b8b590
Author: Paul Wouters <paul at nohats.ca>
Date:   Sat Oct 20 16:55:56 2012 -0400

    * testing: added swan03 network, north and road VM creation

commit fa7f28277f332b48d4ad789f7fdc23876cbeb4f4
Author: Paul Wouters <paul at nohats.ca>
Date:   Sat Oct 20 16:54:29 2012 -0400

    * testing: fedora.sh / ubuntu.sh update
    
    - create the meta disk image using dd, as my virt-manager now aborts
      on not having a file for its --disk argument (instead of creating
      it like it did in the past)
    
    - fixup ubuntu.sh to run on hardware without intel/and VT instructions

commit 63d83df1be1f3f071f724d6d83f4522fd2d9a1df
Author: Antony Antony <appu at phenome.org>
Date:   Fri Oct 19 09:25:25 2012 -0400

    fix a typo in westinit.sh and run testparms.sh from python

commit 68639aa06bcb72ebb062c9598d04cf4721baeecc
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 13 12:08:41 2012 -0400

    update changes

commit 423adde517147be1000fd8cbe7a10aa1547d3151
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 13 12:07:05 2012 -0400

    * aggressive mode: also allow ISAKMP_NEXT_CR ISAKMP_NEXT_CERT as payloads

commit f105367def10cd7bb27b2140ab2a273daae43f6a
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Oct 12 17:15:57 2012 -0400

    updated changes

commit 4376c98dcc1a14708e6816e03e0b83e50bce91dd
Author: Philippe Vouters <philippe.vouters at laposte.net>
Date:   Fri Oct 12 17:14:46 2012 -0400

    * Add support for Mutual RSA + XAuth (implies aggressive mode)
    
        Confirmed interop with Shrew Soft IPsec client.
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 497d6c6e1d4efe2d0cdfc7936d0d277d7224fbea
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Oct 12 00:07:58 2012 -0400

    updated changes

commit bcbdc459485b6cfae8851ed921bfd33016260c9d
Author: Philippe Vouters <philippe.vouters at laposte.net>
Date:   Fri Oct 12 00:03:17 2012 -0400

    * IKEv1: aggressive mode sometimes picked wrong RSA/PSK connection
    
    This caused some connections to never be honored by refine_connection.
    
    Also I corrected some warnings in connections.c.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit f6d238933f62cf09f5b361176555bdb8a34643b9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Oct 10 09:59:14 2012 -0400

    updated changes

commit 6b1af7f4ad51bcc3255c81d168679bba518a0a0e
Author: Philippe Vouters <philippe.vouters at laposte.net>
Date:   Wed Oct 10 09:57:30 2012 -0400

    * bug #993 ipsec showhostkey: wrong kind of key PPK_XAUTH in show_confkey
    
    Skip non-RSA keys when using ipsec showhostkey.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit a287d8806d74675c3f9500274b05d03ff17a4c97
Merge: 495bb0b 355e977
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 9 20:26:18 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	programs/pluto/vendor.c

commit 495bb0bd72ece7b69c3519d4cefd9e147670bd2f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 9 20:24:52 2012 -0400

    * NATT: simply logging of older nat-t draft proposals

commit 355e977556341840a092ee370624e66c679464df
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 9 18:38:24 2012 -0400

    * NAT-T: Fix all broken logging of NAT-T methods / vendor ids
    
    We now always display the method name (which is not the VID name)
    and never a number. It used to try and lookup the vendorid name
    against the vendormethod, and hence it failed to display text.
    
    I changed things to use a proper enum_name. However, due to the LELEM
    use of the method stored in st_nat_traversal, displaying the proper
    method there was rather convoluted. But I refrained from splitting
    st_nat_traversal into two variables (one for current received preferred
    natt vid and one for the natt status detection (us, them or both NATed)

commit e53308b4e439a5712c896b2dbe09d5f5870c33d4
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 9 02:14:51 2012 -0400

    * pluto: SWIND vendorid stands for Sidewinder

commit 610db02be75d276f89469949dce39fdc147e1b33
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 9 02:00:12 2012 -0400

    * pluto: don't change NATT vendor id string
    
    This string is not for human consumption

commit ab387439c57e1c90e0fdd78c88b38ed029aa2b3b
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 9 01:52:23 2012 -0400

    * pluto: add vendorid draft-ietf-ipsec-nat-t-ike-01
    
    Shrew Soft client actually sends this vendorid

commit f2e47254e636dc98333f27960fca672e387bd87a
Merge: 42d5d58 63f442e
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 9 01:44:52 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 42d5d58d48795c214cbe856c6a3a90183b7e2ec6
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 9 01:43:51 2012 -0400

    * pluto: Added logging for more vendor id's (Shrew Soft client, etc)
    
    Added netscreen ones and a few others that were mentioned as comments
    but not in code.

commit 63f442e561ae1d66c3e3a32e2c806258259692ff
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Oct 8 16:07:39 2012 -0400

    updated changes

commit caf8f7925896182d40c69f139901711dfd1916ad
Merge: 1aae75d 545e2c2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Oct 8 16:07:16 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 1aae75d77b8e80dd257264199a449e1a16bb0c29
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Oct 8 16:06:43 2012 -0400

    * OSX: Set __APPLE_USE_RFC_3542 required for udpfromto functionality

commit 545e2c236ffdb356194b70a38107450953ca15fe
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 7 21:47:02 2012 -0400

    * xauth: added some xauth attributes we don't support

commit 0d438f4351ee3bc0e23fd85e8dd289198317c92a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 7 17:30:47 2012 -0400

    * XAUTH: Fix misleading warning message on unknown XAUTH parameters

commit e54000b6f51562a42321004eea8a446ee78c120b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 7 16:52:04 2012 -0400

    * testing: add xauthby=file to all xauth test cases
    
    All existing testcases used password file for authentication. New
    testcases for xauthby=pam using system auth, ldap and ldap via Windows
    are being added.

commit 8ec6be62525935eaf46af5769aaa970d79def198
Merge: ce043b2 d6a9295
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Oct 7 16:42:36 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit d6a9295866add5b688b18736b0f1f2202786f078
Merge: f8fa89c f77bd48
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Oct 7 13:53:58 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit f8fa89c25e9b2605a6c9dcf415ca895a405bf329
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Oct 7 13:52:17 2012 -0400

    * xauth: sync up with Philippe's changes for xauth.c

commit f77bd484ad68f11f46ae1f46a938c121ad0b5837
Author: Antony Antony <appu at phenome.org>
Date:   Sat Oct 6 18:26:41 2012 -0400

    * testing: make scripts executable in ikev2-10-basic-rawrsa-nss

commit ae687758469455e6dfdaf15013f414ee75144e1f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Oct 6 18:24:15 2012 -0400

    * testing: change test #10 to use conn westnet-eastnet-ikev2 as well

commit 50b32efd73dcbcb1bf92764abe14fc1f65a4516d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Oct 6 18:17:27 2012 -0400

    * testing: fix include west-east-base-id-rsa -> west-east-base-id-nss

commit 30ad2249220b309a988ded8a075267c299e48311
Author: Antony Antony <appu at phenome.org>
Date:   Sat Oct 6 17:43:16 2012 -0400

    * testing: Regeneration of west/east NSS raw RSA keys.

commit ce043b2617281d9d819576a0279859cb3e3ad650
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 6 16:07:30 2012 -0400

    * xauth: I missed a line in Philippe's patch

commit f9ab9c55c5501130472c811c80205abb3d58d909
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Oct 6 16:06:26 2012 -0400

    * xauth: Patch by Philippe to move Andrej's xauth check.

commit 8d814c70c6506421b253bdf9393a79fb0c0c073a
Author: Philippe Vouters <philippe.vouters at laposte.net>
Date:   Sat Oct 6 12:32:18 2012 -0400

    * update to make distclean target
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 3e31c1a33b34e1a60403f76d200e657e9653b820
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Oct 6 12:18:49 2012 -0400

    * server.c warning: zero-length gnu_printf format string [-Wformat-zero-length]

commit fab5992efb1bb5f16e440e82bc3b0b2d99f7f458
Author: Philippe Vouters <philippe.vouters at laposte.net>
Date:   Sat Oct 6 12:17:15 2012 -0400

    * DNSSEC: conread.c needs to set empty dnsctx when USE_DNSSEC=false
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 14cfbffe2e74d129c96f4cc451521e05beff42f6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Oct 5 17:32:32 2012 -0400

    * packaging: add pam-devel support using USE_XAUTHPAM
    
    also remove HAVE_THREADS

commit 1451fbf3e6afdc62197da319dcd6e4c53e2a7e47
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Oct 5 15:17:56 2012 -0400

    * threads/pam: sync up to latest version of Philippe Vouters' patch

commit 66f65c6e1257d7b7e8e0f7c676cf663c61df5af5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Oct 4 22:50:10 2012 -0400

    * testing: swaninit was not setting testname properly

commit cf97dbe92d5f09b81988d182d951ca4022608789
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Oct 4 22:48:20 2012 -0400

    * testing: regenerated NSS configs for east and west
    
    We were missing the CKAIDs from ipsec.secrets and the files no longer
    existed. West was generated without SQL, east was generated with SQL

commit 8b4f2310157eb278c1f58b11d478704ff1a293cb
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Oct 4 08:54:45 2012 -0400

    updated changes

commit 31fd41caf5f69f71b640cf19cb768cb758b7d81e
Author: Andrey Alexandrenko <aalexandrenko at telco-tech.de>
Date:   Thu Oct 4 08:53:36 2012 -0400

    * DPD: reduce flood of DPD messages when receiving unexpected seqno
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit cfb827e204fa30cdf613e2d49ff1926aacfb3877
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Oct 3 23:50:40 2012 -0400

    * docs: fixup docs/XAUTH.README

commit d794333a6e1d8ee8a99401dcdc9a88aa991eb18c
Merge: e113d77 77c49de
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 2 20:46:45 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit e113d77f37bd7ef14f475c9f9fe2d748cab07f61
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 2 20:46:12 2012 -0400

    * testing: restore ikev2-10-basic-rawrsa-nss for now.

commit 77c49dec9854fcab2512b5d7d4448ac9a79b3d83
Author: Antony Antony <appu at phenome.org>
Date:   Tue Oct 2 17:25:35 2012 -0400

    splitting boot console and rest ikev2-09-rw-rsa is not good yet

commit 37307c25c3881422ca1574412befc706c5dcfcfc
Author: Antony Antony <appu at phenome.org>
Date:   Tue Oct 2 17:00:08 2012 -0400

    rename runvm.py  to runkvm.py

commit cb1f63a3c8d4fdc7b421aaf6d62e86c990b41d68
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Oct 2 00:24:00 2012 -0400

    * starterwhack: suppress loopback/labeled ipsec message in addconn
    
    Only log it with DEBUG, not INFO

commit 80cc84a31e833a4ec4f5e3cea9b9c2dcb9e9a925
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 1 23:23:50 2012 -0400

    * _plutorun: iIPSEC_CONFDIR check for /etc/ipsec.d/ override was broken
    
    It always passed --ipsecdir /etc/ipsec.d, even when no IPSEC_CONFDDIR
    was passed. Because it always set this option, it would not look for
    ipsec.d within IPSEC_CONFS as prefix. This was causing the test cases
    to fail as the NSS files are in ipsec.d, and it looked in /etc/ipsec.d
    instead of in /tmp/TESTNAME/ipsec.d
    
    (note also the double D in IPSEC_CONFDDIR - a little misleading, but I
    left it unchanged so as not to break other people's setup)

commit 24e99cede87e4996964bc0f685ce005cee3ae594
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 1 21:50:04 2012 -0400

    * testing: added swan-build, swan-install, swan-update
    
    Can be run within the guest to build, install or build+install.
    
    You only need to run swan-update on one VM, then you can just do
    swan-install on all others. It will then recompile and install
    the versions based on the git hostfs mounted in the VMs.
    
    (if you lack a package, dhclient eth3, and umount /etc/resolv.conf,
     then yum install xxxx and reboot)

commit 586870fa279f317123f8ac3906f8ce649b514d97
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 1 21:22:26 2012 -0400

    * testing: Instead of "virsh reset", use "virsh destroy" + "virsh start"
    
    This will also work if the VMs have not been manually started yet.

commit e59b6c6e510365f658c4fd4f6320a3fefb902442
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 1 21:22:05 2012 -0400

    * testing: don't error when directory already exists in mkdir

commit 755ffffa4e8b88374960a3a3d8a5ae8aeef20d00
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 1 21:13:24 2012 -0400

    * testing: remove "27" prefix for output files

commit f544118ae52a6adada77497aee2d0f7223b2ca07
Merge: ea6bb5c c61ae45
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 1 21:08:23 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common

commit ea6bb5c8df9c9197c6daeabd021433da3fcc84d6
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 1 21:07:20 2012 -0400

    * testing: changes to west-east-base-id (split in rsa/psk)

commit c61ae4523157596f97fe37068ff248ccba427aeb
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Oct 1 19:12:04 2012 -0400

    * testing: Updates to ipsec.conf.common - converted IKEv2 tests to NSS

commit 226083ab6c02061f4bb64357822bea943f6139f1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Oct 1 18:54:42 2012 -0400

    * testing: fixup ikev2-09-rw-psk

commit 761c2f38591fb5e1e9e653eaae15244d3c50c7bc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Oct 1 17:56:09 2012 -0400

    * threads: rename remaining HAVE_THREADS_* entries to THREADS_*

commit beb89755fe982797deaef6051d9591e561c8999d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Oct 1 17:48:32 2012 -0400

    * xauth: sync up with Philippe Vouters' xauth changes.

commit f2567073a13e69fc8cef5bd821eb65b71942bec6
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 29 21:22:11 2012 -0400

    * XAUTH//PAM: Change of XAUTH_USEPAM -> XAUTH_HAVE_PAM and threads update
    
    This is the second part of Philippe Vouters' thread/system pam update.
    
    Additionally, I changed XAUTH_USEPAM to XAUTH_HAVE_PAM, as compiling
    support in does not necessarily mean it is used, because we now
    have the xauthby= option that determines if it is used or not.

commit eae378bb5aa043f2f9eeb67519007a8b17ec5d1f
Author: Philippe Vouters <philippe.vouters at laposte.net>
Date:   Fri Sep 28 13:43:35 2012 -0400

    * XAUTH: Add support for xauthby=<file|pam>
    
    It defaults to file using /etc/ipsec.d/passwd.
    Note that file lookups now also use a thread so pluto does not block
    if the file resides on a network storage device.
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit da9e5d566eb5c6cb76f1d5bb7bd6dbf4ce2dff93
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 28 13:42:24 2012 -0400

    * comment out the pam install - it needs to get moved and support DESTDIR

commit 977b3a47a8054546cf96006f0bd07bfa7b3aa86f
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 28 13:40:48 2012 -0400

    * ipsec.conf man page update for xauthby=

commit a93fed22a752dea82ec751c6359797d4e3b02a66
Author: Philippe Vouters <philippe.vouters at laposte.net>
Date:   Fri Sep 28 12:49:08 2012 -0400

    * Add clarifying braces in pack_str()

commit 0f71a2285eb5255b6ac1f11f128f88f6e39066cd
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 28 12:38:27 2012 -0400

    * updated changes

commit ddb7d137606940df0bd6025ff814a926846db9a1
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 28 12:37:04 2012 -0400

    * PAM: Move pam config out of contrib, and install in 'make install'

commit e205e66d1c9b4baa1a4ab026c49eebd7893b9b5a
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 28 12:22:45 2012 -0400

    * updated changes

commit 5669e634d2cc6a817a2c9123283bb1a25311dd2f
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 28 12:18:58 2012 -0400

    * Remove unused OCSP code
    
    We never compiled it in. It was unmaintained and untested. It should
    be done using NSS if we want to re-add support for it.

commit b5b0906576389e8b6d4593590b450e5cf361ba02
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 28 11:49:34 2012 -0400

    * XAUTH/X509 locking issues reworked
    
    There are several problems with the locking code being partially
    bypassed, and the crl fetch function being compiled into an empty
    function. See bugs #1390, #1391, #1392.
    
    This patch changes the HAVE_THREADS define, which was misleading
    because threads are depended upon in all cases for the crypto
    helpers. Instead, it really referred to CRL/LDAP fetching, and
    XAUTHPAM code. So most of the defines got renamed to signify that.
    This exposed some problems with the HAVE_THREADS define not being
    exposed in all factored out libraries in lib/
    
    The check_crls() function now never compiles into an empty stub. The
    function is either defined when CRL fetching is enabled, or it is not
    defined. It also had to be moved for this.
    
    The CRL/LDAP fetching code was refactored into segments and ended up
    residing in programs/pluto/x509*, programs/pluto/fetch.c and
    lib/lib*swan/x509*. However, some of this code used a global
    variable inside programs/pluto/x509.c, so this refactoring never
    worked (and only compiled because the HAVE_THREADS define was lost
    when compiling the moved code into lib/lib*swan/x509*c resulting in
    empty stubs or skipped segments)
    
    Note that HAVE_OCSP is never set (it was removed from Makefile.inc
    a long time ago), so any code using this ifdef is never used. I will
    remove that code (it also should be done using NSS)

commit bf929f56944ffe7c3a7307af4c473d85d2a8afae
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 27 22:15:54 2012 -0400

    * avoid warning: zero-length gnu_printf format string [-Wformat-zero-length]
    
    Added the space back in.

commit 3a04bdfa8a66e5c654253d6908b85fabec59bb0a
Merge: 8b682a3 05ddd45
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Sep 27 18:49:45 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 8b682a35518af0ecd474f45acbf20aeb97edde6d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Sep 27 18:49:04 2012 -0400

    * debug: when do_command() fails, log it instead of silently ignoring it

commit 05ddd45b40a92603066f91eb76ba5a4ef8fe038d
Merge: 5c9d247 fc69590
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 25 22:40:38 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 5c9d2470f201390d337189c4532f879c4aff62d5
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 25 22:39:23 2012 -0400

    * testing: display password in /etc/issue

commit fc695905f87966fd9c83afc2ace22fce870d4bdb
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 25 19:48:59 2012 -0400

    * testing: Allow to run virt-install without hardware vm instructions too

commit 6b0ea7d794e73ad728684dff68659a671e4ff94e
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 25 18:16:10 2012 -0400

    * add ip l2tp to the barf output

commit 1fb99827eda6d464c9ec88c78ff20a30651f0e1c
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Sep 24 11:42:13 2012 -0400

    * labeled ipsec: linking fix
    
    Don't use security_selinux.c when not using HAVE_LABELED_IPSEC

commit 2b9328d5155ac37646b3119fc3979a5aa16d1220
Merge: 725040a 3d54d1e
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Sep 24 10:47:47 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 725040adff9f6081c36d5f6f9ea21d0fb38a319f
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Sep 24 10:45:48 2012 -0400

    * whack: fix handling --sha2_truncbug and --nm_configured options
    
    these options are passed without arguments (adding the argument means
    on, leaving them out means off), but the attempted to strcmp() and
    optarg, which was NULL.
    
    Reported by Andrey Alexandrenko <aalexandrenko at telco-tech.de>

commit 3d54d1e1ae9e7eddab1b2d65a952d04383327035
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 22:33:30 2012 -0400

    * testing: add pam headers to fedora/ubuntu kick start files

commit 8d8d4ad83164e293d83132359cd9b738b0514ef8
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 22:15:57 2012 -0400

    sync up Makefile.inc to use our existing OSDEP

commit efdb481f3ab49708a6cee88c2b25ff60b26a3133
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 21:54:55 2012 -0400

    * Limit XAUTHPAM to systems known to have it (Linux, BSD, Solaris)

commit 8b240e8a12368af6c230b3d907efa56c25211786
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 21:31:52 2012 -0400

    * testing: added route6-eth1 for east and west

commit 0219a094775b40e60412c88eaa47e1211e823304
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 21:22:13 2012 -0400

    * log.c was also using BLANK_FORMAT

commit 49d6bbd0382474807425606ffdee88b26db55ba2
Merge: d0be483 fded525
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 21:09:51 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit d0be483347cd203463ee6db04c3f6a953861c5ad
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 21:09:30 2012 -0400

    * Removed BLANK_FORMAT which was set conditionally based on GCC_LINT
    
    Apparently this was some compiler bug - seems to work now, so removed

commit 06d3ec7b5efb386ed622a8e4e5ebd4ac88abbb01
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 20:53:37 2012 -0400

    * packaging: fix GCC_LINT handling in libreswan.spec

commit ae06d6daf687faa9dff1956da93f58966bd55a97
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 20:17:39 2012 -0400

    * Remove unused argument from find_state_ikev1() / find_state_ikev1_loopback()

commit fa35ac950d6a75065ed5c29988124ec06efb9c00
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 20:11:08 2012 -0400

    * Makefile.inc: enable some features while we're not releasing anyway
    
    This enables some of the features already enabled in fedora/rhel/ubuntu/debian
    builds. (xauthpam, libcap_ng, labeled_ipsec, ldap, threads)
    
    (note: the goal is to phase out threads use for xauthpam)

commit 9c794518bb5d43e31634ecff488d336111ff0ac6
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 19:48:05 2012 -0400

    * OE: next_step was not always defined in error cases
    
    Compiler warned us about next_step possibly being unused. So in
    error cases, where we're aborting, set next_stop = fos_done

commit 3b5a67544a2f5f31045d4d18d03f77061d44e328
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 19:40:00 2012 -0400

    * remove unused connection c in delete_end()

commit 6ef3f81759f288788da5c20bac601a1b3d23fdd0
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 19:38:31 2012 -0400

    * initialise auth_policy to NULL to avoid "may be used uninitialized"

commit 06c2a317f87e05d26487eec5b51df17bb6a144f4
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 19:36:26 2012 -0400

    * remove unused variable num for show_one_sr()

commit 04f9b2400154368a1bd9c8ef21e646fcc6cc1b11
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 23 19:33:19 2012 -0400

    * remove unused parameters for delete_end()

commit fded525e649bfda445bef6d8b7406071c0430106
Merge: 36e87fb c34ad28
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 20 18:29:38 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 36e87fb38a3d82301f40004986c4e41303e8e462
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 20 18:28:53 2012 -0400

    * testing: changed ipsec look to not need to know location of ipsec.conf

commit c34ad28e6f805195c7482b6cbbda4ce082c2d3e1
Author: Antony Antony <appu at phenome.org>
Date:   Thu Sep 20 16:57:42 2012 -0400

    fixing tests
    paul's cleanup to runvm.py

commit e79cccae9744ed5f669131e16bce40c6095b450f
Author: Paul Wouters <paul at nohats.ca>
Date:   Thu Sep 20 16:28:54 2012 -0400

    * testing: fix westnet/eastnet (they were renamed with -ipv4 suffix)

commit abdc41aa04d8a8af06d5773042fb37482b022769
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Sep 20 11:13:27 2012 +0300

    update CHANGES for #1384

commit 62dd271440ccf834f6db596cb61a7ed839031b7a
Author: Bram <bram-bcrafjna-erqzvar at spam.wizbit.be>
Date:   Thu Sep 20 10:56:10 2012 +0300

    Fix for bug#1384: confusing output from ipsec auto --status
    
    This is improved version of commit ce490e408d7f74df8a487cb6059e30d031115bcc
    adding info about vhost or vnet config into status output of template.
    
    * auto: fix --status output for vnet/vhost case
    
    For rightsubnet=vnet/vhost it would display the right= instead
    of "?". Patch by Ani
    
    Signed-off-by: Tuomo Soini <tis at foobar.fi>

commit 259daf746b97eed44a0c9ac7e7a166a8f9e85976
Author: Paul Wouters <paul at nohats.ca>
Date:   Wed Sep 19 23:01:10 2012 -0400

    update changes

commit ce490e408d7f74df8a487cb6059e30d031115bcc
Author: Paul Wouters <paul at nohats.ca>
Date:   Wed Sep 19 22:59:13 2012 -0400

    * auto: fix --status output for vnet/vhost case
    
    For rightsubnet=vnet/vhost it would display the right= instead
    of "?". Patch by Ani

commit e0dc171ef3ce3adb2a3f86df01a9b428bef7b6b3
Author: Antony Antony <appu at phenome.org>
Date:   Wed Sep 19 19:53:45 2012 -0400

    Squashed commit of the following:
    
    commit 7044d0f613c2b1a54ccfb52bf87f98e47be31483
    Author: Antony Antony <appu at phenome.org>
    Date:   Wed Sep 19 19:45:43 2012 -0400
    
        use searchwindowsize in python
    
    commit 940f3d292d01c0efd4737b669634d1ea4c55c566
    Author: Antony Antony <appu at phenome.org>
    Date:   Wed Sep 19 19:20:57 2012 -0400
    
        pexpect match needs new string every time
    
    commit aecd45e3f64a98cff6c3d12310f48afd84e41d11
    Author: Antony Antony <appu at phenome.org>
    Date:   Wed Sep 19 18:46:25 2012 -0400
    
        change ping target
    
    commit 7e43d12b59d8bb88335547718022ee9bad78ca87
    Author: Antony Antony <appu at phenome.org>
    Date:   Wed Sep 19 18:33:39 2012 -0400
    
        fixing runvm
    
    commit 8316ba0762e40a55041917cf825e6a2bf5dde6ad
    Author: Paul Wouters <pwouters at redhat.com>
    Date:   Mon Sep 17 12:12:34 2012 -0400
    
        * testing: always use ipsec.conf.common from /testing
    
        there is no reason to copy this to the VMs in /etc/ipsec.d as it
        only results in stale old copies.

commit 51e991dc0cce29982b81033e47f5ab9d1ff9e386
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Sep 19 16:46:26 2012 -0400

    * testing: add fstab entries for fedora/rhel, fixup kickstart paths

commit eb48edc4faadcf757f16c2149f263be75d82b66e
Merge: 46c5b66 4ad032a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Sep 19 15:50:53 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 46c5b669286dd68c9e58d981e35ea0682a570bd2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Sep 19 15:49:27 2012 -0400

    * testing: explicitly disable rp_filter for eth[0..4]

commit 4ad032a122a3c6a92f1bb0a78baed4495210350f
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Sep 19 17:37:50 2012 +0200

    * testing: Remove VM xml options that libvirt fills in for us.

commit 762e55491e86ee9c8c8688948bf6817c44b3407a
Author: Paul Wouters <paul at nohats.ca>
Date:   Tue Sep 18 16:06:22 2012 -0400

    * testing: scripts inside libvirt still thought they lived in fedora-setup

commit 4452fdbe1ea2629575ef467d3bfcc2662fd6bd7a
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Sep 17 14:14:13 2012 -0400

    * testing: deleted VMs /etc/motd which all contained old bogus data

commit 14b9e8410519e95045ccd0bdd5dafd335ecc5f8e
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Sep 17 14:08:49 2012 -0400

    * testing: updated guestbin/swan-transmogrify
    
    - Support for Debian/Ubuntu guests
    - redhat: iptables cannot be bind mounted, copy files instead
    - redhat: restart iptables/ip6tables service
    - added -d option for debug output
    - made sysctl quiet
    - copy in proper ipsec.d, ipsec.secrets and ipsec.conf in /etc
    - ensure ipsec.conf.common only exists in /testing/
    - fix nss files, they need a fixup of readonly permissions

commit 12b73a560207b0504bdbbc7d72aab4554b841efd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Sep 17 12:12:34 2012 -0400

    * testing: always use ipsec.conf.common from /testing
    
    there is no reason to copy this to the VMs in /etc/ipsec.d as it
    only results in stale old copies.

commit fbdc844101015f9e0ab70c52c8ec87e96425d322
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Sep 17 12:04:33 2012 -0400

    * testing: force /usr/local/sbin in our path.
    
    pathmunge should do it, but often using ssh, sudo or serial, it still
    somehow ends up not in our path.

commit e1457f559b35bf31cbb3957abd239456f3cb8ba9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Sep 16 17:08:49 2012 -0400

    * remove comments about ALG_INFO_F_STRICT, as this option was removed

commit 011a80b52a0c8f72f7a15b805c2d0de0d882dca3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Sep 15 19:24:47 2012 -0400

    * Renamed fedora-setup to libvir

commit 1711ae64949e1adc491a639170c3605cc058ef80
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Sep 15 19:23:25 2012 -0400

    * testing: Added ubuntu as valid guest too
    
    renamed the disks-libvirt.sh to be fedora.sh. And added ubuntu.sh
    
    fixup and rename userfix.sh to usercheck.sh

commit 72ee5143fac35ede555f163e1f3b9c8c4529b699
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Sep 15 19:15:12 2012 -0400

    * testing: Added ubuntu equivalent for testing base vm image

commit a36b4669b4b547fb005780b30844dded76be347a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 15 13:27:58 2012 -0400

    * testing: Use QCOW2 file format for guests, based on single swanbase.img
    
    Create copy-on-write images for all VMs. Saves diskspace, improves caching
    and decreases buffer ram. We can also easily recreate a host (west,east)
    from scratch between tests if we want to.

commit 1d1a29b75bd90681f174317386455fc3951f578f
Merge: 71b2158 e0d0fc2
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 23:07:41 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 71b215869193dc42fb6012dbcae07f5508adb301
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 23:07:09 2012 -0400

    * testing: add version=9p2000.L to /etc/fstab entries inside guest

commit e0d0fc2d63387dec7850ae068b0e5c96ba16a3c1
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 23:04:49 2012 -0400

    * testing: squash access mode for 9p seems better for writing

commit 57564410ceb4082ff994a84b5945f8c9f144ee3a
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 22:52:50 2012 -0400

    * testing: add userfix.sh as reminder that qemu needs write access

commit e8cd7ff7b50cd7f1e24ec3499d96b026ed766c90
Merge: 44ca823 89e68b4
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 18:54:11 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 44ca823224e03c09c17424acff5f0ff91914d868
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 18:53:33 2012 -0400

    * lower mtu on install for my lame ISP's network. swanpath.sh fixup

commit 89e68b421589a82b66d349737aa39de781440520
Author: Antony Antony <appu at phenome.org>
Date:   Fri Sep 14 16:59:21 2012 -0400

    added to TESTLIST ikev2-allow-narrow-08-nss

commit bd971752f92a1e7a36ce5b134756934a764c0d82
Merge: 1925e44 314cd45
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 13:45:15 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 314cd459c3cdcdcf44a8ea2f40371f8a1a6fc241
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 13:44:51 2012 -0400

    * testing list tests in swantest with no arg

commit 1925e4463f8bd83cab88b70b51843580d0f615e3
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 13:41:28 2012 -0400

    * testing: cannot copy from /testing on install - not mounted yet

commit b4af832fe3e8a0cc2f9ef7507bef1ac24be0fdb1
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 13:37:41 2012 -0400

    * testing: /usr/local was missing #!/bin/sh

commit e8c60134846e682a6c150a6dbf77c797bd069bf5
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 13:33:52 2012 -0400

    * testing fixup swan-transmogrify

commit de3e0fa4dcb5336c7a4c67f2ca4a7568cb6f993b
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 13:12:01 2012 -0400

    * testing: updates to installer
    
    create iptables from files not kickstart file
    - remove old systemd attempts to re-network the system
    - added swanpath.sh and testing/guestbin
    - merged the mount-bind into testing/guestbin/swan-transmogrify
      that is called in rc.local.
    - also copies in sysctl.conf files and iptables files

commit a074cc5b306b4cb8bb4f93d32c7fa818a6301631
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 13:11:34 2012 -0400

    * had not committed the umlfedora26.config (for uml system)

commit 79e6fd6fabdd0aa9621d1cd036abb3efb98a19f2
Merge: a551d49 af6b62d
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 12:35:01 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a551d4936bfc1e19fa75e30580b62a8c153a6edf
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 12:32:57 2012 -0400

    * testing: move from systemd to rc.local to reconfigure VMs
    
    The systemd scheme did not get triggered, so instead now use a simple
    rc.local file and then restart the network there. We also do the
    filesystem 9p mounts here, since we cannot yet mount them from /etc/fstab
    on boot, because the system needs to boot further before it can do those.

commit af6b62de58e77b6364ab3c04f52521ca09ef7869
Merge: e4c98a1 4f95c73
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 12:03:30 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 4f95c738850870028b79a5e4849ff38c3062cc58
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 12:02:52 2012 -0400

    * remove the swanbase VM after we are done using it as a base

commit e4c98a1027709f68c62907e730b989ea75ae03eb
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 12:01:52 2012 -0400

    * Move packages that are not available on install to %post
    
    hopefully, it will then use the new installed full repo list.

commit d41f3601ce4b5621f4b6ed8e43186f4585d3c7f2
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 11:46:13 2012 -0400

    * remove debug code

commit 7030dba2b1a56c101558ae5b453f673d2639c080
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 11:44:57 2012 -0400

    * testing: add 9p mount for /source in the guest

commit c3fa797c8321b7af8da0292fc51b6aa26141e5a4
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 11:35:30 2012 -0400

    * testing: fixup /testing mount within the guests
    
    Note that the swan tree has to be world readable for the /testing
    mount to make it. Added that to the README
    
    Do not specify pci ids for the filesystem mount. libvirtd will do
    that for us.
    
    We need both the FEDORA and TESTING dirs.

commit f2ad0c5a8c4fba213412edd7a8070aa9d929304c
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 11:13:30 2012 -0400

    * testing: export testing/ not testing/fedora-setup/ to the guests

commit 4ce5c1d7e3f77cec539007133934d077d19557a9
Merge: 941c808 7a59ba2
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Sep 14 17:24:23 2012 +0300

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 941c808744ec5c05fb0f60116116174360d26c38
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Sep 14 17:23:46 2012 +0300

    updated CHANGES for #1381

commit 01cdf87538dec40556b0d8e3d154f831eebe6969
Author: Bram <bram-bcrafjna-erqzvar at spam.wizbit.be>
Date:   Fri Sep 14 17:11:46 2012 +0300

    XAuth: the variable PLUTO_XAUTH_USERNAME is empty in the updown script.
    Looking at programs/pluto/state.c : duplicate_state shows that the
    'st_xauth_username' is not copied from 'st' to 'nst'.
    If the value is copied then it is correctly set in the
    'PLUTO_XAUTH_USERNAME' variable in the updown script.
    
    Signed-off-by: Tuomo Soini <tis at foobar.fi>

commit 7a59ba23511a743185baf0c8ad7c5eb798bae033
Merge: 78c1827 f6b803e
Author: build <build at east>
Date:   Fri Sep 14 10:16:13 2012 -0400

    Merge branch 'master' of ssh://vault.foobar.fi//srv/src/libreswan

commit 78c1827009a255b69eaaa4e011cbea23b71be257
Author: build <build at east>
Date:   Fri Sep 14 10:15:07 2012 -0400

    ikev2-allow-narrow-04 with nss rsa2

commit f6b803e200e09a20533a6d0c24a147eaac904247
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 10:00:56 2012 -0400

    * testing: add alias of westnet-eastnet for westnet-eastnet-ipv4
    
    Since most testcases specify westnet-eastnet, this is easier than
    changing them all (and it will preserve known good output)

commit fca89e81b53865681656dd1166c057cec05da447
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 09:53:57 2012 -0400

    * testing: added westnet-eastnet-ipv4-rsa2

commit 8b7b562f1dd15bd5dfcc678a68c9017d433fb61c
Merge: a5fede2 9d2310a
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 09:43:01 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a5fede2cb855fbe92a7f5a13831e4653646d55b0
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri Sep 14 09:34:52 2012 -0400

    * testing: Add LOGDROP iptables/ip6tables target on all machines
    
    This also "starts" the iptables/ip6tables services, which just
    loads the firewall rules - that only contain creating the LOGDROP
    table. The post kickstart install adds these files and enables
    the services.

commit 9d2310a6b576987d972271de59e1ed052067bf3d
Merge: 3912dbe 23b1874
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 21:07:39 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 3912dbe87e6ffb00c3b5ea407d5c5456569c64a1
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 21:06:35 2012 -0400

    * testing: make fedora-setup scripts and /testing mount path independent

commit 23b1874d0cbf49adb881bbcd25e3b6acb2607e3f
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 19:49:00 2012 -0400

    * testing: Added NSS keys for east and west
    
    On west we ran "ipsec nssinit". On east we run it manually and
    added the sql: prefix. We added conn westnet-eastnet-ipv4-rsa2
    that is identical to westnet-eastnet-ipv4 except we added the
    raw rsa key from NSS as right/leftrsasigkey2=

commit bb5fb7a759b25bf5d2d475582511ca10632606da
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 18:32:38 2012 -0400

    * FIPS: add "ipsec initnss" to the fips list of modules to check

commit 771bf35c86babefc4a1634981036dfc6eddb32c7
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 18:15:56 2012 -0400

    * use define, not create to get persistent VMs

commit 52d316f0cc2b751cbdd126b1dbcebb9d70fa5912
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 18:13:03 2012 -0400

    fix typo in kickstart file

commit 812fb795f494ca6f41fa3e8d871d703a9a798353
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 18:09:30 2012 -0400

    * testing: added nss-leftrsasigkey2-01
    
    Test for using leftrsasigkey2/rightrsasigkey2 to help us with migrating
    non-NSS systems to NSS systems,
    
    Note: currently the second key is not filled in properly yet.

commit f71e5f2e56cadfe7a6b115f070628c637cc90116
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 18:00:34 2012 -0400

    * testing: Fix /testing/pluto/bin/wait-until-pluto-started calls
    
    They were often copied from bad use cases. The idea is that
    ipsec setup start does not wait until pluto listens on network
    and control socket, so the next command when issued too fast would
    fail. The wait loop tries to hit ipsec whack --listen until it
    succeeds. (I have to assume the network listen starts after the
    control socket listen)

commit 49d12deef02a5ae86d9ef0d6aa5245cbacd7be4f
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 13 16:25:39 2012 -0400

    * testing: fix waiting-for-pluto in ikev2-05 test case

commit ec3f5533f9f378e57e6f234ca2a8bc86a1928636
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Sep 12 20:44:35 2012 -0400

    * move 9p module to the /etc/modules-load.d and add entry for virtio-rng

commit 2c7df472cc3949324421777c762e9312608d373c
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Sep 12 15:32:03 2012 -0400

    * testing create /etc/modprobe.d/9p.conf in %post kickstart install
    
    This is so we load the 9pnet_virtio kernel module so we can mount
    /testing as "hostfs" on boot before the network is started to
    overlay the east,west,etc networking files using a single install image.

commit 3b134847551db810c44993fa2e731faf4378db58
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Sep 12 14:40:29 2012 -0400

    * testing: fix routing parameters for rhel/fedora style configs

commit 629f77773a6a6a7d39e750c389a63290a43fb759
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 11 22:27:21 2012 -0400

    * testing: update kickstart to ensure NetworkManager is not installed
    
    And install the buildrequires in case we want to manually compile

commit 9714918371fa715ed172ed107956d415c3b3ac1d
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 11 10:32:04 2012 -0400

    updated changes, some re-ordering

commit f58b4a322c54062994bd7bb0417553380f0d2f91
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 11 10:22:12 2012 -0400

    * updown: Delete the source ip address on down only for Cisco peer
    
    We know we obtained (and need to lose) an IP when connecting using
    a Cisco peer. There are other cases where an obtained sourceip should
    not be removed (eg when moving from LAN to Wifi, using a setup where
    you get the same sourceip, a case that Tuomo has)
    
    This should cover most cases. I confirmed it works using the Red Hat
    VPN.

commit dffe6c6b4d7782b90e9693614ab7768b162c842c
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Sun Sep 2 16:12:59 2012 -0700

    * updown fixes to remove obtained IP from interface on auto --down
    
    Paul: This is probably not correct for Tuomo's use-case and needs
    fixing.

commit f5978de19e4b721fb8d8a8ad9c8bd48d0c73eb64
Author: Paul Wouters <paul at nohats.ca>
Date:   Mon Sep 10 23:15:58 2012 -0400

    * testing: fix swan-bindmount.service
    
    was using old osw-prefixed name, and one python indent was wrong,
    causing it to not attempt ifcfg-ethX mounts.

commit 226feb7aa6eef38a1e2f2b05456aee8891a9e292
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 23:36:54 2012 -0400

    * missed a sudo for the network autostart

commit 906e7c4f6c674968cbf9a71acddf61b437c8248c
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 23:33:06 2012 -0400

    * testing: use proper network names with virsh

commit 6f1e55d8712889e0b68baeca1cd15984dd20a269
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 22:33:45 2012 -0400

    * swan -> swanbase

commit 6e1d1a8fca15f7fe17e8ca430360ac1ac230536e
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 22:30:54 2012 -0400

    * testing: more updates to the vm/net/disk libvirt creation scripts

commit 229cd97d75245334e7a54bb7e7f7cf87486f8f47
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 21:46:20 2012 -0400

    * testing: qemu-kvm scripting updates
    
    - bind mount our host network config based on known eth0 mac address
    - use swan- prefix, not osw- prefix
    - update kickstart script to make use of qemu-kvm filesystem mount
      as hostfs replacement
    - activate the systemd swan-bindmount.service in kickstart %post

commit 0faf146265a99348ec54290ac227a831c0f77a43
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 14:31:10 2012 -0400

    * testing:  Added east and west xml files for libvirt

commit cfb2a15e8addcac01658e7dead25f7f73d4d9699
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 14:29:14 2012 -0400

    * testing: add note in README on nic types

commit 686dc159a9e36658432289b072d698d8822e2e3a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 14:28:49 2012 -0400

    * testing: enable the network service in kickstart's %post

commit d2e396afa67a83e547144056b10a4ce18664f855
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 13:48:12 2012 -0400

    * testing: change from transient to persistent networking in libvirt
    
    I had not realised virsh net-create only creates a "temporary" network.
    We have to use net-define to make it permanent. The xml files don't
    define whether to start it now or on boot, so we have to issue virsh
    commands for that as well.
    
    Also added the 192.9.2.0/24 and 192.9.4.0/24 networks (eth2 on the umls)

commit 147f4c6f948598aec2923eb092980099e65157f7
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Sep 9 00:59:48 2012 -0400

    * testing: updates to generating scripts

commit fe8562f7b1051289c15b6c7a6e57aadc1ae7f8a6
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 8 14:27:16 2012 -0400

    * fix merge conflict in umlsetup.sh

commit 7152a084a8c8220f933eda275dbf58e70b14ec26
Merge: b4c5f03 aa1127c
Author: Antony Antony <appu at phenome.org>
Date:   Sat Sep 8 20:11:08 2012 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan
    
    Conflicts:
    	testing/utils/umlsetup-sample.sh

commit aa1127c8a40947f6830d54a057b4ae116019484a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 8 13:38:34 2012 -0400

    * remove dnssec/ subdir from testing Makefile

commit bb12b1b7bb8f22c4e5c3cd4526ddc3166fa2614e
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 8 13:16:44 2012 -0400

    * Removed obsolete prototype test case
    
    Test code was unused, depended on removed lwresqd code and
    depended on sandelman.ca live zone not run by the project.
    
    It also depends on the unused prototype for USE_IPSECPOLICY
    which was the (abandoned) method for querying pluto about its
    dnssec knowledge (used with the ancient "wavesec" prototype

commit 84519ad9f2a8ac58a9638a5e97663f78e96bae38
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 8 13:13:59 2012 -0400

    * removed dead code that got moved into unbound.c

commit 80129f18dd970a7920821b5e1bde2afbd08d607b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 8 13:10:03 2012 -0400

    * Avoid dns(sec) lookups for numerical sourceip= values

commit 1ebad95049810d17b0df97bc61f2518fbb3ede04
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 8 12:54:41 2012 -0400

    * DNSSEC: only build unbound.c when USE_DNSSEC=true

commit bee4e4a9fd05384d7376e5fd6d00a1eb334250ea
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 8 12:54:03 2012 -0400

    * dnssec: fix variable name when USE_DNSSEC=false

commit 365e55ddb9ab11a7417d68d452899d3f3527d6af
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 23:44:53 2012 -0400

    update stock umlsetup-sample.sh to use "KERNVER26" and not SAref or uml patches

commit b4f9f612ca365ca352a831a8c42a4982f3ed2475
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 23:44:09 2012 -0400

    * added a fedora26 kernel target.

commit c6bad1f8af2eb1c3a029fad434e089f8bca230d7
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 23:42:55 2012 -0400

    * update testing/kernelconfigs
    
    Enable ext4 inline. Move some unused files out of the way,
    and rename the unversioned ones to "24" as they were for older 2.4 kernels

commit 5e4ae346e8f6f83fe9f0b39bb59283efdcc3ad60
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 23:41:37 2012 -0400

    updates to testing/fedora-setup
    
    Don't use lvm in guest, so we can more easily get to partitions.
    Give it a little more ram so it does not need swap, but give it
    a swap partition anyway. Don't wget the systemd file but create it
    inline.

commit 16d70f65cbbf514d15da7cdb5877cb4da0a06886
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 23:39:18 2012 -0400

    Defining INSTMANFLAGS= caused make install problems

commit 414a44c351221242056e7101e4d84365ab1f0410
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 23:38:46 2012 -0400

    * testing: alias kernelpatch3.5 to kernelpatch2.6 and disable SAref patch

commit 54a845d4e11f3cf0345cdedc6566f1d3b41f971a
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 23:18:37 2012 -0400

    * testing: remove baseconfig/testing/bin/rs
    
    The "rs" script was to "restart" ipsec within the uml when it has
    been recompiled on the host. This saves a reboot of the uml, but
    it is uml specific (and caused problems on fedora's rootfs where
    the bin/sbin directories are 555, not 755)
    
    Only old master probably knew and used this shell script.

commit 06b256f19401119226125e2303a72ad0c20b1322
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 16:44:22 2012 -0400

    * NSS: Add nss-softokn as dependency - needed for certutil
    
    And certutil is needed to initialise the nss database before pluto
    can start.

commit e985bac9da5d0092ce68416960fd1950be52f2ef
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 15:31:03 2012 -0400

    * WIP: testing   split off disk image and network creation
    
    You can now choose to directly configure tap/bridge devices using
    the network-manual.sh script, or to use libvirt using network-libvirt.sh
    The latter is persistent over reboots but requires libvirt to manage it.

commit 61eefc46e73ffd9723e25e8bcaf4d2d071f275c7
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Sep 6 01:26:26 2012 -0400

    * WIP: testing  various changes to the new image generator

commit b4c5f03f75123e3a8316418b68d445f36f6f8757
Author: Antony Antony <appu at phenome.org>
Date:   Wed Sep 5 07:07:53 2012 +0200

    update  umlsetup-sample.sh

commit c04f5b6aabb76702027cb1a6a05030ac31b3ba53
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Sep 5 00:31:16 2012 -0400

    * packaging: updated spec file and merged in changes by Avesh
    
    This includes support for fipsmode, dnssec, libcap-ng, networkmanager,
    crl fetching and leaves in our efence/development/klips options

commit 4017c450e49a1564ec48f10eaf85f2263c23c4e4
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Sep 5 00:30:24 2012 -0400

    * Version: set Makefile.ver to use 0.9.9, not 1.0 as base

commit b7b99ee71732702a1e794abb941a9d51c4fcde9a
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Sep 5 00:29:52 2012 -0400

    * install man pages using INSTMANFLAGS="-m 644"
    
    This avoids hacking in the spec file to remove x bits from man pages

commit b0f23db85f0a4dd48fa6f29e425de15afac43050
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Sep 5 00:16:50 2012 -0400

    * Updated FSF address on the GPLv2 COPYING file

commit dbb42c290ece8739e598babe367006da1bef87bb
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 23:47:46 2012 -0400

    * Removed some obsoleted files in docs/

commit 44e1d01728daa6f36a55c68ca3f1971523d7f7f4
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 23:03:48 2012 -0400

    updated changes

commit 655477747c78ff28b82f3b2941de12800726f97c
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 23:03:33 2012 -0400

    * verify: warn users to start ipsec service before running verify

commit bcb20207fdb5d3cd109f6b3e9ca719fd9d11aeb3
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 20:53:52 2012 -0400

    * verify: ported ipsec verify from perl to python
    
    The reason for this is that the minimum install these days comes
    with python, but not with perl, and automatic dependency detection
    scripts found this perl script and added perl as a requirement.

commit 3eb06340f1fa97f13fff0a00a822b01c2175a91c
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 19:35:34 2012 -0400

    * Deleted a softlink pointing to some out of tree file :)
    
    (The actual file is located in ./testing/utils/umlsetup-sample.sh)

commit ecb2d3627c64a98b8cf9ae9fa1fd1687362c57bf
Author: Antony Antony <appu at phenome.org>
Date:   Wed Sep 5 00:31:27 2012 +0200

    let's keep umlsetup.sh in git

commit 3472fb585c7f9f612994f56f08bf576094e8d1a5
Merge: 2380657 cfa138a
Author: Antony Antony <appu at phenome.org>
Date:   Wed Sep 5 00:19:14 2012 +0200

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 2380657af3faa5321aee6052bd39cef8ee4ed7ff
Author: Antony Antony <appu at phenome.org>
Date:   Wed Sep 5 00:18:26 2012 +0200

    creating ubuntu 12.04 based UML host and instances(east, west.sunset..)

commit cfa138a1d13fe88b1ed2ee8570d7ae2846b1ddd2
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 17:56:48 2012 -0400

    * NSS: include <prerror.h> without prefix
    
    Since debian/ubuntu and fedora/rhel use a different prefix

commit c187e735e4dbf8001d47e7f11d0acf32688916c7
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 17:41:06 2012 -0400

    * NSS: use pkg-config --cflags nss to find the header files
    
    Debian uses /usr/include/nss and /usr/include/nspr unlike Fedora
    and RHEL that use /usr/include/nss3 and /usr/include/nspr4
    
    Added Buildrequire: pkg-config to packaging/*spec

commit 8905ba4877538baed04babd80fc95f223d4c5770
Merge: a403c73 d6c6e4f
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 17:16:13 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit a403c7361a490bf0010b8fc7d547012508a89301
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 17:15:01 2012 -0400

    * testing: again renamed the ifcfg files containing a :
    
    It confuses the Makefiles

commit d6c6e4f15e060d368ca0e96a04a9751f513b8048
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Sep 4 13:16:31 2012 -0400

    * WIP testing: Added scripts for network reconfiguration based on test host
    
    during kickstart %post, we add the osw-bindmount.service for systemd. This
    file is created inline from the kickstart file, as we do not yet have the
    /testing directory mounted while we are installing.
    
    Once the VM boots, it is passed a umid=hostname kernel option, which this
    service uses to bind-mount /etc/sysconfig/network* before the network service
    is started.
    
    This allows us to use one disk image for all VMs we fire up. We use a disk
    image because it is created on the fly with virt-create, and not all VM
    technologies can do hostfs like uml can. (containers/namespaces can, but
    those do not support cgroups/namespaces for XFRM/NETKEY)

commit ddf16b26f7fd6dfd10d233e5c0000bea663a897a
Merge: 35b187c d415cee
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Sep 3 22:31:37 2012 -0700

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 35b187c11a82588bececa1b8367cde40033ae773
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Sep 3 22:30:57 2012 -0700

    * WIP: started port of "ipsec verify" from perl to python

commit d415cee7cb1bfa826518176aeedcdfd7bb693215
Merge: 9317853 b15d594
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Sep 3 19:37:50 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit b15d594875fcdb2f77362bcd77583c5093b5a8b9
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Sep 1 15:54:27 2012 -0700

    * WIP: testing: Added loopback/selinux test cases
    
    These are based on Avesh's tests
    
    - Add CONFIG_SELINUX* to the umlnetkey26.config
    - Added testing/pluto/loopback-pluto-*
    
    This requires USE_LABELED_IPSEC?=true (currently not the default)

commit 13a7438624902aeb5981633153537bc6ed9e6afa
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Aug 26 23:03:39 2012 -0400

    updated changes

commit f46940a9590f58d6af456ed3f238ee4610ae17f9
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Aug 26 22:58:46 2012 -0400

    * IKEv2 pullup from ikev2-narrowing branch
    
    - Add IKEv2 road warrior support
    - Extend IKEv2 narrowing code to include protocols
    - Add instantiation for road warriors and narrowing connections

commit 5f17c9387638a9dbc00fbdba79cc788e9c743c8a
Author: Paul Wouters <paul at nohats.ca>
Date:   Fri Aug 24 20:00:06 2012 -0400

    updated changes

commit 3d2f144bd4d9dd503ebc948f77288f1ae080b564
Author: Paul Wouters <paul at nohats.ca>
Date:   Fri Aug 24 19:59:08 2012 -0400

    * testing: unset CONFIG_UML_NET_VDE

commit 3568d355f19b399fbcc756e55a7d50973746548c
Author: Paul Wouters <paul at nohats.ca>
Date:   Fri Aug 24 19:58:40 2012 -0400

    * added "ipsec initnss" command
    
    This is to make it easier to also call ipsec newhostkey, which
    requires an existing NSS database now that NSS is mandatory.

commit 9317853256af008dc4bb10aa18b9196c75d8be6e
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Aug 23 18:58:08 2012 -0400

    * testing: Added four new testcases for IKEv2
    
    ikev2-09-rw-psk
    ikev2-allow-narrow-05
    ikev2-allow-narrow-06
    ikev2-allow-narrow-07

commit df4fac2e9e44709cb84d75d11fce7b4cde19fdc1
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Aug 23 18:55:49 2012 -0400

    * testing: fixups of some testcases

commit af711f9d58f430aa8502c6984c186cea186a3efd
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Aug 23 01:33:41 2012 -0400

    * testing: Added testing/fedora-setup [WIP]
    
    This contains some scripts dealing with setting up the network
    using proper bridges, installing a fresh f17 as base image, and
    then use COW to create the images we need (east, west, etc)

commit f2d5ae5092a1871430d03b91c56fd46222a2f3cc
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Aug 23 01:25:34 2012 -0400

    * Testing:  Added Fedora/RHEL style network configuration files
    
    Added etc/sysconfig/network and ifcfg-eth* / route-eth* files
    
    These are based on their original debian counterparts used with
    uml testing now.

commit 68c9e1a86a8b28ee914788ee4f7801393e59674b
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Aug 23 01:24:28 2012 -0400

    * testing: fix typo in testing/baseconfigs/north/etc/network/interfaces

commit c23a49010eee247ddcda9ee9a803332b59d904f6
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Aug 21 15:34:24 2012 -0400

    updated changes

commit 8d1209d9ea6d7a48ca2753dcea5659a9be10cb7b
Author: Andrey Alexandrenko <aalexandrenko at telco-tech.de>
Date:   Tue Aug 21 15:31:22 2012 -0400

    * XAUTH:  Use incoming XAUTH VID when picking best connection
    
    I have prepared a patch which solves for me the following issue with Xauth
    in Openswan.  Pluto may refuse to connect with a road warrior if some
    misc connections (with and without Xauth) are configured. The reason is
    that pluto does not regard Xauth policy in main_inI1_outR2 and may just
    choose an unsuitable connection for proceeding. In my patch I evaluate
    XAUTH VID and use this information when finding a connection.
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit a92acf2dfb902fa6880ce4c45292f389644bfd31
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Aug 20 23:00:53 2012 -0400

    updated changes

commit 816aae2e7607d64c3e531aaca2d0b9d20f611fa7
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Aug 20 22:52:57 2012 -0400

    * XAUTH: fix pam race condition and contrib/pam.d file
    
    Patch by Philippe.Vouters at laposte.net
    This is rhbz#815127

commit 102e4b8ad605d87d74db836e98f0d209dc269bac
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Aug 20 22:23:02 2012 -0400

    * Added dpd-08 testcase for rhbz#848132
    
    On a tunnel between host1 and host2 using dpdaction=restart, if host2
    goes down and DPD kicks in the new phase1 replacement will start
    retransmitting, but is subject to a limited amount of retries even if
    keyingtries=%forever (default) is set. If host2 does not come back in
    time, the phase1 replacement will expire and then the tunnel does not
    rekey until the old phase1 SA expires

commit b7599e205eb559dff7ad0d62ac3ad5bb67060ec3
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Aug 20 21:44:53 2012 -0400

    * barf: don't search for our logs in lastlog, btmp or wtmp
    
    This is rhbz#https://bugzilla.redhat.com/show_bug.cgi?id=771612

commit 4b5a633c9b3e3e6ee7f9ffd35a34f71c7d0a330e
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Aug 20 20:16:43 2012 -0400

    updated changes

commit a4e3b483135f072441366e645ac1d34b3d236077
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Mon Aug 20 20:07:46 2012 -0400

    * DPD/XAUTH/ModeConfig fixes
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit d00f36629229f619152a4e0dbb09e014883670d8
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Mon Aug 20 19:55:01 2012 -0400

    * Do not perform XAUTH/ModeCfg during rekey when using Cisco compatibility
    
    Paul: I added check for remote_peer_type=cisco as I didn't want to change
    behaviour for non-cisco.
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 6ed03ba7959f5c224a07866ab55f5f6f41280636
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Mon Aug 20 19:47:49 2012 -0400

    * Support for SHA384 and SHA512
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 0eac0cf957b5199a59abb7e574ad6ccbad3fc837
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Mon Aug 20 19:14:47 2012 -0400

    * v1phase2tov2child_integ() addition
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 5c44c1324fcb302f8abc0b10d07371949b90fbed
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Mon Aug 20 18:51:46 2012 -0400

    * Changes related to bz#703985 for Secure Labeling
    
    Signed-off-by: Paul Wouters <paul at libreswan.org>

commit 9134abd82145b69bb2ae7fd6028dcf2507a39de7
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Aug 20 18:41:13 2012 -0400

    * Added Avesh's additional labeled ipsec logging to starterwhack

commit a996cca2f2af79c1792ad82d1f557c0e305fde4c
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Aug 20 17:35:25 2012 -0400

    * Support reading NSS password from file
    
    Slightly modified from Avesh's patch to keep consistency of configdir
    location (i.e. when configdir != /etc/ipsec.d/)

commit dcd3775b95d30bebd0adf4fc9e4b154b390a7ce1
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Jul 20 00:52:58 2012 +0300

    update changes

commit fc86508683a92b3a3746d89395f6875a8c2d5e88
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Jul 20 00:50:18 2012 +0300

    restore postpluto functionality which was missing

commit 0ef5f70c869c8eea796a9311101e9b0feb83ae00
Merge: 25a7031 d218164
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jul 18 13:45:03 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 25a70312b788e90c94e5666b56d47bd7ac597851
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jul 18 13:41:54 2012 -0400

    * Sync up unbound/resolv.conf handling in _updown.{netkey|klips}
    
    Add unbound-control flush_requestlist to remove pending requests
    aimed at a resolver we can't or don't want to use anymore.
    
    Add a newline to the restored resolv.conf that was missing.

commit d2181641f5e5baded8eee54f232da1eaa64648b3
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jul 12 14:57:41 2012 -0400

    * Don't refer to NETKEY as "2.6" or "experimental code"

commit 9fdd3e55d247a277ab13a2985aeaf983bbd59a48
Merge: 2d26e0e 4f1e6db
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jul 1 19:24:34 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 2d26e0e1ea0ff16cb7b36059fd58629097f82907
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jun 29 16:06:29 2012 -0400

    * Added AH_SHA2_256_TRUNC to ah_transform_name_private_use

commit 4f1e6dbc30156c1df1796b8fb65922641f0fe07e
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Fri Jun 29 20:12:15 2012 +0200

    _startklips: use ip route instead of netstat

commit 689efc6f04f75e063ce2eca54d6280f19cd28916
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 28 18:57:54 2012 -0400

    updated changes

commit f9f51be34bae997acbba6fac58619af8d402dc14
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 28 18:53:22 2012 -0400

    * IKEv2: Use ft_zig instead of ft_mbz for IKEv2
    
    The RFCs state we should "ignore and continue" and not "abort"
    when we receive a non-zero value for a field that "must be zero".

commit 97e1dfb8f31b9f36dcf67f0b61df37e20f96c9a3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 28 18:00:16 2012 -0400

    * Introduce ft_zig value and reimplement android workaround with ft_zig
    
    ft_zig (should be zero but ignore) is like ft_mbz (must be zero) except
    we log a message and continue instead of aborting.
    
    Currently, this is always logged. If we find this happens too often,
    we can change the logging level to something non-default.

commit e38e4bc7aa4194d7495b35d28b71022b6c0a6be2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 28 17:57:52 2012 -0400

    Revert "* Workaround for Android Ice Cream Sandwich ipsec-tools 0.8.0 bug"
    
    This reverts commit e474937fef9fe80b3a961db00d2c39b26ef9430b.
    
    Conflicts:
    	Makefile.inc

commit 2af05554af2bf082acd1a8ddac2edd9418c7948a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 28 17:56:38 2012 -0400

    Revert "* Fix endif statement in Android ICS workaround"
    
    This reverts commit 224e23bcec99692b214773923799e54608f88a83.

commit 6a87ba5f0e549d2ccdd6895d28ef43206a39e6ff
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 16:04:05 2012 -0400

    * Add check for transport mode traffic selector in transport-02 test

commit e222cc0089ea5d2b761a95f6e93758ea05a9c75a
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 15:58:58 2012 -0400

    updated changes

commit 9ed4d3e9ca2f57872167149c633f7ee2a3b01549
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Wed Jun 27 15:57:42 2012 -0400

    * Pass traffic selectors to the kernel in Transport Mode
    
    2. Traffic selectors in transport mode (both ikev1/ikev2) (redhat
    bz#831669): Openswan does not pass traffic selectors information to
    kernel during setup of SAs when a connection is configured in transport
    mode. This might lead to a situation where esp packets not matching to
    existing traffic selectors can pass through kernel when the SA is in
    transport mode. The attached patch (openswan-831676.patch) addresses
    this issue and now Openswan passes traffic selectors information to
    kernel when SAs are setup in transport mode.

commit 4962a1ceb178ddd84c4e2cfcc0663f3a764d2346
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 15:42:18 2012 -0400

    helper: helper_passert_fail no longer used. Fix two string format warnings
    
    nss threads also do not use PLUTO_CRYPTO_HELPER_DEBUG like the old
    crypto helpers did.

commit 400633668791a663e0b0b14fceec2adab346691d
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 15:41:37 2012 -0400

    put rpmbuild values used to compile in Makefile.inc as commented examples

commit cd4b3e3c22aa28fc24bc3795898506190d5d7fbc
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 15:30:36 2012 -0400

    X509: fetch_ocsp should return void, not void *

commit 0afd5402533e382743a8b406748264364e5464fd
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 15:29:22 2012 -0400

    gen_reqid() can call exit_log() but confuses compiler
    
    compiler expects a proper return value, so return 0 even though
    this is never reached.

commit eadcaccc9d8d3666c3bd4ef5ba35c93860c62f14
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 15:28:36 2012 -0400

    NSS: We need to include nsperror.h for PR_GetError()

commit b05f3a9b473c87a4827978f678f7c098717ec1a7
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 15:06:08 2012 -0400

    XAUTH: fixup previous maxlength fix. move hardcoded to defines

commit 1f8ca6d218f39d8b59a466e27339163f8f7d3dab
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 27 14:15:50 2012 -0400

    * NSS/SHA1: PK11_DigestFinal() passed sizeof pointer instead of sizeof *pointer
    
    While at it, changed some known values for SHA1_DIGEST_SIZE, and
    removed hardcoded 20's for readability.
    
    (oddly enough, the nss example itself is wrong too, see:
     http://www.mozilla.org/projects/security/pki/nss/sample-code/sample3.html)

commit 3351b1c30924869e12e7fc94ba1116e71d18a501
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 25 15:44:47 2012 -0400

    updated changes

commit 4d63ca1d15f68f8b4883c24625f06129f70e7ea1
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 25 15:36:21 2012 -0400

    * Support /etc/sysconfig/ipsec and /etc/default/ipsec (rhbz#789917)
    
    There is a subtle difference between "ipsec setup start" and
    "service ipsec start" or "systemctl start ipsec.service". The first
    command passes all environment variables, but the latter two commands
    do not.
    
    This causes environment variables to be lost, ie. when a user does:
    
    export PLUTO_EVENT_RETRANSMIT_DELAY=1
    service ipsec start
    
    This patch brings in support for /etc/sysconfig/ipsec (fedora/rhel)
    and /etc/default/ipsec (debian/ubuntu) where these environment
    variables can be set.
    
    Probably, these options should all go into ipsec.conf's config setup
    section.

commit 66cdf37975d376776109787e4c9babfda4c391a4
Merge: 3e087d5 20fc180
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 25 14:57:01 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 3e087d54cd334bfed16be3216553d1879166927d
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 25 14:55:44 2012 -0400

    * Log if we send non-default PLUTO_*_RETRANSMIT_* values via env variables

commit 20fc180060956ff3d2e624df137931e4fd71e935
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Jun 21 22:15:06 2012 +0200

    add changes entry for last two commits

commit 914ee12d40b231d2a3d1d8a24b6bd28f567911c1
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Jun 21 18:45:10 2012 +0200

    add missing fi

commit aaf0fc3469948220d08641a509fd71b9296a80ac
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Jun 21 12:48:32 2012 +0200

    add missing ;then

commit 10d0a3db22e102f3724015b25d87e5b0206db7bc
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 20 00:02:51 2012 -0400

    * put note back regarding labeled ipsec in docs/README.labeledipsec

commit 3c1ca1c0e10471cfdbd92cda6e8661e999944da0
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jun 19 23:46:12 2012 -0400

    * coredump: default to /var/run/pluto/ which is compatible with SElinux

commit 0c4801620b0c622cfdf9e4768d35928ac8ad7058
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jun 19 23:30:16 2012 -0400

    * Remove support for PLUTO_CORE_DIR env variable (use dumpdir=)
    
    It would conflict with dumpdir= and the uml tests are not using it

commit a07179e2b9690afc01fd4d07671b82bc85cacfe4
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jun 19 23:21:20 2012 -0400

    * NETKEY: linux_pfkey_add_aead() left alg.sadb_alg_reserved uninitialised
    
    It is reserved, and we only ever set it to 0.

commit 97a5128f3b4425c0f0436642f012cbe95c8508dd
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 18 10:12:45 2012 -0400

    * fix debugline to print only in verbose mode

commit e7be44dc356ad2fbddcc0029d877fb4e7259b758
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 18 10:09:38 2012 -0400

    Add unbound.c to Makefile.dep

commit 38a689528e3b2d2e678c18de1da507dc3299082d
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 18 10:08:07 2012 -0400

    * Had forgotten to add lib/liblibreswan/unboud.c

commit e220a74e3ada270dcd9cd9f94711817d126f221e
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jun 17 23:04:27 2012 -0400

    updated changes

commit 297ad3853088bd42d0dbce45bbe445cb710aeb64
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jun 17 23:00:11 2012 -0400

    * starter: all resolving via starter is now done with DNSSEC support.
    
    All of resolving in starter now uses one ub_ctx context that is
    passed along, so that we carry our dns cache along. This does change
    the API of functions in confread.c, which makes using non-DNSSEC (eg
    the old gethostbyname()) harder. That needs fixing after I talk to
    dhr.

commit 0c586e3b7d78304abf8605c24b072367f5ee6f0a
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jun 17 22:58:39 2012 -0400

    * dnskey.c: put back old LWRES code for now so it compiles.
    
    The OE DNS lookups need to use an async unbound based lookup anyway.
    It also needs TXT/KEY -> IPSECKEY which was started but not completed yet.

commit 6efb6ab52234ea0bda580e1937435149648a44f6
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jun 17 22:58:11 2012 -0400

    Use IKEv1_AUTH_ALGORITHM_NONE for now (work in progress)

commit 93a3727ac1ecf1064a1089e8e7e280825e2aad89
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jun 17 22:54:04 2012 -0400

    * starter: remove prototypes for static functions
    
    init_load_conn(), translate_conn() and move_comment_list()

commit 6538429eb9a402af50765d12d6dd1909e299aabd
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jun 16 22:46:55 2012 -0400

    * remove some old linux 2.2 cruft
    
    kernelpatch targets, Makefile targets, packaging/defaults

commit e74a370956c7a075d18d8835a12d9bfb7fc374f1
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 20:51:08 2012 -0400

    * remove duplicate include of oswlog.h in x509dn.c

commit 3a42cd1a14e540b2147b9214dabcf5b94fc10fe2
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 18:51:58 2012 -0400

    * Add DNSSEC support to confread.c

commit d196c3c6f7f2f3b10f7652e3073ea8fca80d33a4
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 18:50:43 2012 -0400

    * push USE_DNSSEC into the lib/Makefile.library for use within libraries

commit f58a6a1eef83c98236fb73a98b52d6228d8d6a7b
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 18:49:36 2012 -0400

    * prevent double inclusion problems with dnssec.h
    
    Use a #ifndef _DNSSEC_H and make the variables static for now, until
    we move things into a library.

commit bc593c1275db9b6aab4e752b28df557684537b31
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 18:11:31 2012 -0400

    * Fix AF_INET6 tnatoaddr() check in addconn.c and make static
    
    The static for now is because I'm also placing this in a library and
    it conflicts. Later on the addconn version will come from the library

commit 873f46297561c34a995c2fd2c5e49635b93de245
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 15:52:31 2012 -0400

    * Add scaffolding for man pages for labeled_ipsec, loopback and policy_label
    
    Perhaps Avesh can fill these in for us.

commit 2773fafdb92886414dbda045e6a4a251a1793310
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 15:41:08 2012 -0400

    * Don't try to resolve A/AAAA records of IP addresses in addconn.c
    
    When looking up --defaultnexthop values

commit 02edb14c50c777f8ecb8942fd6a77eab1d4b5183
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 15:33:08 2012 -0400

    * Don't try to resolve A/AAAA records of IP addresses in addconn.c
    
    When looking up --defaultroute values

commit 88207d364cacd9d048ed252033dc2ae918e31d06
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 11:49:02 2012 -0400

    merge virtif.c header change

commit b28042874e99141ca2b7c117f86756b020e2b395
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Jun 14 18:36:23 2012 +0300

    update CHANGES for _updown.netkey fix

commit 62f7bed504fadd8dfd9dbdaa45028ff58f67d847
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Jun 14 18:34:08 2012 +0300

    _updown.netkey: fix route to be inserted on correct interface when nexthop is used

commit 41c871caf9b594d0a7655512dc7120300e282520
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 00:07:10 2012 -0400

    updated changes

commit 177c5e96a582f4be159f42292a23a3b36c812253
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 14 00:04:38 2012 -0400

    * Added new option plutostderrlogtime= (default=no)
    
    Add plutostderrlogtime= option to enable or disable logging the time
    stamp before each log message (as syslog does). Some people want this
    when logging to a file.  However, since the swan code is using this
    output via plutostderrlog= in a file for the test suite, this needs to
    be an option that can be turned off.

commit e0b44314cd81c492a4de33c2e7e992c064457313
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jun 12 21:29:21 2012 -0400

    * Cap xauthpasslen and xauthnamelen at 128 (their buffer size)

commit 332bc03819b227c503924e15fb2720378c6e6857
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jun 12 21:13:55 2012 -0400

    * fmt_log() fix similar to previous strncat() use

commit 640f2c19f6e771a05a3c6d7e180cbc0cd21a5554
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jun 12 20:49:15 2012 -0400

    * xauth: in theory, in xauth_inI0() it could attempt to memcpy NULL

commit 5db42ff386f29f7403a951e89edd0d1503fa42a6
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue Jun 12 20:43:06 2012 -0400

    * ensure not to call same_chunk on a null pointer

commit 10dcb3a3569a28a03849b42686d72cd28c664d4b
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 20:46:39 2012 -0400

    * redone and simplified functions around strncat/snprintf

commit 4c1fbb32b871350e41528715674de34daa26c915
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 17:20:32 2012 -0400

    * fix addrtot() with a passert and off-by-one

commit cfc5bcad40987bea9375a0280d812a358e616012
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 16:56:19 2012 -0400

    * fixup format_end(), do not use strncat but snprintf

commit e69ade6fd822725c52084d051324c633ff3030a8
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 16:22:53 2012 -0400

    * Move the close() call for the sock to the function that created it.

commit 3eda2666ddb763ee3d659e56ec862bfe93d16cef
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 16:17:12 2012 -0400

    * undo the close on whack_sock, as it is placed in the state.
    
    Left a comment to avoid making this mistake again.

commit aa9af2459312e603b02950c23969b748f1044ceb
Merge: 64be346 ce752b8
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 16:06:11 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit ce752b8f8bdd0a034493968101df2dbb1abc94ff
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 13:51:42 2012 -0400

    * remove --copyright usage

commit 5329b6cb05c2199757dff31497406b020ee17c09
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 13:49:09 2012 -0400

    * close dup()ed whack_sock in ipsecdoi_replace() to avoid leaking fd

commit ea8863e00b98e9e33fb5c5b2661f0212c003b758
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 13:48:19 2012 -0400

    * Remove other half of ipsec_copyright_notice()

commit 8d100777b03b8f45b09f275392b146a3efaa4514
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 13:33:52 2012 -0400

    * include "sysdep.h" in udpfromto.c
    
    That defines HAVE_IP_PKTINFO for Linux and HAVE_IP_RECVDSTADDR for
    BSD.

commit 08212d9c87c8668e551df3479ddf4be5a06680d4
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 13:33:17 2012 -0400

    * close socket fd of the interface in _iface_down()

commit d525d831c97b4112ba8d70db3ace76f29f51e7e7
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 13:09:56 2012 -0400

    * undo accidental commit to kernel_netlink.c in previous commit.
    
    (that patch was still under testing and was accidentally committed)

commit 422c3e6166ca43b5452b24f1eb7a298d48194bd6
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 13:01:54 2012 -0400

    update changes

commit 6ef7136c6dc32db790064110eca8c432b1ba1948
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 13:00:22 2012 -0400

    * Fix potential strncat() failure in format_end()

commit da07ef5c15465888d375b3d33b7d090a807ec0cc
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 12:32:57 2012 -0400

    * More strncat() safety checks

commit dc5a3a88ff9bca84e723685223132d63165696d3
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 12:15:12 2012 -0400

    updated changes

commit 68a57612b63d28a6674dc72e8740c41b9b386a79
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 12:12:11 2012 -0400

    * Additional safety checks to alg_info_snprint_esp() and alg_info_snprint_ah()
    
    Similar issue as with commit 08cf475d7dc

commit 623c7087ea41400cd5e967f0d12a2ee3d6f562b0
Merge: 55097de 8c4cc70
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 12:01:37 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 55097de9e240db84b956128b6f5a5de547d6226d
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 12:01:21 2012 -0400

    updated changes

commit 08cf475d7dc3ae74407e16d808b17428f89b4f11
Author: Paul Wouters <paul at libreswan.org>
Date:   Mon Jun 11 11:55:41 2012 -0400

    * Additional safety checks to addrtot(), inet_addrtot() and sin_addrtot()
    
    These functions when used properly are passed a char of size ADDRTOT_BUF
    which is more than enough to strncat "<invalid>" into.  But scanning
    tools don't know about these and show red flags in case something smaller
    is passed.
    
    So now we check if the dstlen passed in is smaller than sizeof("invalid")
    
    At least if someone would call these functions with chars that are too
    small, we just truncate the text "<invalid>".

commit 64be34602346c23993935068f07dd4bf76012bd5
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jun 10 17:56:20 2012 -0400

    * sync patches with variable names
    
    ESP_reserved -> ESP_RESERVED
    IPCOMP_V42BIS -> IPCOMP_LZJH

commit 8017b30aa3c23a7c91eafbf832736b0721165fd0
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Jun 10 14:17:17 2012 -0400

    updated changes

commit 8c4cc708ff398a2addd2923d9e461078b1a714f7
Author: Panagiotis Tamtamis <tamtamis at gmail.com>
Date:   Sun Jun 10 14:13:57 2012 -0400

    * Block rules created by openswan remain even after tunnel establishment
    
    bugfix for #1334
    
    Detail analysis
    
    Problem text refers to block policy rules (bare shunts) which are created
    by openswan and remain in kernel forever until service is restarted.
    This is happening if the user manually adds policy rules.
    
    If a manual policy rule is added, this will trigger an ACQUIRE
    message. ACQUIRE will be handled by openswan in the following manner:
    
    A valid conn will first be searched at initiate_ondemand_body function
    at find_connection_for_clients.  If a valid connection is not found
    then cannot_oppo function is called.  This function at the #ifdef KLIPS
    part of code will call the replace_bare_shunt function. This function
    is called with failure_shunt = FALSE and the transport protocol != 0.
    What is going on now is wrong!
    
    openswan goes inside this function in order to delete the policy rule
    which triggered the ACQUIRE msg (as it is stated from trace message). But
    transport protocol is != 0. So instead of a delete it performs an addition!
    That way a bare shunt or block policy rule is created in NETKEY stack
    which cannot anymore be deleted by openswan.
    
    In my opinion pluto, even if the user does not "properly use" openswan
    by adding a manual policy, should not add and moreover let those block
    policy rules in the kernel.  Since those are added by openswan should also
    properly delete them.  In NETKEY the default value of the parameter level
    is "required" which means that no unencrypted traffic will go out until
    an SA is fully established so a block rule is not required!  KLIPS might
    need that but this part of code should not be executed under NETKEY stack.
    
    Furthermore even in a proper use the code has a bug.  Let's assume now
    that a very very simple host to host tunnel is erouted.
    
    Pluto will add a policy (trap) to the kernel. When a ping is sent from
    one host to the other this will trigger an ACQUIRE message to tell
    pluto to establish a tunnel.  Now the connection is found (proper use of
    openswan) at initiate_ondemand_body function.  Code will go to assign_hold
    function at line 860. assign_hold at the if statement eclipsable(sr)
    will return true since it is a host to host tunnel and this later will
    call free_bare_shunt function which will print "delete bare shunt:
    null pointer".
    
    In conclusion, the analysis is that those 2 IFDEF KLIPS code flows should
    not be executed if NETKEY stack is used.  Below are traces from ACQUIRE
    message in host to host and subnet to subnet erouted tunnel in "normal
    use".

commit 8ac9f628bf14bb5f919828f55b0d63cbd98bb53f
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 7 18:03:54 2012 -0400

    * addconn: Add IPv6 support for defaultroute/nexthop lookups
    
    This support is both for using the new unbound_resolve as well
    as the old ttoaddr()

commit 05506326feca7ec8f5c938724a1d4c7566379e3f
Merge: 237eddf 38001cd
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 7 17:21:14 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 237eddf6689ba6572ca0328c77872fe43fbe8185
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 7 17:17:11 2012 -0400

    * Fixup the unbound_resolve() code.
    
    I was confusing err_t and char * and returning unmalloc'ed chars.
    
    When moving the DNSSEC code into its own library I will ensure to
    only use static strings for err_t. For now, I changed the type to
    bool or err_t within the DNSSEC ifdef.
    
    (Thanks to dhr for going over this code with me)

commit 38001cd5738aba516078447b998c23ed0930a8be
Merge: 028fe09 3843922
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 7 15:09:58 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 028fe09fc4d1573321b5aab69196a06a15ae01df
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Jun 7 15:08:06 2012 -0400

    * Log a warning for NETKEY/XFRM breaking RFC 4301, Section 5.2
    
    When setting up a transport mode connection with a protoport selector,
    the Linux NETKEY/XFRM stack will accept any encrypted packets between
    the hostpairs, and not just the ones covered by the selector. We log
    a warning about this.

commit 38439225e4c1f18e6795031dca6338ebdc9eeb2f
Merge: 629e702 2639740
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 6 20:22:04 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 629e702fc12480ed92de6e1e9c4e8190d2894c79
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 6 20:20:35 2012 -0400

    * DNSSEC: added root and DLV (dlv.isc.org) key for dnssec validation
    
    This hardcodes the root and DLV keys. These are long term keys, and
    it would be nice to handle this differently later. For now it avoids
    dependencies on these key files (in various odd formats) elsewhere.

commit 0fcaeab77320a27233d9bbcbc8fe551cad9d2d3f
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 6 20:17:41 2012 -0400

    * DNSSEC: Introduced new option USE_DNSSEC
    
    Defaults to true in this tree as it is deemed a development tree now.
    
    This is a proof of concept. Makefiles will need to get adjusted when
    the unbound cacher code moves into a library.
    
    This option requires the libunbound (http://unbound.net/)

commit b99843f8920bc63c9a84df825eaacbbc7f0b77f4
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 6 20:14:18 2012 -0400

    * DNSSEC: Converted addconn.c from ttoaddr() to using libunbound()
    
    Also warn if resolving was performed but the lookup was not validated.
    (we'll see how spammy it gets)
    
    Other readconf/parsing routines called by addconn.c still call ttoaddr()
    
    Note this is a proof of concept only. Some of this will have to move
    to a more generic place to get re-used by other binaries and libraries.
    
    ttoaddr() at some point calls gethostbyname() which is blocking. So
    this is a simple replacement using unbound that is also blocking. It
    does use a shared cache if you would use it to load all conns.
    
    Addconn.c does not resolve left/right directly, but only the defaultroute
    options and nexthop values.
    
    It needs more testing to confirm IPv6 works, but it seems ttoaddr() did not
    fully support ipv6 to begin with.

commit 224e23bcec99692b214773923799e54608f88a83
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jun 6 13:22:12 2012 -0400

    * Fix endif statement in Android ICS workaround

commit 308fa7dd5037793ac5439eda8fbda4e2971c1f31
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed May 30 15:18:17 2012 -0400

    updated changes

commit b5e0a262187ca55d9d1b53a8be044a41d1676392
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed May 30 15:05:08 2012 -0400

    * Always assume UDPFROMTO works on Linux and BSD
    
    - Phased out UDPFROMTO_DEFS
    - Moved HAVE_UDPFROMTO, HAVE_IP_RECVDSTADDR and HAVE_IP_PKTINFO defines to arch
      specific sysdep.h versions of bsd and linux
    - Fixes a bug where compiling just NETKEY and no KLIPS support would lose HAVE_UDPFROMTO

commit 526fc702fc5a6f8d36d7e1fd13ed82a45b3c93a1
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed May 30 14:09:12 2012 -0400

    * Remove "ipsec copyright" command
    
    The text was always extremely outdated anyway. Proper copyrights
    and credits are in the source and distros tend to distribute those
    files as well.

commit 3a8801f9a1ca258d76c43463c95343707ccbe9b8
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed May 30 13:52:57 2012 -0400

    * Remove unused MD2_DIGEST_SIZE

commit 36b9caa758815e96914316da9e7ff4eb179c9d1c
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed May 30 13:50:57 2012 -0400

    * Only set MODP768_MODULUS with USE_VERYWEAK_DH1

commit 2639740e37cca6f9ca824310bf0faf55849dae1a
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed May 30 13:25:44 2012 -0400

    * one #endif ended up being an #end by mistake

commit 0c2705bf3947d5edc2fcce4da13b89d78fc5f2ec
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri May 25 17:56:35 2012 -0400

    * Testing: remove double == in testcase echo line to avoid confusing

commit 2f5d4356167b553833aa4e9d75d81c7b409080c8
Merge: 1aa4b0a e474937
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue May 22 12:40:02 2012 -0400

    Merge branch 'master' of vault.foobar.fi:/srv/src/libreswan

commit 1aa4b0a1dcd46cbffec5f8f0ac145aa0f648dcf6
Author: Paul Wouters <paul at libreswan.org>
Date:   Tue May 22 12:37:50 2012 -0400

    * Remove KLIPS define in initiate.c
    
    This define was supposed to limit some OE/on-demand code to KLIPS, but
    there is really no reason anymore to do that as NETKEY can also do this.
    As everyone on Linux enabled KLIPS support anyway, it was always there.
    
    But now we also check/enable some initiate code when the currently used
    stack is NETKEY.

commit e474937fef9fe80b3a961db00d2c39b26ef9430b
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun May 20 13:30:16 2012 -0400

    * Workaround for Android Ice Cream Sandwich ipsec-tools 0.8.0 bug
    
    ipsec-tools 0.8.0 mistakenly sets some NAT-OA fields that are defined
    in RFC1374 as "always zero". We define these as "ft_mbz" (Must Be Zero)
    
    This workaround changes the type to "ft_nat" (Natural number) and
    then ignores it.
    
    What we really need is the "ft_mbz" case to log and zeroise, but I
    could not get the pointer magic working.

commit ef189bb983c6bca1d3972d57caf907a1c660825d
Author: Paul Wouters <paul at libreswan.org>
Date:   Fri May 18 16:02:22 2012 -0400

    * remove duplicated history (and test commit)

commit 523226da1f3f3c431065da96489d13139418f0ca
Merge: 6cd4429 74c2a46
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu May 17 09:36:12 2012 -0400

    Merge remote-tracking branch 'openswan_master/master'
    
    Conflicts:
    	CHANGES
    	programs/pluto/ikev2.c

commit 74c2a46b5562920f7849761748e026e19991b4be
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu May 17 10:58:20 2012 +0300

    update CHANGES for AES-GCM fix

commit 81778fcad5c3ebb966b02fc9af0fc7c0fbead678
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu May 17 10:53:18 2012 +0300

    Fix for three AES-GCM issues with key lengths 128, 192, 256 bits and IV
    of 8, 12, 16 bytes as per RFC 4106.
    
    1. AES-GCM for key length 256 for all 3 variants
    (IV of 8, 12, 16 bytes) does not work.
    
    2. AES-GCM negotiation for ESP during IKE exchange does not
    inter-operate with any other implementation, because Openswan
    sends wrong key length values. RFC 4106 defines that key lengths of
    128, 192, 256 should be used during IKE exchange, whereas key
    lengths + 4 bytes should be calculated as final keys to be sent
    to kernel for ESP. However, Openswan sends key length + 4 bytes
    during IKE exchange and breaks interop with other implementation.
    
    3. RFC 4106 only allows 3 key lengths of 128, 192 or 256 bits, but
    Openswan lets configure any key length which should not happen, and
    configuration should be limited to only the specified lengths in
    the rfc.
    
    Signed-off-by: Tuomo Soini <tis at foobar.fi>

commit 6cd4429aa0a2d53466dec005e4c650b0dbb7beba
Author: Paul Wouters <paul at libreswan.ca>
Date:   Wed May 9 22:08:19 2012 -0400

    updated changes

commit 05de145b00abce435ea8e843b2e50f5bc76158bb
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed May 9 22:04:33 2012 -0400

    * Make the nss crypto library mandatory
    
    - Removed custom crypto code
    - Also removed md2 algo which was apparently used in some old certificates.
    - Fixed some warnings on unused variables

commit f403742a9916a93c259421fcf873e455408e852c
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 11:32:29 2012 -0400

    * bump WHACK MAGIC to detect version mismatch with other swans
    
    We leave WHACK_BASIC_MAGIC the same, so a package upgrade from
    one swan to the other swan will still work properly.

commit 976935a57a62f93085a791d244d7c876664532fa
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 11:20:39 2012 -0400

    * Fixup some credits. Remove merged contrib code for selinux

commit e0ae5cae7c461bdf8576c6bcc6564eddae1094c9
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 11:16:26 2012 -0400

    updated CHANGES

commit 36d4f37be455d315b3593c48db45b54ba0d70c31
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 11:10:47 2012 -0400

    * Remove support for kernel 2.5.x. We only support 2.4, 2.6 and 3.x

commit 4a78018321d29b94ac5d1bb8a03b00b1a6ad8675
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 11:02:28 2012 -0400

    * Remove support for kernels without snprintf

commit dc3a8a74dfa55100739d34d28bbb8d921b9a1531
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 11:01:07 2012 -0400

    * Remove support for kernels not supporting MALLOC_SLAB

commit bef9308a73d189763ed9cad677cbdde05567082a
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:53:05 2012 -0400

    * Remove remaining pre 2.4.4 kernel support

commit 168470919ace441cd684e3e9e4dbcbba65809e03
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:49:54 2012 -0400

    * Remove pre 2.4.4 IP_FRAGMENT_LINEARIZE compat code

commit dba5243a8e512640acedbdb2a96cc431d59032b1
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:47:54 2012 -0400

    * Remove pre 2.4.4 kernel compat for PROTO_HANDLER_SINGLE_PARM

commit aacf99f88d31865d8a812ed3f67d379d7a0d18bd
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:46:32 2012 -0400

    * Remove compat code for SKB_COW_NEW for < 2.4.4. kernels

commit 0e9a8e7ed74b9333091238a6635e4c97e3e8f2b3
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:43:58 2012 -0400

    * Remove compat old/broken IP_SELECT_IDENT for < 2.4.2 kernels
    
    Also removes support for broken 2.4.19 suse kernels

commit e25587cf4425b6b733f4fba4a04e1dd233a33de3
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:39:18 2012 -0400

    * Remove SKB_COPY_EXPAND for < 2.3 kernels

commit 515d84e89cf79d5fa146abe58588da563dd0e679
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:36:04 2012 -0400

    * Remove /proc dummy code for old kernels (PROC_NO_DUMMY)

commit 31aa26de1aaf9a7e5d826a25b8668800b97bd5d0
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:34:58 2012 -0400

    * Always add support for alias capability (CONFIG_IP_ALIAS)

commit b42af089fb0702d13f1af34ec304dadedba03fb0
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:33:55 2012 -0400

    * Always add support for alias capability (CONFIG_IP_ALIAS)

commit 1a33f59063a6db5a565e414362e5994e371bbbe6
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:32:52 2012 -0400

    * Remove support for NET_23 (kernels before 2.3)

commit 88f79de57d6e366034b9f6cc861efa96eba36643
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:26:37 2012 -0400

    * Remove kernel support predating NETLINK

commit 3da668240f48c006b62c451ad8faa89d730149b0
Author: Paul Wouters <paul at libreswan.ca>
Date:   Tue May 1 10:17:11 2012 -0400

    * Remove /proc support pre-2.4 kernels (PROC_FS_2325/PROC_FS_21)

commit a41fbbce2aa00048ed34c025f1a9a75b092260e2
Author: Paul Wouters <paul at libreswan.ca>
Date:   Mon Apr 30 23:43:30 2012 -0400

    * Remove more old 2.1 and 2.3 kernel code

commit a4a398b9bad1b2def31f3ddf75fe8e81e193ce28
Author: Paul Wouters <paul at libreswan.ca>
Date:   Mon Apr 30 23:16:29 2012 -0400

    * Remove support for kernels without SPINLOCK and SPINLOCK_23
    
    These are all pre 2.4 kernels.

commit 60c45c6993221ccad248b559b952b31fd8018c65
Author: Paul Wouters <paul at libreswan.ca>
Date:   Mon Apr 30 22:21:56 2012 -0400

    * Remove support for Linux kernels < 2.1.0 via NET_21 define

commit 171d2f6c276e6e7757cf3dec4356c2243a6f54e6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 29 23:39:29 2012 -0400

    * IPSECKEY: no longer split the string as required for old TXT records.

commit e141565eab35acf49572cb73611993148a716116
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 29 23:34:51 2012 -0400

    * Fixup IPSECKEY support with ipv4/ipv6 family and support --precedence
    
    Also updated the man page to reflect the changes made.

commit b275c0c6820adb0ea634e2f0dbfcbcb70a57ed9c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Apr 29 22:45:38 2012 -0400

    * Updated ipsec showhostkey to support IPSECKEY
    
    Also removed support for KEY and TXT record, and removed stub
    options for x509 options that were not implemented.

commit 8ca36783dd35b6ce7575a36dfa59e9ccb4deab9a
Author: Paul Wouters <paul at libreswan.org>
Date:   Thu Apr 26 18:12:56 2012 -0400

    * Removed strict mode option via '!' flag.
    
    Also removes the entire flags= section from status output, as strict
    was the only flag we had.

commit 463ce6c77c42baa32bdc324f4b9f9675a89fd4fa
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Apr 24 08:36:22 2012 +0300

    update CHANGES for bug #1329 fix

commit 31415c27ae4c7d2bf1de2ae20f7357aa28ad8df6
Author: Steve Lanser <slanser at tallmaple.com>
Date:   Tue Apr 24 08:26:14 2012 +0300

    Fix the IKEv2 crasher seen in the 2nd update to issue #1329.  We need
    to allow complete_v2_state_transition() to handle errors with reason for
    failure (as described in commit 3bdc91faf5d492e65ceeaede9320f2b81c779fb1),
    and to send an error response to the peer.  Continue to abort for the
    STF_TOOMUCHCRYPTO case which is called out separately, and for other
    cases where state is expected. Note that DoS detection and control should
    be handled at a higher level.
    
    Signed-off-by: Tuomo Soini <tis at foobar.fi>

commit 168369e4cf80050ef9e4112f354f2f1737d813c4
Author: Paul Wouters <paul at libreswan.org>
Date:   Sun Apr 22 23:25:33 2012 -0400

    * Remove USE_LWRES support
    
    This completely removes the partial outdated statically linked ISC
    stuff for dnssec. It will be replaced by ldns/libunbound code.

commit f7b216110303068467b6341b5b80ded1aa891c25
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Apr 21 23:55:19 2012 -0400

    * Fix generating libreswan versions based off git
    
    And remove support for obsolete versions of git

commit 00beb8a99a93ac7318848f19f63e58730ef543ac
Author: Paul Wouters <paul at libreswan.ca>
Date:   Sat Apr 21 23:36:21 2012 -0400

    * Change our vendorid prefix to "OEN"
    
    Vendor ID will be redone soon to not require md5 runtime, which is
    a problem in fips mode.

commit 10acb2d0b646781586730495ee63d7deb16d987e
Author: Paul Wouters <paul at libreswan.ca>
Date:   Sat Apr 21 23:01:09 2012 -0400

    * Initial fork commit

commit 58d49a5103cd55c0f871bda97c0961b68ebc0629
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Apr 18 08:17:04 2012 +0300

    update CHANGES for bug #1308 fix

commit 9b187016d7e9017281ab4780cae7a272f95c338e
Author: Matt Rogers <mrogers at redhat.com>
Date:   Wed Apr 18 08:10:15 2012 +0300

    Fix for bug#1308: forceencaps= setting does now show up in status output.

commit a6c7acb739780aadaaf076100c4753cd760eedac
Merge: fb35ee3 5875a24
Author: Antony Antony <appu at phenome.org>
Date:   Thu Apr 5 00:34:54 2012 +0200

    Merge remote-tracking branch 'turk/master'

commit 5875a24d314171760b679cd04888797d89058ba6
Author: Antony Antony <antony at phenome.org>
Date:   Wed Apr 4 18:31:33 2012 -0400

    fix test config

commit fb35ee36a31909cee0c9f784146e80bc46c54ff7
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 26 16:50:47 2012 +0300

    updated CHANGES

commit 4a5d36cb496dcb3d869d5a0417500d88591f8a2e
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 26 16:24:08 2012 +0300

    Silence error message when DN is loaded to ID with %fromcert

commit 8593ed4ae8be46598abd7068dc57949ee5c1cb0b
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 26 11:03:07 2012 +0300

    Fix url to bugs system.

commit a337b09e2aa8140136ab60217974327c7223b1ca
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sat Mar 24 01:41:54 2012 +0200

    updated changes for v2.6.39

commit 1639ae503659ddcc7f93fa79671860218aa16025
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Mar 23 23:05:37 2012 +0200

    update CHANGES

commit e09605eb144f3922a7037c93a3b658d5ae416a93
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Mar 21 14:32:01 2012 +1000

    Fix up support for ipv6_skip_exthdr on linux-3.3
    
    linux-3.3 kernels and later now take an extra arg for ipv6_skip_exthdr
    that I don't think we need to worry about.  Deal with it in a flexible way.

commit 65ed395a8f32d453f50c2c853a6bf594b7c3f530
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 20 12:35:47 2012 -0400

    * IKEv2 testcases for port narrowing

commit d330fcbfa9144e53c1542b0c22ff8bb768934af0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 20 07:34:03 2012 -0400

    * IKEv2: forward port of ikev2_evaluate_connection_port_fit handling

commit 20c8efa0383c7b7b46e07bb09ccd07bbb8e2f87d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Mar 14 14:21:59 2012 -0400

    * remove some unused variables from iprange.c

commit d335edbe803c75b921171d15a4305105333c8513
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 22:59:04 2012 -0400

    slightly better ikev2 traffic selector mismatch code

commit 1d796c1dba446c264cdd551982ba004e2aa37797
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 22:09:12 2012 -0400

    * return STF_FAIL + TS_UNACCEPTABLE for now to avoid more issues

commit 399cd4751cb267d9a491e83eb40a30a75a86ab4f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 16:47:58 2012 -0400

    esp_transformid_names not esp_transformid_name

commit 173c4da76e8a1531066bfd095439efa55dbab4f9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 16:32:02 2012 -0400

    * fix logging call to use enum_name(), not enum_names()

commit b6810940cb51dccd8b68088c5f7657993932bac1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 16:18:39 2012 -0400

    Fix signedness of dc.ptr pointer cast

commit f9143cdadaa4bc0970d8254e7650122ee78ba53d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 16:13:23 2012 -0400

    missing format argument

commit e6799072f6847644b37b06a78afba5393ba4fe4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 16:10:55 2012 -0400

    * fix exact TSr/TSi match.

commit 3bdc91faf5d492e65ceeaede9320f2b81c779fb1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 13:14:09 2012 -0400

    * IKEv2: always pass reason for failure to complete_v2_state_transition()
    
    We were changing STF_FAIL + reason to STF_FAIL, causing us to log with
    empty reasons, eg:
    
    133 "test" #1: STATE_PARENT_I1: initiate
    133 "test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
    134 "test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
    200 "test" #2: STATE_PARENT_I2: (null)
    
    Now the last line properly prints:
    
    238 "test" #2: STATE_PARENT_I2: v2N_TS_UNACCEPTABLE

commit a99771733f659252de7381a6dee9bd83d3ab206a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 12:14:19 2012 -0400

    * IKEv2  Code dealing with parent success, child fail, was bad
    
    Reverted it to always send the AUTH payload again.

commit 4d0d228e0a519a0a6a73bb55bbbea5f191c30faa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 11:50:48 2012 -0400

    * err_t excuse was only ever set to "not sure" - removed

commit 01bf3f3633977d0177e74d8c28722be3c277bb6a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 11:12:25 2012 -0400

    * testing: The IKEv2 tests use "west-east-base" which was split out.
    
    Added it back with two also= includes for west-east-base-id and
    west-east-base-ipv4

commit 365ab87a86e3de70756e2ecb0b6ff10f63ef4284
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 13 10:53:31 2012 -0400

    * IKEv2: change order of ikev2.h / demux.h for struct payload_digest

commit 8c02060f97ba547ee726ebf7288801725548dfe9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 12 16:13:07 2012 -0400

    updated CHANGES

commit 3d277cebda58d2a24bc4fa1591d2e0c59c457f37
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 12 16:10:05 2012 -0400

    * IKEv2: sync back Changes from RHEL
    
    These relate to deleting SAs, Information Exchange, and Traffic
    Selector narrowing.

commit c97e5670e217329febc3c4262b0a3d93a4d407c7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 12 11:45:18 2012 -0400

    * IS_CHILD_SA_ESTABLISHED() now also checks for st->st_clonedfrom != SOS_NOBODY
    
    While this should not be necessary there is some confusion about
    child states in IKEv2 (and IKEv1 Aggressive Mode). In IKEv2, both
    the parent sa and a child sa show up as PARENT_STATE_I3/R2.
    
    Conflicts:
    
    	include/pluto_constants.h

commit 13708d51b8d0fdb4fd3984ef1b2d32601eb42095
Merge: a0169a3 e3ad704
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 9 01:53:19 2012 -0500

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan

commit a0169a383d250e69e14dfb64fd9123d196adc090
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Mar 8 13:51:12 2012 -0500

    * change rmmod order for ipcomp/ipcomp6
    
    Our simple grep test for ipcomp triggers on ipcomp6, so when you
    have ipcomp6 loaded but not ipcomp, it will show a (harmless)
    error about ipcomp not being loaded.

commit e3ad704d94d561ac2c8a7767f593b4cf772e07ab
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 20:53:41 2012 -0500

    Only log directory changing of the X.509 stuff in DBG_CONTROLMORE.
    
    We were getting spammed with useless messages like:
    
    Jan 17 13:26:38 tb7 pluto[32270]: Changing to directory '/etc/ipsec.d/crls'

commit c5932f8992600b6a1302814f26d87c8fe8fca34e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 20:53:07 2012 -0500

    * fix unhandled case IKEv2_AUTH_HMAC_SHA2_256_128_TRUNCBUG
    
    The compiler was so kind to help us, nice enums....

commit a1405234faaa2608412f06b2c2e4a0da819b30a5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 20:52:29 2012 -0500

    * Forgot to rename IKEv2_AUTH_HMAC_SHA2_256_128_TRUNC
    
    to IKEv2_AUTH_HMAC_SHA2_256_128_TRUNCBUG.

commit 5701ad75b1235b4f9ddb8652be0e2e39c4bf5ef9
Merge: 1ccfc5b e721cab
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 20:37:01 2012 -0500

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan

commit 1ccfc5bd006c25c46c2e98a1b2ba5b4879d41571
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 20:35:16 2012 -0500

    * Remove unused defines from include/ipsecconf/files.h

commit e721cab9c1e88b0c772f89254ef5190044977d07
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 19:35:29 2012 -0500

    updated changes

commit b102e8b3c4c32e1d16f370fa1adbdf69b7040fe0
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 19:32:01 2012 -0500

    * Remove unused bucketno argument from state_hash()
    
    We only ever had it set to NULL.

commit e927841b2d139bf9b79f25176cdd1295171fb37f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 19:10:46 2012 -0500

    * Remove USE_IPROUTE2= flag - we always require it
    
    This mostly affected _updown.klips/*.in which had two versions,
    and now only has the one based on iproute.

commit 644b780c7164a61d426bce903393dbb90c733a22
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 18:22:24 2012 -0500

    * Fix XAUTH unbound hooks again
    
    domain name and nameserver IPs got mixed up. Also sync'ed up the
    klips/mast versions to the netkey version.

commit 94921c7c6e7a498a482af9adfa703c8a9daad645
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 14:00:19 2012 -0500

    * Remove SElinux check from "ipsec verify"
    
    The policies allow a lot, and we have direct communication with the
    SElinux people when we find new issues.

commit ef442c5c79a8e8cd176147d8250673635746a1e3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 13:58:29 2012 -0500

    updated changes

commit deeaa8a662bd7054e2d8bec6516c3d99b66d33d6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 13:47:54 2012 -0500

    * SAREF: fix all patch versions to use new numbers for SAREF
    
    That is, use IP_IPSEC_BINDREF=30 and IP_IPSEC_REFINFO=31

commit 1573998a2020b2f4334d4e8328bc5f2b736d7561
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 02:12:02 2012 -0500

    * more SHA2 Trunc cleanup, re-instate accidentally lost case CD_IKELIFETIME:
    
    Also add man page that I forgot to add earlier

commit f57bd5f18b30e32b5874ced61a423733536986cf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 01:45:55 2012 -0500

    * Remove older version of sha2 trunc support

commit 31d1fc057f7097db931b459778c63fad485b9e51
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Mar 6 00:57:25 2012 -0500

    * Backwards compatibility with broken SHA2 truncation using sha2_truncbug=yes
    
    Instead of passing a fake algorithm all over the negotiation, track
    this in the connection object, and only pass the fake algorithm in
    the call to kernel_ops->add_sa(). This saves us from needing to hack
    the out_attr() proposals and re-interpreting incoming proposals.
    
    Currently, only the NETKEY stack supports this.

commit 094e119c59213f62b43b50cecae10bc14f300a14
Author: Hugh Redelmeier <hugh at mimosa.com>
Date:   Mon Mar 5 22:56:05 2012 -0500

    * ikeping: Fix for strict alias warning in ikeping.c
    
    Note: it still prints cookies in assumed host order

commit f4386d5587daebb8ae9a453fdc0b28d3771a01d5
Merge: d9cc8e2 02fdc15
Author: root <root at thinkpad.nohats.ca>
Date:   Mon Mar 5 20:33:02 2012 -0500

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan

commit 02fdc15dad830f140f8c8da8d562f190dc034485
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 5 17:28:39 2012 -0500

    * SHA2: Improvements on commit d7694d3a8db2e358dbd911a4138ed63926b86f3d
    
    - This fixes / updates various isakmp registry values
    - Translate sha2_256-96 to sha2_256_trunc-256
    - Instead of using 61440 for our private use value, use 252 (since there is
      confusion about sadb vs aalg being 2 vs 1 octet and these two are mapped
      with functions like alg_info_esp_sadb2aa() / alg_info_esp_aa2sadb2()

commit 6621398dfc4f517ba4dcdd46cc09bec4ee74671b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Mar 5 14:51:15 2012 -0500

    * Fix authalg in esp_info to be u_int16_t, not u_int8_t
    
    The compiler did not warn us about this, and setting a private use
    number (61440) ended up setting just the least significant octet.
    
    Why we have auth and authalg, and those numbers being "mostly"
    authalg=auth+1 (which actually is only true for MD5 and SHA1) and
    a mapping function alg_info_esp_sadb2aa() is not entirely clear to
    me.
    
    Why alg_info_esp_sadb2aa() uses a switch(sadb_aalg) with case
    values both from SADB_AALG_XXX and AUTH_ALGORITHM_XXX is even stranger

commit a41ba29c53feaeb4a38b34a8df894d38b7ab7910
Merge: d7694d3 3e25c7b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 2 19:15:18 2012 -0500

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan

commit d7694d3a8db2e358dbd911a4138ed63926b86f3d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 2 19:08:48 2012 -0500

    * Support SHA2-256 with proper 128 and broken 96 bit hash truncation
    
    The Linux kernel uses a broken 96 bit truncation via xfrm_algo. A
    new structure was added xfrm_algo_auth, that has an additional
    hash length truncation field one can use.
    
    However, openswan has a hard time using and passing this new option
    (as parsing esp=aessha2_256-96 will cause the "96" to be interpreted
     as key length, not hash truncation length), so instead we use a
    "private use" Authentication Algorithm named "sha2_256_trunc".
    
    Example use:  esp=aes-sha2_256_96    (or use phase2= instead of esp=)
    
    This value then needs to be correlated to the real "sha2_256"
    algorithm, before we send it out in our proposal, and we need to
    match it back to our private number on the incoming proposal.

commit d9cc8e25236317f4388759e2931fa52c23b07a98
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 2 18:33:09 2012 -0500

    * Fix loop over random_devices which tried iterating one time too often

commit 3e25c7bcac6000e3c6a4434bd598547b76778dc1
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Fri Mar 2 10:18:02 2012 -0500

    Update debian/rules to also ship the patches for Ubuntu Natty's kernel (2.6.38) and Oneiric's kernel (3.0.0).

commit 0fbb665480fe88ec7c82c8d36e48415d78b79ee5
Merge: 650c2e9 ab93ec4
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Fri Mar 2 10:13:17 2012 -0500

    Merge branch 'master' of vault.openswan.org:/openswan/openswan

commit ab93ec47c7291ddc5a13597419650152e32cdd7e
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Mar 2 16:18:07 2012 +1000

    Do not return errors from parse header op
    
    The code in linux/net/packet/af_packet.c uses the return from this
    function directly for "sll->sll_halen" and things go bad if we return
    -ENODEV, as in complete system crash and burn.
    
    This happens on ppp devices and other devices without a header_op(s).
    
    Just return 0,  which is what netdevice.h does.

commit 58696dbf4b560040d42ccd219058deef4cb3bade
Merge: d0e8519 60e319d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Mar 2 15:52:24 2012 +1000

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan

commit 60e319d4272d5eab9a16390152cd8fcc17330854
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 29 22:01:21 2012 +0200

    fix XAUTH unbound integration only to query unbound pid if cisco xauth is used

commit bf5f8d667a08890532a66df8026de0ed29ed5ec7
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 29 21:15:05 2012 +0200

    fixup syntax errors from _updown.netkey

commit e23c682f9ee4a554fe5935bedc8b78f394e133b9
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 29 18:03:10 2012 +0200

    Fix typo in narrowing.xml and cleanup formatting

commit 8b55b44a6320469b53031ad06fcd2dd2bbd15a28
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 28 11:32:17 2012 -0500

    * Update manpage to list undocumented phase2=ah+esp to interop with racoon

commit 9cd2c94c41f3a2668283f9bb5a7479dad5f24fd5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 27 20:09:06 2012 -0500

    updated changes

commit 18f813b36afcab737a94392c050ccc1b548c8ea9
Author: Jonathon Padfield <jonathon.padfield at gmail.com>
Date:   Mon Feb 27 20:08:02 2012 -0500

    * SAref patch ported to linux 3.0.0 kernel

commit bc1e57cb7437abc976019959e8fd44d3ff80789f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 23 01:07:39 2012 -0500

    * XAUTH: Automatically update DNS when unbound is detected
    
    This brings us up to the latest svn unbound syntax for this feature.

commit 9b0a64ccc061ea7ed38633f84530e2cf4a4ea19a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 22 13:47:40 2012 -0500

    minor README.rfcs update

commit a6a4d734bb744df8bbc0a4fc239a0054d42ed33d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 19 23:50:29 2012 -0500

    * Make note in comment about host/network order of msgid_t
    
    The IKEv2 code was doing it badly, mixing up what was host and what
    was network order. We will change this type from rt_raw so that the
    packet marshalling code in out_struct() and in_struct() will deal
    with it properly for us. For now we tried to reduce the ntohl/htonl
    calls by making it host order for ikev2

commit 00369122aa2f2b3524246cf0ddb6ad6a2d0c7177
Merge: 8c67f52 2eef471
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 19 23:16:21 2012 -0500

    Merge branch 'ikev2_ts'

commit 8c67f520370acdd87408cca8770df7241be613b2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 17 10:04:27 2012 -0500

    * updated changed

commit b44418272c1fbd686cb4e7ca860494664270a04b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 17 09:59:14 2012 -0500

    * Rip out the ISAKMP_NEXT_NATD_BADDRAFTS / NAT_TRAVERSAL_OSX hack
    
    This was probably needed before OSX/iOS supported the RFC properly,
    and we had to override it. Now, however it just caused confusion
    and broke a proper RFC compliant OSX client.

commit ff85d1de33b68259fdc5cafc3a0b97ad790ab1fa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 17 09:23:25 2012 -0500

    * NAT-T: Fix OSX clients on public IP
    
    We preferred VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE over VID_NATT_RFC.
    
    We also send more draft VIDs. We now only send the RFC VID, and the
    VID_NATT_IETF_02_N / VID_NATT_IETF_03 VIDs. The latter two are to
    support Windows XP. The rest of the world has moved on to implement
    the 7 year old RFC properly.
    
    Changed some debugging options, which will require testcase output
    updates.

commit 2eef4713dfb57bc2c6f8ebc77d4c6464aa742086
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 14 01:13:50 2012 -0500

    forgot to rename the ikev2_subnettots prototype

commit e35dc5c5d40cc0ce1740ea73b1f08578c92ee583
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 14 00:39:55 2012 -0500

    * IKEv2: fix traffic selector construction - remove duplicate code.
    
    I renamed ikev2_subnettots() to ikev2_end_to_ts() since it not only
    converts subnets, but also protocol and port range (and sets ts_type)

commit fddf777cfb9504769fdc2eeab933c647309e615e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 13 22:46:20 2012 -0500

    * Attempt to flush the unbound cache for DNS domains obtained via XAUTH
    
    When we receive a domain via PLUTO_CISCO_DOMAIN_INFO, in the updown
    scripts we now check if there is a local unbound resolver running. If so,
    we flush the cache of that domain (and every subdomain of it).
    
    We do the same on disconnect of the VPN.
    
    This will ensure that unbound does not have internal IP entries in its
    cache when dropping the VPN.
    
    Note that we are waiting on unbound to finish implementing the method:
    
    unbound-control forward_zone redhat.com 1.2.3.4 5.6.7.8
    
    That way, once we connect the VPN, we can dynamically reconfigure unbound
    to forward all queries for the PLUTO_CISCO_DOMAIN_INFO to the servers
    we received in $PLUTO_CISCO_DNS_INFO.
    
    This will even work when using multiple tunnels to different domains!
    
    A similar updown script should be written for pppd to ship with xl2tpd,
    so it does the same for IPsec/L2TP connections.

commit 1a7f3e6331929a5be41cdf496086142ce290d72a
Merge: a500d38 b246a96
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 13 21:57:24 2012 -0500

    Merge branch 'master' into ikev2_ts
    
    Conflicts:
    	programs/pluto/ikev2.c

commit b246a96de07fa95766474813b16b7d4ebb7f01de
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 13 21:54:48 2012 -0500

    * IKEv2: log unexpected isakmp protoid in received informational delete

commit b65ebad6c9cd51fe93ad4d974c98d70eb435b506
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 13 21:51:00 2012 -0500

    * IKEv2: increment msgid before using it in process_informational_ikev2()

commit b96cdbcb9ca3b248aa6577163df3f94db314b60d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 11:27:06 2012 -0500

    * IKEv2: Adding informational exchange [Avesh]

commit 1985137890bed94b16e914c5a4c4e61a454ca18c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 13 11:32:52 2012 -0500

    * security_selinux.[ch] were not committed in previous Labeled IPsec commit

commit a500d3836ab849749476f1b27a1a45b5b3c65853
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 13 11:32:52 2012 -0500

    * security_selinux.[ch] were not committed in previous Labeled IPsec commit

commit b60ed0e7619fa3193a5af425d2604d5b200c1b08
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 23:09:36 2012 -0500

    * Added Labeled IPsec (Requires selinux, disabled by default)
    
    This merges in Red Hat's patches:
    - openswan-labeled-ipsec.patch
    - openswan-711975.patch

commit 13d4f0ad5c7ac380cdbb909dd54bb7d933c1dc33
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 23:09:36 2012 -0500

    * Added Labeled IPsec (Requires selinux, disabled by default)
    
    This merges in Red Hat's patches:
    - openswan-labeled-ipsec.patch
    - openswan-711975.patch

commit d478ac619004ce2162a64ac6b7435db72e1e1b56
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 22:39:29 2012 -0500

    * IKEv1 fixes to XAUTH/ModeCFG rekey #rhbz658253-658121 [Avesh]
    
    Changed from the RHEL patch to not blindly delete IPs, as we might
    have other reasons to set a SOURCEIP. So only delete when the remote
    peer is of type cisco (eg xauth/modecfg)

commit 5f918b51038b0ad81ec45d16fbad4a5d5b981124
Merge: 3dde6ae c22b1aa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 21:36:41 2012 -0500

    Merge branch 'master' into ikev2_ts
    
    Conflicts:
    	include/pluto_constants.h
    	lib/libopenswan/constants.c
    	programs/pluto/ikev2_parent.c
    	programs/pluto/plutomain.c
    	programs/pluto/whack.c

commit 3dde6ae5e6453550148e8f2b32e5aeeed1c50ab9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 21:28:13 2012 -0500

    * IKEv2: return v2N_TS_UNACCEPTABLE when appropriate
    
    if traffic selector narrowing is needed but not allowed, or if
    the narrowing is not supported (non CIDR network) or the narrowing
    violates our local policy, return v2N_TS_UNACCEPTABLE.
    
    (I don't think this makes it up the call chain properly yet)

commit c22b1aaef827e573f83326e88dcaa25b13b35bda
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 21:16:18 2012 -0500

    * IKEv2: increment isa_msg when sending ISAKMP messages.
    
    Added void increment_st_msgid(struct state *st) which is called
    before setting n_hdr.isa_msgid on outgoing messages.
    
    Retransmits re-use the built message, so these are not incremented.
    
    We remember the stored incremented value in st->st_msgid_nextuse
    (which was already part of the struct, but never incremented)

commit 78b07fc196ea786ea4f7630ecb8a098a29b3999e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 21:16:18 2012 -0500

    * IKEv2: increment isa_msg when sending ISAKMP messages.
    
    Added void increment_st_msgid(struct state *st) which is called
    before setting n_hdr.isa_msgid on outgoing messages.
    
    Retransmits re-use the built message, so these are not incremented.
    
    We remember the stored incremented value in st->st_msgid_nextuse
    (which was already part of the struct, but never incremented)

commit aed7f2765789e45f9c80efb0089c64c1d782e3ea
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 19:21:51 2012 -0500

    fixup

commit 17324fcddefd48c540ca26a11e5499bc47d43e65
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 19:09:44 2012 -0500

    * IKEv2: incorporate some of the POLICY_IKEV2_ALLOW_NARROWING checks.

commit 1be435aa4afc7caee3d22fc5c9da037416a06881
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 17:30:49 2012 -0500

    * IKEv2: Added narrowing=<no|yes> option for IKEv2 narrowed Traffic Selectors
    
    See "man ipsec.conf" for details. See also RFC-5996 Section 2.9
    http://tools.ietf.org/html/rfc5996#section-2.9

commit 774c9a770a73b510e92928afaea97e1a44f25d5b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Feb 12 00:25:01 2012 -0500

    * Added another work around for the 6in6 testcase regarding connaddrfamily
    
    This time for westnet-eastnet-6in6

commit 5b46e79d807e4ac66132d708b6d1b909f655e325
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 11 22:24:09 2012 -0500

    * Rewrite ipsec.conf.common to work around connaddrfamily issues
    
    connaddrfamily= gets confusing via many also= loads because in some
    cases it cannot and in some cases it should be there. It should really
    be phased out. Once we know left/leftsubnet/right/rightsubnet, we
    can deduce the connaddrfamily. Though a little more complicated on %any
    and %defaultroute conns.

commit b17888348f6c81c397b829cff783922362666238
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 22:05:39 2012 -0500

    * subnet checks for traffic selectors, and instantiation framework
    (though latter still disabled)

commit 264fcee6c0aa42f78f5a5ece21c7c986f566ff7a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 21:36:46 2012 -0500

    * ikev2 instantiation for traffic selector test

commit 19bdd50171bd0b6cefec7905669bc07d516503dd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 20:00:51 2012 -0500

    ikev2.c cleanup

commit d502b3ead6d5d5bcdcb439441029f5b05191d3d9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 19:56:47 2012 -0500

    comment out wrong spot

commit 6f943cc83ed0d8fa5cedf673fa2bc9b2b737f47a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 18:36:00 2012 -0500

    * initial ISAKMP_NEXT_v2TSr payload processing

commit 4d46213bf0e404c0b92d8f3f48c27ef46d23e329
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 16:28:51 2012 -0500

    * fix narrow code

commit b09cf232467a19b8086a0a0a6a265bd3cbd13904
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 16:22:08 2012 -0500

    * length is in bytes, not bits.

commit 0864b8720fff9c4a978918d392a356000e050334
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 15:33:44 2012 -0500

    * IKEv2: Fix Traffic Selector length

commit 5e7819d587b4f80179ce8aac840a4903aeb6c6cf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 15:23:43 2012 -0500

    * IKEv2: Reflect desc name with that the TS payload is singular

commit 0ee3071be0cb00d30c6d3e834d96ba508bb4ce7e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 15:15:47 2012 -0500

    * IKEv2: Fix traffic selector endport and set ts_i as well as ts_r
    
    If our port is 0, use 65535 as the endport. Depending on whether we
    were initiator or responder, we were still not setting some traffic
    selector settings

commit 11d44c3204781e6031ec8bc10d4f048f1037974d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 14:43:42 2012 -0500

    * IKEv2: ikev2_calc_emit_ts() needs to set TS type for both ends.

commit 3c7b8e7d27bd292631e867e3dc1ef982dc83c7dd
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 14:33:42 2012 -0500

    * IKEv2: ikev2_calc_emit_ts() was not setting the Traffic Selector type

commit 6fd6ff3547869b57e650b74930b8630678231818
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 14:02:24 2012 -0500

    * IKEv2: missed one AF_INET conversion case in ikev2_emit_ts()

commit 928eac2cb80074d838bc2242944ef95c3d990dc6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 12:50:08 2012 -0500

    * IKEv2: Use IKEv2, not IKEv1 or sin_family traffic selector values
    
    Do not use ID_IPV4_ADDR_RANGE or sin_family, as these do not map one
    to one to the IKEv2 Traffic Selector type.
    
    The code wrongly assumed IKEv2_TS_IPV4_ADDR_RANGE == ID_IPV4_ADDR_RANGE == AF_INET
    
    I changed the name of traffic_selector.sin_family to
    traffic_selector.ts_type to make that more obvious.

commit 0c9d43a4f611c4c047ff58a0bbc41b64f71ec5c8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 11:42:11 2012 -0500

    * IKEv2: fix previous commit - clear the mdp pointer.

commit 6e495ca7a49dc93c24237bd3fe5a671683bd5aaf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 11:42:11 2012 -0500

    * IKEv2: fix previous commit - clear the mdp pointer.

commit fce7fa0c87bd468df4242e19128eca6a884f6fee
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 10:50:29 2012 -0500

    * Added testcase for IKEv2 nhelper problem (commit eabf83639)

commit 05edc7769f4c962012fb00e1102dedd01fb5f23a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 10:41:54 2012 -0500

    * IKEv2: Initiating IKEv2 with nhelpers=0 failed
    
    This was caused by a special STF_INLINE case in process_v2_packet()
    that claimed:
    
    case STF_INLINE:
        /* this is second time through complete
         * state transition, so the MD has already
         * been freed.
         */
        *mdp = NULL;
        break;
    
    As a result, we never called success_v2_state_transition(mdp)
    
    I am not sure what this code intended to do, as AFAIK, there
    would never be two passes for STF_INLINE. Perhaps this was meant
    for one of the other states, like STF_SUSPEND or STF_TOOMUCHCRYPTO?

commit 8948cad07b93c8e42ea40c8a446b41bbe917e90c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 10:50:29 2012 -0500

    * Added testcase for IKEv2 nhelper problem (commit eabf83639)

commit eabf83639bde020d5267be8f8e0c70604cfad965
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 10:41:54 2012 -0500

    * IKEv2: Initiating IKEv2 with nhelpers=0 failed
    
    This was caused by a special STF_INLINE case in process_v2_packet()
    that claimed:
    
    case STF_INLINE:
        /* this is second time through complete
         * state transition, so the MD has already
         * been freed.
         */
        *mdp = NULL;
        break;
    
    As a result, we never called success_v2_state_transition(mdp)
    
    I am not sure what this code intended to do, as AFAIK, there
    would never be two passes for STF_INLINE. Perhaps this was meant
    for one of the other states, like STF_SUSPEND or STF_TOOMUCHCRYPTO?

commit a9b5bc08119c418f6b08f3901d6f84992093e9f5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 10 00:16:58 2012 -0500

    * undo most debugging I added. I keep breaking this fragile code with it :(

commit 7f27badc1dfc3374c9abcd541210280b6b5fecfe
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 22:59:54 2012 -0500

    merge to partially old :(

commit 434d1dec1f57698b2907617d2323b51ea6e98564
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 20:17:28 2012 -0500

    sync avesh/paul cookie/msgid

commit 3f416172acd91a9c6182f1aa6e78503f80ae953c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 17:14:35 2012 -0500

    * IKEv2: Add more msgid logging

commit 07589afaa993fd2370ddf0f985be4314dd48122f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 15:00:38 2012 -0500

    * Added --impair-send-bogus-isakmp-flag option for testing
    
    This option causes pluto to send packets using a RESERVED ISAKMP
    flag, currently defined as ISAKMP_PAYLOAD_OPENSWAN_BOGUS.
    
    See testing/pluto/ikev2-isakmp-reserved-flags-*

commit b2314e50ddb4e484504f2ffb6bcf3266d2ce2566
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 14:56:10 2012 -0500

    * Added two testcases for sending a RESERVED ISAKMP payload flag.
    
    The console output for these still needs to be corrected

commit 611daa837c93d8c4ed021b7e5ce625f4b765fceb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 13:01:20 2012 -0500

    * Fixup of previous impair-retransmit commit, move attempts to max
    
    This will cause the state to be deleted as final failure.
    This also fixes displaying "impair-retransmits" in ipsec auto --status

commit 59ed64b359eb59be35c4cf970a8bc1a6f05a6f93
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 13:01:20 2012 -0500

    * Fixup of previous impair-retransmit commit, move attempts to max
    
    This will cause the state to be deleted as final failure.
    This also fixes displaying "impair-retransmits" in ipsec auto --status

commit 650c2e9f0cb79446e069a93a150f96d087d0b502
Merge: 80c8095 c52718d
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Thu Feb 9 12:26:24 2012 -0500

    Merge branch 'master' of vault.openswan.org:/openswan/openswan

commit c52718d69a36aa5b09d8b14b35b06da57a2fa38d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 12:20:10 2012 -0500

    * Added --impair-retransmits to prevent pluto from retransmitting IKE packets
    
    During testing when reading lots of logfiles, it is often useful to
    suppress retransmits of IKE packets to avoid cluttering the logs with
    retransmit data (or running an ipsec auto --down connname)
    
    As with other impair functions, you can activate this dynamically using:
    
    ipsec whack --impair-retransmits
    
    or by specifying --impair-retransmits as argument to pluto,
    
    or by adding plutoopts="--impair-retransmits" to 'config setup' in ipsec.conf

commit 6c988cc030fc2da21085c9ea96d693599b1687eb
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 12:20:10 2012 -0500

    * Added --impair-retransmits to prevent pluto from retransmitting IKE packets
    
    During testing when reading lots of logfiles, it is often useful to
    suppress retransmits of IKE packets to avoid cluttering the logs with
    retransmit data (or running an ipsec auto --down connname)
    
    As with other impair functions, you can activate this dynamically using:
    
    ipsec whack --impair-retransmits
    
    or by specifying --impair-retransmits as argument to pluto,
    
    or by adding plutoopts="--impair-retransmits" to 'config setup' in ipsec.conf

commit 9ece4207002ed8b9c151315720fc7c4d17bddac4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 9 11:13:44 2012 -0500

    * IKEv2: fix cookies (IKE SPI) handling - msgid handling needs work

commit 80de47d072d1b379dd3791b3dbbca6af66b1db75
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 23:07:28 2012 -0500

    * X509: Fix cert_defaultcertpolicy to reflect reality of cert_alwayssend
    
    Our default policy for sending certificates apparently is to always
    send it (which is questionable IMHO) but the cert_defaultcertpolicy
    define reflected the old situation of cert_sendifasked.

commit d19b6a74b1e4cd0e3848636956a8e829244292df
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 23:07:28 2012 -0500

    * X509: Fix cert_defaultcertpolicy to reflect reality of cert_alwayssend
    
    Our default policy for sending certificates apparently is to always
    send it (which is questionable IMHO) but the cert_defaultcertpolicy
    define reflected the old situation of cert_sendifasked.

commit 332ee1aa67381e1c0bca9c849d3b72397aea19d4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 19:04:28 2012 -0500

    * KLIPS: Cleanup ipsec_kversion and add support for UNAME26
    
    kernel 3.x maps to 2.6.40+x with the UNAME26 patch.
    
    Without this, compilation of "2.6.41" fails on my old Fedora 14 system
    because HAVE_NETDEV_PRIV was only set for >= KERNEL_VERSION(3,1,0)

commit 81f27a590c03b92993775524c3e783998e6560e5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 19:04:28 2012 -0500

    * KLIPS: Cleanup ipsec_kversion and add support for UNAME26
    
    kernel 3.x maps to 2.6.40+x with the UNAME26 patch.
    
    Without this, compilation of "2.6.41" fails on my old Fedora 14 system
    because HAVE_NETDEV_PRIV was only set for >= KERNEL_VERSION(3,1,0)

commit f218f3287cbe685293fe22bbe80a91d85eb7a31e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 17:03:29 2012 -0500

    * OSX: Delete old compiled .a files from source tree

commit e8963ab153b51d54270aeeeb5a956c20c5f260cf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 17:10:50 2012 -0500

    * IKEv2: Disentangle IKEv2 notifications from IKEv1
    
    We were re-using the IKEv1 notification_t for IKEv2. It was confusing,
    leads to errors and eventually conflicts in the IANA v1 and v2 registries.
    
    ikev2 code now uses v2n_notification_t, notify names all prefixed
    with v2N_

commit c0365cbf7aabb03b07d4e5984ac0cf3ac28a97e2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 17:04:06 2012 -0500

    IKEv2: Disentangle IKEv2 notifications from IKEv1
    
    We were re-using the IKEv1 notification_t for IKEv2. It was confusing,
    leads to errors and eventually conflicts in the IANA v1 and v2 registries.
    
    ikev2 code now uses v2n_notification_t, notify names all prefixed
    with v2N_

commit 4877d5dd73f0fad2be20c63a5c1f5b3e94d0e3c5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 17:03:29 2012 -0500

    * OSX: Delete old compiled .a files from source tree

commit 25514aa5274219fcb4b0f8d70fc18193509bae54
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 12:43:31 2012 -0500

    ikev2_child_sa_respond() code to narrow the connection. still needs
    instantiation?

commit 056664579ec4f76044fa6029e095d1179e99af4e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 12:42:29 2012 -0500

    * add TSI/TSR markers for logs

commit e315133ce52d79d7047e9d074dc002217817eb20
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 12:01:46 2012 -0500

    * Lingering whitespace / logline change

commit d00431a39c783d3cdc4948c9d57504ff5d329a00
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 11:50:31 2012 -0500

    * Fix pointer cast to const for check_expiry_msg in list_public_keys()

commit c27ac464daecbb475079042382ae25fa69103538
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 11:49:38 2012 -0500

    * Fix pointer cast for dc.ptr in ikev2_parent_inI1outR1_tail()

commit 6217842485076b0b9d2c6089078ff333a74e0117
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 8 10:24:26 2012 -0500

    * Fix pointer reference to ikev2_ts_type_name
    
    (and testing the new commits mailing list and CIAbot)

commit be0ef9a9ee1eda8e650448441dcf746ef6bddb4a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 7 23:52:20 2012 -0500

    * Added missing names for impair-*-version-bump to debug_bit_names

commit 9c1e1188fc0d5216273d11068525ef73e36413ed
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Feb 7 20:34:40 2012 -0500

    * Added testcase ikev2-algo-04-aes-gcm

commit e8deec22eb9fa5007d96a4a5d95fe505d04daa3c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 6 19:57:24 2012 -0500

    * IKEv1: Fix various STATE macros (related to aggressive/xauth/modeconfig)
    
    - PHASE1_INITIATOR_STATES was missing XAUTH and ModeCFG initiator states
    - IS_PHASE1_INIT(s) was missing above states too, as well as having a bogus
      STATE_AGGR_R2 state included.
    - IS_ISAKMP_AUTHENTICATED(s) was not excluding STATE_AGGR_R0/STATE_AGGR_I1
    - IS_ISAKMP_SA_ESTABLISHED(s) was missing STATE_MODE_CFG_I1
    - ISAKMP_SA_ESTABLISHED_STATES was missing STATE_MODE_CFG_I1
    
    Thanks to Henrik Langos <hlangos-openswan at innominate.com> for pointing out
    these had gotten out of sync.

commit 39516bf8c41bf2d929eeb6762e0c23740cdb639c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 6 17:40:10 2012 -0500

    * remove trailing whitespace

commit 99eb12bf15b60b430a9ca17e3e6f3a81480f3e3d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 6 17:39:07 2012 -0500

    * ikev2-07-biddown was missing from the TESTLIST

commit 6c2127c7d3e2f1b12edac615a93f179a1f60723a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Feb 6 17:38:33 2012 -0500

    * Added testcase ikev2-08-delete-notify

commit e864f72ae1e7cdfd98e4e643d60dae460be75911
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Mon Feb 6 17:19:36 2012 -0500

    * IKEv2: Add support for IKEv2 Delete Payload

commit 596399f83d26ffb7ffd9521f8d1a1843af2f6fde
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 4 23:28:47 2012 -0500

    * Fix possible memory leak of qke in quick_outI1()

commit d4b780f057019efd399ac668452cb056eb68469b
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Feb 4 21:22:09 2012 -0500

    * Fix typo in commented out example for -DLEAK_DETECT<I>VE

commit b6d6b1ea241fece90955f0052d1ac9444a043435
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Feb 4 21:13:40 2012 -0500

    * Fix leaking a ipsec_conf_dir

commit 24a65233d591ab94e1410f4dd0eccf1627f5a155
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Feb 4 19:51:38 2012 -0500

    * Removed a chunk of #if 0 code

commit 67fd54d1940a00d666f24c020029de21c713b661
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 4 18:23:16 2012 -0500

    * Fix memory leak of dirent filelist in load_crls()

commit 708f715f76e268ac997267710f270b79f6d4f21c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 4 18:17:32 2012 -0500

    * Fix memory leak of dirent filelist in load_acerts()

commit 56f6cda26c4c18ee749c5fad96dd4b848281bb81
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Feb 4 17:50:44 2012 -0500

    * Fix possible memory leak in showhostkey

commit 575712309381bb2f401000b661f199a634f4e6a8
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Feb 3 19:56:32 2012 -0500

    * KLIPS: Fix jiffies wrapping problems
    
    Here's a patch to fix a jiffies wrapping problem.  On 32bit systems
    with current kernels jiffies wrap 5 minutes after booting.  Any tunnels
    that are brought up before the wrap are affected.  The time values in
    /proc/net/ipsec_spi become bogus (very large) after the wrap.
    
    I went through and found any other jiffies calculations I thought needed
    work while there

commit 1c8048b915b0f2e5d049e772917bca1233706fbc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 17:39:50 2012 -0500

    * DPD: DPD failed within certain XAUTH/ModeConfig states
    
    ISAKMP_SA_ESTABLISHED_STATES did not contain all valid states, and
    was mismatched with IS_ISAKMP_SA_ESTABLISHED(s)
    
    Found by Henrik Langos and Murat Sezgin

commit 2e1d84636e40398545d9f4d1cdc4e3cdb07bd667
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 17:32:21 2012 -0500

    * XAUTH: Allow compiling aggressive mode without xauth

commit 77edda35f91ad11725e299aad70a2be971a6c60c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 16:45:11 2012 -0500

    * XAUTH: Send notification on bad ModeCFG exchange packet [David]

commit 6d20132d00f04442e846f9277a7747b1d1d3b7aa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 16:38:10 2012 -0500

    * DPD: Don't log a "took too long -- replacing phase 1" for each pending phase 2
    
    This also ends the loop on the first stuck phase2. No need to keep looping

commit 01b37fd0d1d3ba5b29d63515fce3e1d81e6a7596
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 16:30:20 2012 -0500

    * Fix DPD logline to tell the truth about pending + dpd time
    
    It did not take the "3x" into account.

commit ba489c8204fd2e5844e49d41df8fb36a634278dc
Merge: e5ec369 500976b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 02:56:31 2012 -0500

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan
    
    Conflicts:
    	programs/pluto/ikev2.c

commit e5ec36944252d49d666b07d0d12644c58df32b28
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 02:53:22 2012 -0500

    * Fix connection struct leak when getting bogus proposals
    
    Such as AH+ESP or neither. or esp/ah without any transforms.

commit 500976b80b06abdc696f0b2a6f9153c05e4dec0e
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 01:35:59 2012 -0500

    * Fix comment at duplicate_state() to reference IKEv2 as well

commit 069e35d7e0bf195d0a3c893f52e50596e1185631
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 01:33:56 2012 -0500

    * IKEv2: in ikev2_parent_inR1outI2_tail() copy idprotoid and ports in ts
    
    On the initiator, also copy our protoport policy into an IKEv2 Traffic
    Selector Payload. Note that we only support "all ports" or a single port.

commit 35bd957a0dd191fdc649b7e2826da32140a5e13f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 01:29:09 2012 -0500

    * IKEv2: If finding a better matched conn, copy ipprotoid into traffic selector
    
    When switching to a better connection bsr in  ikev2_child_sa_respond(),
    also copy the ipprotoid into the IKEv2 traffic selector payload

commit b15269bb5a0effa49b600c2aade86322e4189397
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 01:24:11 2012 -0500

    * IKEv2: ikev2_evaluate_connection_fit() also checks protocols and port ranges
    
    And logs these as well when testing for a better fit.

commit fa5a8149d6e8bcc66a0670c6a8271dc9818a287b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 01:09:36 2012 -0500

    * IKEv2: If responder narrows proposal, update Traffic Selector payload.
    
    See http://tools.ietf.org/html/rfc5996#section-2.9
    
       When the responder chooses a subset of the traffic proposed by the
       initiator, it narrows the Traffic Selectors to some subset of the
       initiator's proposal (provided the set does not become the null set).
    
    The function ikev2_port_in_range() was added to deal with the strange
    situation of port ranges. We can only specify one number, which means
    "all ports". Port ranges of 0-65535 and 0-0 both mean "all ports".
    
    In ikev2_calc_emit_ts() when we are RESPONDER, we narrow the traffic
    selectors with protocol and port ranges. Matching on more-specific
    subnet ranges was already done by picking the best connection.
    
    Note that we currently have no way of specifying a non-all range of
    ports via our configuration. We log a warning if we see these in
    the traffic selector,
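The narrowing rule from the commit message above (RFC 5996 section 2.9), as an added example that is not libreswan code: the responder intersects the proposed selector with its own protocol/port policy and refuses when the result would be the null set. The `ts`, `policy` and `narrow_ts` names and the sample selectors are hypothetical; the single-port policy with 0 meaning "all ports", and 0-0 being read like 0-65535, follow the commit message.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model: one proposed traffic selector and a local
 * policy that, as in the commit message, holds a protocol and ONE port
 * number, where 0 means "any protocol" / "all ports". */
struct ts { uint8_t ipproto; uint16_t startport; uint16_t endport; };
struct policy { uint8_t ipproto; uint16_t port; };
struct narrowed { int ok; struct ts ts; };

/* Constructed sample selectors and policies. */
const struct ts PROPOSED_ANY       = { 0, 0, 65535 };
const struct ts PROPOSED_UDP_ZERO  = { 17, 0, 0 };       /* 0-0 also means all ports */
const struct ts PROPOSED_TCP_RANGE = { 6, 1000, 2000 };
const struct policy POLICY_SSH      = { 6, 22 };
const struct policy POLICY_TCP_1500 = { 6, 1500 };
const struct policy POLICY_UDP_ANY  = { 17, 0 };

/* Both 0-65535 and 0-0 are treated as "all ports". */
static int ts_all_ports(struct ts t)
{
    return t.startport == 0 && (t.endport == 0 || t.endport == 65535);
}

/* Intersect the proposal with local policy. ok == 0 means the intersection
 * is empty (or the proposal is malformed) and nothing may be installed. */
struct narrowed narrow_ts(struct ts proposed, struct policy pol)
{
    struct narrowed r = { 0, { 0, 0, 0 } };

    if (proposed.startport > proposed.endport)
        return r;                       /* inverted range: reject */

    /* Protocol: 0 on either side is a wildcard, otherwise they must agree. */
    if (pol.ipproto != 0 && proposed.ipproto != 0 &&
        pol.ipproto != proposed.ipproto)
        return r;
    r.ts.ipproto = pol.ipproto != 0 ? pol.ipproto : proposed.ipproto;

    if (pol.port == 0) {
        /* We allow all ports: keep the peer's range, normalising 0-0. */
        r.ts.startport = ts_all_ports(proposed) ? 0 : proposed.startport;
        r.ts.endport = ts_all_ports(proposed) ? 65535 : proposed.endport;
    } else if (ts_all_ports(proposed) ||
               (pol.port >= proposed.startport &&
                pol.port <= proposed.endport)) {
        /* Our single port lies inside the proposal: narrow to it. */
        r.ts.startport = pol.port;
        r.ts.endport = pol.port;
    } else {
        return r;                       /* our port is outside the proposal */
    }

    r.ok = 1;
    return r;
}

static void show(const char *label, struct ts p, struct policy pol)
{
    struct narrowed r = narrow_ts(p, pol);

    if (r.ok)
        printf("%-28s -> proto %u ports %u-%u\n", label,
               (unsigned)r.ts.ipproto, (unsigned)r.ts.startport,
               (unsigned)r.ts.endport);
    else
        printf("%-28s -> null set, refuse\n", label);
}

int main(void)
{
    show("any/0-65535 vs tcp/22", PROPOSED_ANY, POLICY_SSH);
    show("udp/0-0 vs tcp/22", PROPOSED_UDP_ZERO, POLICY_SSH);
    show("udp/0-0 vs udp/all", PROPOSED_UDP_ZERO, POLICY_UDP_ANY);
    show("tcp/1000-2000 vs tcp/1500", PROPOSED_TCP_RANGE, POLICY_TCP_1500);
    show("tcp/1000-2000 vs tcp/22", PROPOSED_TCP_RANGE, POLICY_SSH);
    return 0;
}
```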

commit 9803e08790d001f44f6ce26001e1bc81b9d52404
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 00:58:49 2012 -0500

    * IKEv2: Also log protocol and port ranges on tunnel establishment

commit ec23e39d96e2c636223b436aad91e6245bae7354
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 00:42:48 2012 -0500

    * IKEv2: Don't try to out_raw() a v2 notification payload that's empty

commit 3ab6cd44b050a57ca11cbf384d6fc883052aa59a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 00:24:57 2012 -0500

    * Fix typo Notifiy -> Notify

commit dc61f0e433546b26f0b4b843e5639b0b1ad49aaa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Feb 3 00:13:29 2012 -0500

    * IKEv2: Fix crash on max number of retransmissions reached STATE_PARENT_I2
    
    In ipsecdoi_replace() there is a check for the kind of state we are in to
    see if we should save some partial policy we got out of the connection so
    far into the state. It did not account properly for the STATE_PARENT_I2
    and so it thought it had more policy than there really was, hitting a
    passert.
    
    This showed up as:
    
    [root at oswtest1 openswan.git]# ipsec auto --up test
    133 "test" #3: STATE_PARENT_I1: initiate
    133 "test" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
    134 "test" #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
    010 "test" #4: STATE_PARENT_I2: retransmission; will wait 20s for response
    010 "test" #4: STATE_PARENT_I2: retransmission; will wait 40s for response
    [...]
    010 "test" #4: STATE_PARENT_I2: retransmission; will wait 40s for response
    031 "test" #4: max number of retransmissions (20) reached STATE_PARENT_I2.  Possible authentication failure: no acceptable response to our first encrypted message
    000 "test" #4: starting keying attempt 1 of an unlimited number, but releasing whack
    
    At this point it would hit the passert.

commit b6fad7871090b58ca38ac909b36ef2d92166dd08
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 2 23:23:59 2012 -0500

    * IKEv2: Allow notification messages with empty Notification Data
    
    I am not sure why we did not allow this. When one side rebooted and
    a retransmit came in for a lost IKE SPI, we would not send the notify
    message because we had no Notification Data to add to the notify error
    of type v2N_INVALID_MESSAGE_ID.
    
    Note: Shouldn't that error be IKEv2_INVALID_IKE_SPI ?

commit 4c00dda5888fab2761a1030a73a59e84e8369e00
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 2 22:41:56 2012 -0500

    * IKEv2: Added traffic selector type names
    
    IKEv2 traffic selector lookup was erroneously using ident_names
    causing it to log lines talking about ID_FQDN like:
    
    | ******emit IKEv2 Traffic Selectors:
    |    TS type: ID_FQDN
    |    IP Protocol ID: 0
    |    start port: 0
    |    end port: 0

commit 8d0a2e528c3a56d2f9d38d06e406aad83845048a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Feb 2 20:36:57 2012 -0500

    * Remove bogus log "received packet that claimed to be  both (I)nitiator and (R)esponder"
    
    The icookie (initiator IKEv2 SPI) is always set. The rcookie is set on all but
    the first packet. Whether one is initiator or responder can only be found out
    via the state belonging to the set of icookie/rcookie.

commit 58d824857ca27a4b16794eda18733e0f5d8ce447
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Feb 1 22:59:09 2012 -0500

    * IKEV2: log proto and port range in "negotiated tunnel" message.

commit 11dd79702be4c3733bd3f55ab900259713b68277
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 31 17:45:00 2012 -0500

    * fix protoport typo in testcase

commit 585cbc02590f6309a4f5ed87d3361814c2142322
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 31 17:39:15 2012 -0500

    * Fix ikev2-allow-narrow-01 testname in west/eastinit.sh

commit 0614e961a9b49d6e12d9538d45779647c01ec4bf
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 31 17:19:49 2012 -0500

    * Updated TESTLIST

commit 06611aaf67546ee9ec25dff5e2ebddab572de4f7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 31 17:19:32 2012 -0500

    * testing: Add ikev2-allow-narrow-01 testcase

commit fd17890d81ebfa1bb5026fa01001dc96c49c5c5a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 31 17:10:08 2012 -0500

    * Updated CHANGES

commit 25f454e20185b494a5034c393295efe36ecdf16c
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Jan 31 17:04:59 2012 -0500

    * Handle leading zeroes in DH keys
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit a99a35bbd204b554f352a304336417cf99daf8a8
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Jan 31 17:01:08 2012 -0500

    * IKEv2: IKE-SA_INIT with INVALID_KE_PAYLOAD Notify Payload should continue
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 539668755f76b3d1fe93273dd9d4a1a4df87cfa6
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Jan 31 16:43:21 2012 -0500

    * IKEv2: incorrectly sent PAYLOAD_MALFORMED on unknown minor version
    
    See: http://tools.ietf.org/html/rfc5996#section-2.5
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>

commit 463529cf9a7d295c62f0b9e821937a9cd25a46da
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Jan 31 16:39:35 2012 -0500

    * IKEv2 should ignore unknown RESERVED bits in payload
    
    The critical bit was compared as a byte instead of a bit. This led to
    failing to ignore non-critical new flags.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>
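The difference between testing the flags octet as a byte and testing only the Critical bit, as an added example that is not libreswan code. It walks a constructed IKEv2 payload chain using the generic payload header from RFC 5996 section 3.2; the function names, the sample messages and the exact shape of the byte-wise check (`flags != 0`) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5996 section 3.2 generic payload header:
 *   octet 0     Next Payload
 *   octet 1     C (critical) bit in the top bit, then 7 RESERVED bits
 *   octets 2-3  Payload Length, header included, network byte order */
#define PAYLOAD_CRITICAL_BIT 0x80u
#define V2_FIRST_KNOWN 33u   /* SA  */
#define V2_LAST_KNOWN  48u   /* EAP */

enum walk_result { WALK_OK, WALK_UNSUPPORTED_CRITICAL, WALK_MALFORMED };
struct walk_report { enum walk_result result; unsigned skipped; };
typedef int (*critical_fn)(uint8_t flags);

/* Assumed shape of the defect: the whole octet is read as the flag, so any
 * RESERVED bit set by a newer peer looks like "critical". */
int is_critical_bytewise(uint8_t flags) { return flags != 0; }

/* Corrected check: only the C bit counts, RESERVED bits are ignored. */
int is_critical_bitwise(uint8_t flags)
{
    return (flags & PAYLOAD_CRITICAL_BIT) != 0;
}

/* Constructed samples: an SA payload (type 33) followed by an unknown
 * payload of type 200. Only the second payload's flags octet differs. */
const uint8_t MSG_RESERVED_FLAG[] = {
    200, 0x00, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef,  /* SA, next = 200     */
    0,   0x01, 0x00, 0x06, 0xaa, 0xbb               /* RESERVED bit set   */
};
const uint8_t MSG_CRITICAL[] = {
    200, 0x00, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef,  /* SA, next = 200     */
    0,   0x80, 0x00, 0x06, 0xaa, 0xbb               /* C bit set          */
};

/* Walk the chain. Unknown payloads are skipped unless marked critical;
 * every length is checked against the remaining bytes before it is used. */
struct walk_report walk_payloads(uint8_t first_type, const uint8_t *buf,
                                 size_t len, critical_fn is_critical)
{
    struct walk_report rep = { WALK_MALFORMED, 0 };
    uint8_t type = first_type;
    size_t off = 0;

    while (type != 0) {
        if (len - off < 4)
            return rep;                         /* no room for a header */
        uint8_t next = buf[off];
        uint8_t flags = buf[off + 1];
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < 4 || plen > len - off)
            return rep;                         /* length lies about size */

        if (type < V2_FIRST_KNOWN || type > V2_LAST_KNOWN) {
            if (is_critical(flags)) {
                rep.result = WALK_UNSUPPORTED_CRITICAL;
                return rep;
            }
            rep.skipped++;                      /* non-critical: skip it */
        }
        type = next;
        off += plen;
    }
    rep.result = (off == len) ? WALK_OK : WALK_MALFORMED;
    return rep;
}

int main(void)
{
    static const char *names[] = { "ok", "unsupported critical", "malformed" };
    struct walk_report a = walk_payloads(33, MSG_RESERVED_FLAG,
                                         sizeof MSG_RESERVED_FLAG,
                                         is_critical_bytewise);
    struct walk_report b = walk_payloads(33, MSG_RESERVED_FLAG,
                                         sizeof MSG_RESERVED_FLAG,
                                         is_critical_bitwise);
    struct walk_report c = walk_payloads(33, MSG_CRITICAL,
                                         sizeof MSG_CRITICAL,
                                         is_critical_bitwise);

    printf("reserved bit, byte compare: %s\n", names[a.result]);
    printf("reserved bit, bit test:     %s (skipped %u)\n",
           names[b.result], b.skipped);
    printf("critical bit, bit test:     %s\n", names[c.result]);
    return 0;
}
```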

commit 2ed77db0050d738dc86cd93a7383af9adaf5c79e
Merge: b8f8c9c 7598655
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 31 00:06:56 2012 -0500

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan

commit 7598655afda55960c2681784e7135b7c977f2e15
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jan 31 00:06:34 2012 -0500

    * Updated changes

commit b8f8c9cfad5017a9aea17786cff20a608ceef72a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 30 23:42:10 2012 -0500

    * Implement sending higher IKEv2 major and minor versions
    
    This is used for testing interop compliance with RFC5996 Section 2.5
    See http://tools.ietf.org/html/rfc5996#section-2.5
    
    We currently send 3 for a fake major version and 1 for a fake minor
    version. This needs to be updated once such versions actually exist.
    
    This is used by testcases ikev2-major-* and ikev2-minor-*
    
    Note that this also fixed processing DBGOPT_IMPAIR_JACOB_TWO_TWO, as
    that option was mistakenly left out when DBGOPT_LAST was not updated
    when DBGOPT_IMPAIR_JACOB_TWO_TWO was added after DBGOPT_IMPAIR_DIE_ONINFO

commit ed266324a062127f04cbb928419f798a2e90053d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 30 23:40:31 2012 -0500

    * Fix comment typo in version

commit 8de58065845f1e74b55280f3cb7000c8e990022b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 30 21:58:59 2012 -0500

    * Add 4 test cases for major/minor version number mismatches in IKEv2
    
    This is to test http://tools.ietf.org/html/rfc5996#section-2.5
    
    It uses two new options to pluto's whack:
    
    --impair-major-version-bump
    --impair-minor-version-bump
    
    These options will make pluto increase the major or minor number.
    Tests run for major/minor increase on both responder and initiator.
    
    No actual new message type for the hypothetical new version is tested.
    Once IKEv2.1 actually is released, such a test should be added.

commit 82931b769ba04bf9497eb669dec51558cf47787d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 27 17:46:24 2012 -0500

    * Updated the htpasswd references to include mentioning DES
    
    On some systems, htpasswd -d instead of htpasswd -m had to be used
    for htpasswd file based authentication (XAUTH without PAM)

commit 86d5adf6f3428866061684a5d0a5bef6f24e8c6b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jan 27 10:54:53 2012 -0500

    * Remove old RCSID references from openswan-1 CVS and earlier

commit e312abd86ac799ff77674df882d5a249eacc8c43
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jan 26 19:47:08 2012 -0500

    * Added some comments and IETF references

commit cbaa91192f4ec370ba6981050db19ab831c904f0
Author: Paul Wouters <paul at nohats.ca>
Date:   Fri Jan 20 11:46:27 2012 -0500

    * Phase 1 ID Payload MUST be 0/0 or XXX message changed
    
    Signify in the message that we will attempt to continue (this behaviour
    was changed a few years ago due to too many bad Cisco VPN3k deployments)

commit bf395045e51ac83af0ca0d8ff10d81814bb21d22
Merge: addc3e1 df87d72
Author: Paul Wouters <paul at nohats.ca>
Date:   Thu Jan 19 12:04:40 2012 -0500

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan

commit addc3e1497e2f1276f133c47265a90bbebe7cb7e
Author: Paul Wouters <paul at nohats.ca>
Date:   Thu Jan 19 12:04:00 2012 -0500

    * Remove "Warning: empty directory" for empty X.509 directories

commit df87d72cfa847790245a04854fda27403312a300
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Jan 15 18:42:52 2012 -0500

    missed an email address

commit f93198634595d9c10a8059e5d896563653d1eb97
Merge: a4caf1a 49b7f22
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Jan 15 18:41:17 2012 -0500

    Merge branch 'master' of ssh://vault.openswan.org/openswan/openswan

commit a4caf1a0717e270bcbecca874adba6b35d11ef06
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Jan 15 18:40:40 2012 -0500

    update my email address to paul at nohats.ca

commit 80c80952225b8c087a113ba30ce59eafa567bd2d
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Thu Jan 12 17:36:16 2012 -0500

    Fix missing trailing whitespace

commit 49b7f22875530731442118f886734680b6f117c9
Author: Paul Wouters <paul at nohats.ca>
Date:   Thu Jan 12 17:23:37 2012 -0500

    * Fix two format string buglets - found by Moritz Muehlenhoff from Debian

commit 69ee5a8ab77ed40db9307dc2586b2aadd6361920
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Thu Jan 12 17:13:13 2012 -0500

    Refresh debian/* from latest Debian's version.

commit 94d96094346192d0fe2b077276d4814c3a716390
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Thu Jan 12 16:10:07 2012 -0500

    Refresh debian/rules using latest Debian's version.

commit 29efa863926a36ee3eab2da13b35d64415456f44
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Dec 20 19:02:35 2011 -0500

    * Multiple IKEv2 connections with different ports failed
    
    Multiple IKEv2 connections are established erroneously when the
    connections are similar but have different ports associated. IKEv2 code
    can not find the specific connection definitions leading to incorrect
    SA establishments when more than one connections exist between same
    end points.

commit a2cd93a59b007f86ffe465851f9d25b75eecfa10
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 6 20:25:35 2011 -0500

    * Added hmac(sha256), hmac(sha384) and hmac(sha512) XFRM netlink names

commit 10026d9cbe975f55ff0a43c7ec7fcb4fcf8dba7b
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 1 11:49:48 2011 -0500

    * Added struct xfrm_algo_auth for changing truncation of SHA2
    
    Taken from 2.6.38 kernel

commit 5b6851778eac73f5dbc44a21a8e8938417056742
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Dec 1 11:33:43 2011 -0500

    * Kernel changes to header files: netlink.h rtnetlink.h xfrm.h
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 65844716eda68d0892aaa19c4aac49fd109548f9
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Nov 30 09:44:56 2011 -0500

    Revert "Multiple IKEv2 connections are established erroneously when the"
    
    This reverts commit 5ca991f394629ca8ce3c8f9de61401dd37a80a82.

commit 4886e0d33c7a47c6ebea5a8c888f972c4023ad8f
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Nov 30 09:48:13 2011 +0200

    update CHANGES

commit 6be595cc2b802f3ec64d2f4eabda09ed6c2fde2c
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Nov 30 09:39:40 2011 +0200

    fix bug #1294 _startnetkey selects wrong default gateway if there is multiple

commit 33aea96b36ff282f64bc9cc2a69f89ffa908826c
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Nov 30 09:10:53 2011 +0200

    USE_SHA2 is not defined for libopenswan elsewhere.
    
    Revert "* defining -DUSE_SHA2 is now done at the proper place"
    
    This reverts commit 1eadd7b5a0392e1ecfa3182ccda345ae264ca1ee.

commit 1eadd7b5a0392e1ecfa3182ccda345ae264ca1ee
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Nov 29 11:57:29 2011 -0500

    * defining -DUSE_SHA2 is now done at the proper place

commit d9c6bad2e2ab5bdafc07cb948c8af85711076f67
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Nov 29 00:23:39 2011 +0200

    Re-add LIBSHA2 to LIBSPLUTO and make sure -DUSE_SHA2 is set for pluto.

commit 3203cd13660e0e5f09c83fb4343cf784a42c6192
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 28 13:42:17 2011 -0500

    * Always add libsha2

commit 110e575ccb44600c556ae85e86f233571b8762dd
Merge: 1419517 e1ae199
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 28 12:54:24 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 1419517fd9469721afe496c8317f0229ce4d5aac
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 28 12:53:29 2011 -0500

    * Fix SHA2 without EXTRA_CRYPTO
    
    the libsha2.c code was not getting pulled in without EXTRA_CRYPTO=true

commit e1ae199c5de621f598e6ea58814f8b27d556882d
Author: Simon Deziel <simon.deziel at gmail.com>
Date:   Mon Nov 21 20:03:11 2011 -0500

    Typo fix

commit 7f7a291a8d2f9c832fee3cb811d76a3f99f88eed
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Nov 6 12:16:44 2011 -0500

    * comments on MS NT5 vendorids

commit 90cec1192e5daec7d78c8e47c778f16d58c2bf5c
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Nov 5 11:55:07 2011 -0400

    * barf: fixups spotted by Shinichi Furuso

commit 2cb35855147eadda532dd84fb70153c359647c47
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Nov 5 11:52:40 2011 -0400

    * SUSE: packaging/suse/preamble was not properly added

commit 488fbb929a37a3ec1a746d868d7454d5abbff577
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 3 13:31:24 2011 -0400

    * Add -llber to PLUTOMINUSL when using USE_LDAP

commit 6f69bbfb691572519081a1bd79277fc2b0d8465f
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 3 13:08:57 2011 -0400

    update changes

commit ed223e24f12a19f3609616ad0f7dbd4e0040a696
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 3 13:08:11 2011 -0400

    * update userland copies of Kernel changes to netlink.h rtnetlink.h xfrm.h

commit b03409f5a86740bc6a94c6da6caf0a691ca3e840
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 3 13:06:10 2011 -0400

    * Add PLUTO_IS_PEER_CISCO= to updown

commit 134f768284d0a6a4dcd0c2b503d4329c3f072c8f
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 3 12:53:44 2011 -0400

    * typo in comment

commit b9d8c8fef0852e31c906d60b30a5ff16f71cc102
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 3 12:51:58 2011 -0400

    * hostpair: initial_connection_sent was never set to not FALSE - removed

commit acbf3cc1ec11f1d8ce68d88d8949e19c1ea5d305
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 3 12:49:24 2011 -0400

    * NSS: log error more verbosely when key creation fails

commit 5ca991f394629ca8ce3c8f9de61401dd37a80a82
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu Nov 3 12:44:46 2011 -0400

    Multiple IKEv2 connections are established erroneously when the
    connections are similar but have different ports associated. IKEv2 code
    can not find the specific connection definitions leading to incorrect
    SA establishments when more than one connections exist between same
    end points.

commit 9001da2166ad56c94ae1f71459062542f9cf2997
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 3 11:06:04 2011 -0400

    update changes

commit a3d494b09e4b0b68142f18b1c76c8ec9c23ea770
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 3 11:04:40 2011 -0400

    * verify: fix false positive on IP forwarding on some perl versions
    
    Patch by steve delaney <sdelaney39 at gmail.com>

commit a05c79185d9df7f7d533f8c2fb7adcbb15dbde08
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Thu Nov 3 10:42:07 2011 -0400

    * barf: iptables-save without -t option shows all tables.

commit d49dfdec8691a2b97e79c822543196db1c08e144
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 3 10:37:00 2011 -0400

    updated changes

commit a9114952d97c67f13e03e42910494060b566c2eb
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Thu Nov 3 10:35:01 2011 -0400

    * SUSE: Make packaging more compliant with Kernel Module Package Manual

commit 6f13e17aba7cd03437a521e29c744a14302eda59
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 3 10:32:37 2011 -0400

    * barf: iptables-save on suse is in /usr/sbin, not /sbin

commit 589cb53d367f045929b31aed997f00766530899d
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Thu Nov 3 10:22:40 2011 -0400

    * DPD: packets were sent too often
    
    old code was last = min(p1st->st_last_dpd, st->st_last_dpd).  If multiple
    SA's are established over one host pair,  a number of EVENT_DPD's will
    fire before it receives R_U_THERE_ACK.

commit f163b052d15ae1532d60357c96e5fb7db7debb8c
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Thu Nov 3 10:16:51 2011 -0400

    htonl'ed seqno was logged

commit b4c37b5d9b54d9093c087a25579c6293b2523aaa
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 28 16:46:11 2011 -0400

    updated changes

commit fb58c84cc5ff39f581ea63842ccd68385fbb8165
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 28 16:43:35 2011 -0400

    * Fix for CVE-2011-4073 crypto helper crash
    
    When a helper or helper queue had work for a phase2, and the
    corresponding phase1 was deleted, the helper would not get informed.
    Once it had completed its work, it would try and use the old pointers
    to write the work item data.
    
    This would only happen when not running with nhelpers=0. See the CVE
    announcement for more details.

commit d0e851988d9a3fdc8ec310fa90412e0e7325d1ed
Merge: 2cb8b57 69e2995
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Oct 28 11:18:04 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 69e2995fe29d33e580dd53a079ea94657cf62053
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 27 13:56:42 2011 -0400

    updated changes

commit 46daaab049de3e87eb38c6473317f14876c98b12
Merge: 8b01039 7986005
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 27 13:55:20 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 8b01039506fc706ce0e26c0bf53370d679787994
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 27 12:51:38 2011 -0400

    * make "requested algorithm is not available in the kernel" more verbose
    
    We do this by falling through the switch case and hitting the default,
    that causes the msg to be logged.

commit 2cb8b575818de64e4ecf64ff7b6bc63b62f8ad3d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Oct 27 11:57:50 2011 +1000

    SUBNETTOA_BUF and ADDRTOA_BUF too small for IPv6
    
    Switch them across to use the SUBNETTOT_BUF/ADDRTOT_BUF defines
    which are large enough and lose some magic numbers at the same time.

commit 7986005cccc252e1570c7d58ff6e99d213047743
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Oct 27 11:22:29 2011 +1000

    fix sending icmpv6 packets in an ipv6 ipsec tunnel
    
    Packets were getting their source address corrupted.
    
    Neil Morehouse

commit 5898945687c16731367215597bb7734806466f6c
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Oct 27 11:20:38 2011 +1000

    header_ops->cache takes an extra arg in linux-3.1

commit 3677be5411eae1150ee5a1a42032047225f38808
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Oct 27 11:18:40 2011 +1000

    Should be using linux/scatterlist.h now
    
    As on linux-3.1 asm/scatterlist.h no longer provides everything we need.
    From now on use linux/scatterlist.h to get both.
    
    Greg Ungerer <greg_ungerer at mcafee.com>

commit 059f96a113d9a1446e637172a7c7f698bfd9efba
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Oct 27 11:15:51 2011 +1000

    Linux 3.1 no longer has some HAVE_* defines
    
    Specifically HAVE_NETIF_QUEUE, HAVE_NET_DEVICE_OPS, HAVE_NETDEV_PRIV.
    So make sure we know that linux-3.1 supports them.
    
    Greg Ungerer <greg_ungerer at mcafee.com>

commit 214c39c4da945367ee51668c5a3bd91cb3a613a2
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 26 12:10:28 2011 -0400

    * removed hack to suppress a compiler warning on pathlen
    
    Basically, the code read:
    
            int pathlen;
            pathlen = pathlen;      /* make sure it used even with !X509 */
    
    We no longer have the X509 define, so the issue is moot. But even if it was
    still an issue, a real fix would have been preferred over this hack.

commit b98294c998be013770e86319c8065f9e2d8bc0bd
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 25 13:36:23 2011 -0400

    * added some notes on debugging settings in Makefile.inc

commit f53e48ac96593bd84f754d20ab0eea1e8fa2c10f
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Oct 23 00:33:14 2011 -0400

    updated changes

commit 2b9d626de79d430a91ea383ea2357b7e79f03fab
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Oct 23 00:31:34 2011 -0400

    * Fix for ike_alg_get_encrypter() possibly returning NULL
    
    See: https://bugzilla.redhat.com/show_bug.cgi?id=747852

commit 8cf7c954f0e6ef70e8463e79c65ffe1535f48d73
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 19 22:23:11 2011 -0400

    updated changes

commit 9954c946bcec187640bd1f73c6990bc349aa7daa
Merge: b791f4c 7894279
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 19 22:21:38 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit b791f4c7c2fa20c4cdfeab12934168baced27796
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Wed Oct 19 22:19:25 2011 -0400

    * vhost allows connections with subnets proposed and ignores virtual_private
    
    In virtual.c the function returned NULL at 364 if vhost is used and the
    proposed net is not a host.
    
    The bad thing is that at this point except for the fact that the net
    itself is not allowed no further checks will be done and the proposed
    subnet is accepted regardless if the proposed net is a public network,
    the world (0.0.0.0) or whatever.
    
    vhost:%no,%priv and virtual_private= are useless in this case.

commit bb100e0f0ad857631706e977ff76f81b2f19434d
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 18 20:48:13 2011 -0400

    * update IP_IPSEC_REFINFO / IP_IPSEC_BINDREF from 22/23 to 30/31

commit 7894279cc3039064693c290bf65b3d4a2b6fbf1a
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 14 16:52:54 2011 -0400

    * Added xfrm_ipcomp and tunnel6 to the module unload list for netkey

commit 69b6e7ff044006a4a89df6800db79a10ebc17f20
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 5 09:45:02 2011 -0400

    formatting fixes for CHANGES

commit 5e1d2d7bf24bee7c671e10af32e446a1d37b3df8
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 5 09:35:45 2011 -0400

    updated changes

commit e79565f95d894bba1ce55cc30dfedf64c4bfca9a
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 5 09:33:08 2011 -0400

    * Fix for CVE-2011-3380 Openswan IKE invalid key length vulnerability
    
    The function parse_isakmp_sa_body() calls the function ike_alg_enc_ok()
    twice, once to verify the algorithm and once to verify the key length.
    In openswan 2.6.29, the second call was changed to pass NULL as the errp
    pointer. The function ike_alg_enc_ok() error handler improperly dereferences
    the errp pointer.
    
    When an ISAKMP message with an invalid KEY_LENGTH attribute is
    received, the error handling function crashes on a NULL pointer
    dereference. Openswan automatically restarts the pluto IKE daemon but
    all ISAKMP state is lost.  This vulnerability does NOT allow an attacker
    access to the system. This can be used to launch a denial of service
    attack by sending repeated IKE packets with the invalid key length
    attribute.

commit f018510b2454e2bbfac90e7d13ecf25a0a637278
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Oct 4 20:58:10 2011 -0400

    * barf: ip6tables does not have nat tables
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 44d80099efb30c703f7f0a8fae3e6531d85e2ebf
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 3 18:12:00 2011 -0400

    updated changes

commit 8547b9e57f19f827e93caa13afea528efe7ad4c4
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 3 18:10:51 2011 -0400

    * SAREF: Added updated patches for 2.6.36 kernel

commit f98cbd576d245fd61fee03fbea0a6aeed12a65de
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 3 18:04:59 2011 -0400

    * SAREF: Remap IP_IPSEC_REFINFO/IP_IPSEC_BINDREF from 22/23 to 30/31
    
    2.6.26+ is using 22 for IP_NODEFRAG now. This also required xl2tpd
    to use the new number. It should probably be made a new option in
    xl2tpd.conf

commit 9c8ee101bb99f8a86d3fd9a3dec54804b41ba72d
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 30 11:11:49 2011 -0400

    * UML: Enable USE_IPSECPOLICY=true for uml builds, now the default is off

commit 1b44ed411ecdadaa0ea4073891dc3bbe94eb765f
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 29 16:41:24 2011 -0400

    updated changes

commit 15e2e965a4565ba65c49511da56aac24003276d3
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 29 16:40:07 2011 -0400

    * SAREF: kernel patch added for Linux 2.6.38 [Paul]

commit 541354644a17cfcd40e4b7d54e73ce1004afe7be
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 28 13:16:53 2011 -0400

    updated changes

commit bc5f2c0e6824316bfc38e6b01c483ca8e97e5166
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 28 13:10:58 2011 -0400

    * Disable USE_IPSECPOLICY per default - there is currently no consumer for it
    
    It creates an unneeded socket /var/run/pluto/pluto.info, which when
    used incorrectly could cause pluto to hang indefinitely on reading
    the socket. Access to this socket was prohibited by the /var/run/pluto
    directory being readable by root only. However, in the case of /var/run
    on tmpfs, this directory would get recreated with world-readable permissions.
    
    Found by Sony Japan

commit 207c2c13f240a07c53f5d6a328584f54a17c8e82
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 28 12:57:06 2011 -0400

    * comment out an old tar build target and remove some old RCSIDs

commit c5bca10d7d4207943cc07da7fc21d696951d8513
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 28 11:46:02 2011 -0400

    updated changes

commit eccdfa2b5dd7ebc648144c0de7fa2b2aa02ae5c6
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 28 11:11:33 2011 -0400

    * Prevent a local admin from opening up pluto to a DoS attack [Sony Japan]
    
    Ensure the administrator did not make /var/run/pluto 755 by some strange
    accident - we create it 700 and so do the main linux distributions, but
    things could get recreated due to /var/run/pluto being on a tmpfs mount.
    
    This avoids the case where a non-root user could open a world-writable
    socket in /var/run/pluto/pluto, keep them open and block pluto from
    processing anything. (this could be true for pluto.info, not pluto.ctl)
    
    This patch also ensures that any existing /var/run/pluto is changed to 700

commit 379eb97edaea96fa7c1a62c81629d323a593ac7f
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 21 10:26:52 2011 -0400

    Remove debian patch for -llbr. no longer needed

commit 210c57c1b4edcf4556aeb1e9628b63df5288a775
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 20 21:01:01 2011 -0400

    updated changes

commit bb0481d93b439ef27a28e4e8491ad97dcf3524ff
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 20 20:52:21 2011 -0400

    * ipsec verify: New kernels use nf_conntrack instead of ip_conntrack [Avesh]

commit abe2f7ce9aaffa96180915946dd4f3846b41b3c9
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 20 20:51:46 2011 -0400

    * LDAP/CRL needs liblber (rhbz#737975) [Avesh]

commit bfb3d0590d78f2aeedb52c15eaf82356c16fe89e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 20 20:43:13 2011 -0400

    * Use iptables-save instead of iptables -L if possible
    
    Suggestion from Avesh, it prevents loading the conntrack modules
    if no conntrack was happening before.

commit c377f518652934c080a2f06c98d8fb2e79973f99
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 16 19:25:08 2011 -0400

    updated changes

commit facd81436e1a0fcca73521a3972659060e32e85b
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Fri Sep 16 19:24:04 2011 -0400

    * ipsec_sa_getbyid() did not work properly on IPv6
    
    The implementation of ipsec_sa_getbyid used sin_addr to compare
    two addresses, regardless of their address family.  I'm afraid that
    2001:db8::1 and 2001:db8::2 are the same addresses.  It'll be an issue
    when ipv6 is used and SPIs on two machines collide.

commit dd35281fb99ec107515573dfda977ace79dba861
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 12 11:01:49 2011 -0400

    update changed

commit 73cdb9a15580b7974204fd7130947a71a4e5987e
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Mon Sep 12 10:58:18 2011 -0400

    * KLIPS: ipsecdevices index overflow
    
    The default maximum is 64 ipsec devices (ipsec0 to ipsec63). Attempting to
    delete ipsec64 would cause a kernel crash.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 0f3cc8a90b8e074bcc26bbcc1b4ff211db8266a6
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Mon Sep 12 10:53:34 2011 -0400

    * KLIPS: cleanup off by one interface, prevented module unload [Shinichi Furuso]
    
    ipsec_tunnel_cleanup_devices removed only IPSEC_NUM_IF (=2) devices instead
    of ipsecdevices_max, skipping cleanup of manually created ipsec2 and higher
    interfaces, resulting in an ipsec.ko module unload failure.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 3031eb78fb9ddf5735bd7ab29167e43371baa892
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Mon Sep 12 10:51:31 2011 -0400

    * tncfg called incorrectly for adding more ipsecX interfaces [Shinichi Furuso]
    
    If the machine has 3 or more interfaces, we can write
    'interfaces="ipsec0=eth0 ipsec1=eth1 ipsec2=eth2"' in
    /etc/ipsec.conf. However, openswan can't create ipsec2.  The reason is
    _startklips calls 'ipsec tncfg --create --virtual ipsec2'.  The '--create'
    option takes 1 argument ('--virtual') and tncfg tries to create a
    '--virtual' interface and fails.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit b463e4df541f20f02702220e18bf9e88fdd5941a
Merge: 421f1c9 e07f3a0
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 1 17:19:56 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 421f1c9793b04874262ee0b866cab8a3e85f1cc6
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Aug 31 11:37:27 2011 -0400

    updated changes

commit 8bc95c1ba311d64103003ef2c1d330d4cc2765b0
Author: Shinichi Furuso <Shinichi.Furuso at jp.sony.com>
Date:   Wed Aug 31 11:25:43 2011 -0400

    I cancel a patch of pluto that deletes port floating codes when Delete
    SA is received.
    
    The former part of the condition never matches any objects, that is
    there's no object with st_serialno is 0.  After all, it is equivalent to
    "st->st_serialno == nfo->st->st_serialno".
    
    Test environment:
    Server 0 -+- Server 1
              |
              +- NAT Router -- Server 2
    Server 0 is a target to test.
    NAT router is set up with:
     iptables -t nat -I POSTROUTING -j MASQUERADE --random
    
    I set up 3 connections: nonat, nattun0, and nattun1
    
    Here's a scenario:
    1. start all openswan on Server 0, 1, and 2
    2. Server 1 initiate "nonat" connection.
    3. Server 2 initiate "nattun0" and "nattun1" connections.
    4. "conntrack -D -p udp" on NAT Router and clear NAT table.
    5. Server 2 delete "nattun1"
    6. stop openswan on Server 1, 2, and 0.
    
    With the old code, "nonat" is rewritten when "nattun0" is established.
    It's the issue that we wanted to fix.
    
    With the current code, above issue is fixed, but "nattun0" is not
    written when "nattun1" is deleted and port floating occurs.  Thus,
    Server 0 can't send Delete SA to Server 2 when openswan on Server 2 stops.
    
    With the patched code, both issues are fixed.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit e07f3a036589310163f9c3e75aee54851f18cfd9
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Aug 29 10:08:05 2011 -0400

    updated changes

commit 9c6bb63a8727538ea70e6d566351f28db05e02ea
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Aug 29 09:57:33 2011 -0400

    * NAT-T: Fixed logging for broken NAT-T keepalives [Tobias Brunner]

commit 6f2455474869e30cff041ec5e5f79a656a678e9a
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Aug 24 10:20:07 2011 -0400

    updated changes

commit 6bcd894d6c028d0ab7a8687fde4389efa32f24bd
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Wed Aug 24 10:17:24 2011 -0400

    * Add building with SAref on SLES10 / SLES11 / Opensuse [Shinichi Furuso]
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 07a8d8bdd5054452b32f8536017b83a7f277f5e0
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Aug 23 08:55:10 2011 +0300

    update changes

commit f162436d89a3a0f97f7c6ea1399e1d6a1e5579dc
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Aug 23 08:52:21 2011 +0300

    hub-spoke.conf: how netkey works is by design, not a bug

commit 14eb163d4374f37dfdd13fa134efcaac119911a7
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:35:30 2011 -0400

    updated changes

commit 0d5b4cacea2408fdc8ac8a41f3ded59b4705c61d
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:32:44 2011 -0400

    * IKEv2: We always sent the openswan VID instead of using #ifdef
    
    It now uses #ifdef PLUTO_SENDS_VENDORID like IKEv1

commit 2c436b0cca8a630768775fc4ce3e9ec1d6be6833
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:30:56 2011 -0400

    * IKEv2: ikev2_get_dcookie used SHA1Update() with pointer size [Avesh]
    
    It used sizeof(spiI) instead of sizeof(*spiI)

commit 4d5082766605d6105a9e28e67c0d1cdcab322f04
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:30:00 2011 -0400

    * TESTING: Added some more consistent logging in prerunsetup()

commit baddc2b7e5942b467b92c945751b9ac4dbca5a34
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:28:30 2011 -0400

    * pcr_init() should memset the request helper size, not pointer size [Avesh]

commit 1aadb908b28872f77a44a0516006a8802a895d3c
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:27:29 2011 -0400

    * Prevent dereferencing ctx->trans_cur using passert() in db_trans_add()

commit ef4838e82d027650582be0642fc67b9a0dea30d9
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:26:42 2011 -0400

    * XAUTH: whack_get_value() never decremented "tries" so asked indefinitely
    
    Patch by Avesh

commit ef4d0f4a921afe1977a02d97a9bf1b48b8aad85e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:26:14 2011 -0400

    * Fix closing fd in lib/libopenswan/oswconf.c [Avesh]

commit 60991b7c528ef76cd2e644b85b19e45cd9ddcbdf
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Aug 9 13:25:11 2011 -0400

    * rsasigkey: configdir is always set in the NSS #ifdef part [Avesh]

commit c812da7403c3429a53844e50f1884e5ba87b11db
Merge: e4c216c 4f9e1d2
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Aug 8 17:34:11 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit e4c216cefa4e0d06e40485acc1733f923525f914
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Aug 8 13:37:10 2011 -0400

    updated changes

commit fe7b29f4b5ee74e3ac268d4e4a79e3c89d8330a9
Author: Shinichi Furuso <Shinichi.Furuso at jp.sony.com>
Date:   Mon Aug 8 13:36:04 2011 -0400

    * [CRYPTOAPI] Support for backported 2.6.19 CryptoAPI in SuSE kernels
    
    In 2008, SuSE backported a new CRYPTOAPI, saying 'update CRYPTO for
    IPv6 IPSEC requirements'. This prevents klips from being compiled.
    In May, CRYPTOAPI support is enabled by default in openswan.  So,
    ipsec_alg_cryptoapi.c will be compiled.  It switches old and new CRYPTOAPI
    only by LINUX_KERNEL_VERSION.  Thus, it tries to compile old 2.6.16.60
    CRYPTOAPI code on new backported CRYPTOAPI kernel.
    
    I checked CentOS 5.6 whether it also backports new one, but found it
    doesn't.  I don't know other major vendor-supported distributions that
    use a kernel older than 2.6.19.
    
    I tested that it can be compiled on old SLES10 (2.6.16.60) and new SLES11 (2.6.32.43).
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 4f9e1d2ec5a13dae884203a692d2632e6716fa42
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sun Aug 7 02:07:39 2011 -0700

    More "sane" debug output changes.  Minor.

commit e54eaf82fbf48dff95d522f641776fea90865a61
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sun Aug 7 02:02:31 2011 -0700

      More "sane" debug output changes.  Minor.

commit 5077d26642d863f03f1e17af6c5f020e82375a6b
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Aug 6 20:00:58 2011 -0400

    * Commented out umltree subdir that Hugh added.
    
    It does not exist, and causes regular "make clean" and "make programs"
    to fail.

commit a27e30b017afadce901a067edb446ab035703b24
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Aug 4 12:20:23 2011 -0400

    updated changes

commit 16c6fe07a701629c431b30daad31a36171aa522c
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Aug 4 12:17:29 2011 -0400

    * Changed a few *alloc() calls to alloc_bytes()
    
    We were not tracking some allocations for LEAK_DETECTIVE. Seeing that
    I did not find the proper free() calls, it might mean these are actual
    leaks (unless pfreeany() was used).
    
    One realloc() call in ssdep_linux.c was left, as I was not sure how
    to do the realloc() call using our wrappers.

commit d584624905a77ecb22292fd282a5a806bdcb86f7
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Aug 1 20:22:47 2011 -0700

      This is a large commit of work done to stabilize the testing "framework",
    to get make to run in a reliable manner, to see where things are happening
    etc.
      One big change is that all makefiles and most shell scripts are now
    expressly BASH scripts as they had been coded with BASH syntax and were
    failing in odd ways in boring old POSIX shells.
      Please note that this is not "done" work, I think the commit does no
    harm, but I am sure that there is more to do before testing works again.

commit f9077d8ed0b7ed79a77676dc965d6ca12611aa62
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Aug 1 19:46:13 2011 -0700

      One major change and various minor tweaks and extra output lines used in
    debugging testing.
    
      The BIG change here is moving the SHELL from /bin/sh to /bin/bash, as many
    scripts in testing are coded with BASH extended syntax.  Since BASH does everything
    a POSIX compliant sh does this should not harm any other scripts (and no harm
    has been observed in a week of testing...).

commit ae8b6acba2d733b1fe211dda43b3ae4b79351348
Merge: d33c86c aa67b53
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Aug 1 19:17:11 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit d33c86c86e5b6a4cdb58f79c0e83bc18d992fabc
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Aug 1 19:14:20 2011 -0700

    Sizeof returns different things on different arch's, so cast it big so the
    compiler is unlikely to bitch.

commit aa67b53e8117c16235b0537053c6f628e0ac6f88
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jul 26 11:59:01 2011 -0400

    * KLIPS: Log a warning when using CONFIG_IPSEC_NAT_TRAVERSAL on > 2.6.22

commit 7a1b8c50ee9f90b22721079c8d148e4b4e766083
Merge: e73dfde 1e594ea
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 25 15:55:26 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 1e594ea240f9ba294c2607f04949de622bf4f80d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jul 25 12:44:55 2011 +0300

    update ipsec_pluto.8 man page

commit 215e2db2109ad994982fdc604bc662dbce82735d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jul 25 12:43:04 2011 +0300

    add --checkpubkeys to man pages

commit 1cc085e434a62e7f64efaa415fd2e30d0eb33b96
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jul 25 12:41:20 2011 +0300

    update CHANGES

commit db4ea9f8d2d967c335f8789be15fd81f8fc4a409
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jul 25 12:36:22 2011 +0300

    document --checkpubkeys option

commit 53b5f4b5c2c960d66f22fb9112a580a6d4c40733
Author: Mika Ilmaranta <ilmis at foobar.fi>
Date:   Mon Jul 25 12:16:06 2011 +0300

    Add --checkpubkeys option into whack and auto for checking public keys.

commit 06ec3f8e8944347eb3a27c0e0b2f927dc522dae2
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jul 25 11:27:25 2011 +0300

    update CHANGES

commit 3cf91546468484b1b345cbc59de028f3855b20d1
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Jul 24 11:29:22 2011 -0400

    new changelog entry

commit fd9be2a9cf5e1dff41f18eb0ba7d6ba72b592fd5
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Jul 23 16:48:03 2011 -0400

    update CHANGES release date

commit e73dfde59254113d28038230070af161f86d36e1
Merge: bdb454e daf04af
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jul 22 13:32:27 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit daf04afe1949d7c42199138aca627e0c39965c42
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jul 21 10:34:16 2011 -0400

    updated changes

commit a542d42cc03864c06c9108b98ba8cbca15231174
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jul 21 10:33:34 2011 -0400

    * OCF: Only include ipsec_ocf.h when using CONFIG_KLIPS_OCF

commit f03f13b30d10efa48b7b002218418e5621b9b245
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jul 21 09:54:12 2011 -0400

    update changes

commit 04a61f2353bd54b31e0cfca76465bb122c0c1976
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Jul 21 15:15:57 2011 +1000

    Fix mast packets on host-to-host connections
    
    We were not identifying packets correctly after the ip_select_ident changes
    on host-to-host ipsec connections using mast. net-to-net seemed ok.
    Refactor and ditch some code and use ixs->mast_mode as it is always right :-)

commit bebc8f14d0ed8978693ed151a9166708f16d2929
Merge: 5807851 da42f2b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Jul 21 10:38:13 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit bdb454e167556033cc5a683cf3a594adf3bd94fb
Merge: 591136f da42f2b
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jul 19 17:02:54 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 591136f8ccef0b7efd0e687ad9add8803388750e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jul 19 16:50:32 2011 -0400

    * Setting the debug_mast to -1 caused debug to be active per default

commit da42f2b802dac8054b875aa38476cff811097bd1
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jul 19 11:18:13 2011 -0400

    updated changes

commit 72383827f1951e846141e25f2d06e1c143ba9f77
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jul 19 11:15:29 2011 -0400

    * OCF: Give a hard #error in ipsec_ocf.h if we don't have CONFIG_KLIPS_OCF
    
    I managed to compile with it defined in linux/net/ipsec/defconfig but
    without using it in my MODULE_DEF_INCLUDE that pointed to the file
    packaging/linus/config-all.h. This resulted in some obscure error, instead
    of a clear error that the config files did not match up properly.

commit 58078515ff72eed3bc33f5c9215e6eacbc7d6164
Merge: 66e8174 14f30c3
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Jul 19 15:09:53 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 14f30c3a631143d347d9463e4c9d97cb1ae0384f
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 23:50:45 2011 -0400

    * KLIPS: more prefix fixes to debug log lines

commit cbb1c004d7b10f8e2b8f898270b484bceebc0045
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 23:22:22 2011 -0400

    updated changes

commit 98eed4a91ea93e69807f1236b82f61325c4c831f
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 23:20:43 2011 -0400

    * DPD: Do not ignore failure in dpd_init()
    
    Note this commit accidentally came in via 993e9312f195. This commit
    is just a marker of that for the git log.

commit 388969cc02e7a5092e4f4a84ed47a481495e272f
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 22:58:39 2011 -0400

    updated changes

commit faa8308fc1445dc1ac2e41405427de908aa5e05c
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 22:57:34 2011 -0400

    * KLIPS: more prefix fixes to debug log lines

commit ba34bd2566889524ba47abc7418c03d73090f4b9
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 22:26:31 2011 -0400

    updated changes

commit 30cff989e25e48581dcc70d8a202cc87a1e7869c
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 22:24:57 2011 -0400

    * KLIPS: updated bad debug references to ipsec_xmit_encap_once
    
    ipsec_xmit_encap_once() at some point got refactored and renamed,
    but the klipsdebug prefix was not updated to reflect this.

commit f7c0a61449473ab6ebceb06e2a8fbc27607c7328
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jul 18 21:57:23 2011 +0300

    cleanup comment for set_cur_connection change

commit e5f0052e21bc19619dac26d281549d326cf17865
Merge: 90630ec 282ed0a
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 14:18:56 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 90630ec5c580dac22b23faf3fc5a1051d689ba35
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 14:14:19 2011 -0400

    updated changes

commit b6c2514a97bf86187690869360968361a971367e
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jul 18 14:13:36 2011 -0400

    Fix for Tuomo's (rare) crasher where globals were not reset. Idea by dhr

commit 282ed0acbec43264b68126578a81a361f14cf9ce
Merge: ec00950 993e931
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Fri Jul 15 18:32:50 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit ec009505525e3443254ed7c20d6de81f84990823
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Fri Jul 15 18:29:45 2011 -0700

    If a script needs BASH it needs to SAY so...

commit 993e9312f195f54a3e3a00126aaf926ad566e2ae
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jul 15 13:14:10 2011 -0400

    * Bart's disabling of the mast debug per default did not make it in.

commit 3e3bc829db987d1f59b21eedc952f153323ea53f
Author: Hugh Daniel <hugh at star.toad.com>
Date:   Wed Jul 13 13:05:48 2011 -0700

    The script uses BASH extensions that break on POSIX compliant systems, so
    we force use of /bin/bash rather than hope /bin/sh points to it.

commit 22d6013a83390f5973dd55e35a16c1641dfce2ae
Merge: 50f7a51 0d709b4
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jul 13 12:55:51 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 50f7a519682c901e4734de79d3e5a5ed367b399a
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jul 13 10:37:59 2011 -0400

    update changed

commit 54085743b7760a3417b510e75aab0efff4194c38
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jul 13 10:35:45 2011 -0400

    * KLIPS: Fix MTU on interface - bug introduced in 2.6.33 [Wolfgang Nothdurft]

commit 0d709b47f5d1e9335677e3db18b3f9bc1fb58775
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jul 12 20:51:56 2011 -0400

    * Fix previous malloc() use fix for Tuomo's crasher
    
    Note the previous fix accidentally got submitted in an "updated changes"
    commit message.
    
    out_sa() used malloc() directly instead of using our memory wrappers,
    but in free_sa() we were assuming it had been allocated with our
    wrappers.
    
    The previous fix used alloc_thing on both proposals and transforms, but
    the proposal ones needed to use alloc_bytes() due to the multiplication
    for 2 * proposals.

commit 28c496fb4ecaa006754977cabe2ca0448648f2be
Merge: ce7ca9d b8b316e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jul 12 18:22:11 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan
    
    Conflicts:
    	CHANGES

commit ce7ca9d87b24ef9ced83d4b67af93b651eb8c73b
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jul 12 18:21:40 2011 -0400

    updated changes

commit b8b316eb176e62a16ed4f9b0d9fd1d5f1ec38b8e
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Jul 9 11:34:15 2011 -0400

    * default KERNELSRC to the currently running kernel

commit 0e739f6c3dc416d6850763e51bd8a4f185f56451
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Fri Jul 8 18:12:23 2011 -0400

    * UML: updated kernel configs for UML_NET_PCAP, UML_NET_VDE and UML_RANDOM

commit 8d191e93feef736064a959837d481a289bac85f6
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jul 8 15:26:41 2011 -0400

    updated changes

commit 1c58f14b19aef87cd15e7d0ae42b0a2e87a5395f
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jul 8 15:24:06 2011 -0400

    * st_peeridentity_port missed ntohs() causing interop fail with little-endian
    
    Found by Magnus Öberg

commit 717744479d3da28ad30505eee8ec651653740fb9
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jul 7 17:15:16 2011 -0400

    updated changes

commit 5a443cc72837ef33f38a5f09e849b061a4be55bc
Merge: 4f26de1 b4faa45
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jul 7 16:47:55 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 4f26de19fb22444fc1c6cd450ac37b8c76481204
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jul 7 16:38:45 2011 -0400

    * Prevent double ipsec_kfree_skb()
    
    Shinichi Furuso pointed out that ipsec_rcv_unclone() can call
    ipsec_kfree_skb() if it is cloned (due to tcpdump or so?) and then
    returns NULL. In such a case, the caller, ipsec_rcv_init() returns
    IPSEC_RCV_REALLYBAD, which causes ipsec_rsm to also call ipsec_kfree_skb()
    
    I removed the call in ipsec_rcv_unclone() with an added bonus of removing
    a goto statement

commit b4faa455880aff2d47546628eeb8c100c08daf63
Author: Michael Stevens <mstevens at etla.org>
Date:   Thu Jul 7 22:47:05 2011 +0300

    Bug #1264: Fix a teeny typo in changes for 2.6.34

commit 65312de8bf145f0b2d93597af750078876fdb574
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jul 6 17:51:28 2011 -0400

    * avoid using dirname (patch from openwrt)

commit 12112472a4998038651f55d47353c4c8b9f3e527
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Jul 3 16:32:47 2011 -0400

    updated changes

commit fd29db8d488d2edfe454748c60707cf91982c0d1
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Sun Jul 3 16:28:20 2011 -0400

    * SAREF: Added null check of secpath_dup(NULL)

commit 929dadfbdd7f48456d4b219731bed6ee62c0aa66
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Jul 3 16:12:25 2011 -0400

    updated changes

commit bd2c78b677e0c02470854b31423cb03864c22574
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Sun Jul 3 16:10:25 2011 -0400

    * SAREF: ip_cmsg_recv_ipsec_refinfo() doesn't initialize refs array.
    
    It causes uninitialized content of the kernel stack to be passed to the local user.

commit 9385e067a9dc7759d1ba1ca821efba4fcc70c044
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Jul 3 15:28:47 2011 -0400

    update changes

commit 2d421ff4c5f7259120d4050b2f59db8dd57176a8
Author: Bart Trojanowski <bart at jukie.net>
Date:   Sun Jul 3 15:15:23 2011 -0400

    remove forced debug_mast enable

commit df6f04b1ee0b09223e7e78fe6be69c84639ac9b5
Author: Bart Trojanowski <bart at jukie.net>
Date:   Sun Jul 3 12:01:52 2011 -0400

    be more careful about which {mast,ipsec}priv structure is being used
    
    This fix addresses crashes in ipsec_set_dst() when the ixs->physdev was
    NULL.  The problem occurs on transport mode connections in mast mode.  In
    mast mode the physdev is undefined, but was still being used to route
    packets out.
    
    Here is what was actually changed:
    
    - prevent blind casting of netdev_priv() to {mast,ipsec}priv
    - netdev_to_{ipsec,mast}priv() wrappers get private data from net_device
    - mark {mast,ipsec}priv with distinct cookies
    - panic with BUG_ON() if the wrong structure is being used
    - in ipsec_set_dst() allow for ixs->physdev to be NULL, and use route's device

commit 0f8318af3f006b8d39fd883efa0dda4da4858db7
Author: Bart Trojanowski <bart at jukie.net>
Date:   Sat Jul 2 13:08:43 2011 -0400

    ldsaref: need to specify the location of the libsaref.so for LD_PRELOAD to work

commit 38eed94e996e62d640b8a408befb0ef80c5b91b9
Author: Bart Trojanowski <bart at jukie.net>
Date:   Sat Jul 2 10:24:27 2011 -0400

    run depmod even if /sbin is not in the PATH
    
    (this happens when running sudo make minstall)

commit 66e81748ae2248a51941642dee2c8a7863803fe7
Merge: 7ef683b 5b50e54
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Jun 16 13:41:05 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 5b50e54326eea08d967f8df8de1dda72f42fa185
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jun 14 18:36:17 2011 -0400

    update CHANGES

commit aaf8080e6db73bb70e5ee47356e5628942f33fb4
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jun 14 17:31:42 2011 -0400

    mend

commit 9b68045bff4a0cfda1198434f19345eca027e6bf
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jun 14 17:30:06 2011 -0400

    MAST: Add the ipsec_xmit_sanity_check_dev() check in the mast path,
    similar to the ipsec path.

commit cbeab0221a0e16751e4a09783988cdd40916a0c3
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jun 14 17:16:21 2011 -0400

    Exclude the virtual interface to physical interface check for mastX
    in ipsec_xmit_sanity_check_dev(), so that we can call this function
    in the mast xmit patch as well.

commit 7ef683b9859dd2fb424afa43d85a70164c1947a8
Merge: 62bbcbc e634277
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Jun 14 11:05:25 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit e63427748d1a465c523ba0e1c43d1194539f3feb
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jun 10 09:12:37 2011 -0400

    updated changes

commit 6c67964cc6a45cac42490862912b1232137eaa69
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Fri Jun 10 09:04:29 2011 -0400

    Fix a null pointer dereference panic when ipsec is unloaded and kernel
    is saref patched.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 97e564d3d0e9c96acf6176c585e6b11c26a0052e
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Fri Jun 10 08:58:24 2011 -0400

    Fix accidental redirect (">") to file that was meant to be a -gt comparison
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 2d02b39a354021470b704a654da79758909f8ca2
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jun 8 14:09:34 2011 -0400

    start 2.6.35 changelog

commit c583887a157920ea780b1ec23117826979254dc8
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jun 8 13:54:46 2011 -0400

    remove blank line in CHANGES

commit ffd7776e0a4ca196c999c48f82d854800cbf1a1e
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jun 6 22:58:46 2011 -0400

    updated changes

commit c703b622c201e5e0eac62a87dfbe389d4dedd8b7
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jun 6 22:56:57 2011 -0400

    Fix for below oops by David
    
    [  139.484734] BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
    [  139.484767] IP: [<ffffffffa022902e>] ipsec_set_dst+0x7e/0x290 [ipsec]
    
    [  139.485433]  [<ffffffff8100f34f>] ? xen_restore_fl_direct_end+0x0/0x1
    [  139.485454]  [<ffffffffa022c917>] ipsec_xmit_send+0x37/0x400 [ipsec]
    [  139.485474]  [<ffffffffa022940f>] ? ipsec_nat_encap+0xef/0x1f0 [ipsec]
    [  139.485495]  [<ffffffffa0233061>] ipsec_mast_xsm_complete+0x91/0xb0 [ipsec]
    [  139.485515]  [<ffffffffa0228d00>] ipsec_xsm+0xe0/0x390 [ipsec]
    [  139.485538]  [<ffffffffa0243d11>] ipsec_ocf_skbq_process+0x21/0x50 [ipsec]

commit 62bbcbc85e6ac3c0ffd6fa2efefd31a83832e470
Merge: 9ecebde 9544d04
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Jun 7 09:26:05 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 9544d04d9ed43bc1ffb1b6c343338cfd30b1a939
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jun 6 11:06:59 2011 -0400

    updated changes

commit 5982ef556f46b64a377450a7477d6dee7e900396
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Jun 6 11:05:37 2011 -0400

    KLIPS: Only fixup the ethernet header it might be on
    
    PPP devices do not have ethernet headers,  so no need to fixup the
    protocol in the header if it can't possibly be an ethernet header.
    The fixup is needed for ip4inip6 or ip6inip4 ethernet packets.

commit 6ba1f576865203fa548de67046ebb7b02db72b7b
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jun 6 14:45:07 2011 +0300

    fix acquire_netlink broken by b20993af4618e7c10cdb9dab5e4900e06bdf32ad

commit 9ecebdecbcbe380f57eac6562add20edfb36a6e8
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Jun 6 16:37:16 2011 +1000

    Only fixup the ethernet header it might be one
    
    PPP devices do not have ethernet headers,  so no need to fixup the
    protocol in the header if it can't possibly be an ethernet header.
    The fixup is needed for ip4inip6 or ip6inip4 ethernet packets.

commit 6c47add795d7cdd868b3063180a8da1d7889ddea
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Jun 4 17:11:06 2011 -0400

    updated changes

commit 86a5945e20ffa61936e93b52c499e06b465c4403
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Jun 2 15:26:48 2011 +1000

    Routing cache corruption due to ip_select_ident
    
    The comments in the code said that dst has to be set before calling
    ip_select_ident, but dst wasn't set correctly.
    
    It was corrupting a private value (rt->rt6i_nfheader_len) that would then
    result in ip6_output calculating invalid mtu/packet sizing and rejecting the
    transmission of a packet with EMSGSIZE.
    
    Rework the dst settings and ip_select_ident code so that is all gets done
    in the correct sequence.  This helps clean up the flowi code a little and
    it is easier now to clean it up properly at some point w.r.t. IPv6.

commit cb423a95d215606fa4bc53d74d4e1b71daa58f41
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri May 27 19:31:01 2011 +0300

    Removed reference to http://www.freeswan.org from ipsec --help

commit 6feb1466d892048743f89ab17d9214a6523736ca
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri May 27 19:24:14 2011 +0300

    remove reference to www.freeswan.org

commit 2adce40c9e925b192742d299c2dd721a00e93e20
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri May 27 15:52:49 2011 +1000

    A couple of small fixups for linux-2.4 compiles

commit 84cc7d7f292803be77f0313227a189b3b0224797
Merge: 861dfb3 157cd31
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu May 26 21:28:53 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 861dfb39ad31eebf848d71341f390ffef63b3fab
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu May 26 21:21:22 2011 -0400

    deleted two useless scaffolding files in docs/HACKING/

commit 157cd317de791bba7ea8c0cc41cf7e14e8473f34
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu May 26 16:29:42 2011 -0400

    updated changes

commit e663652c94dfd187ebbd5266f40ee0dcd5f08719
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu May 26 16:28:17 2011 -0400

    2. Protocol port issue when using hostnames instead of ipaddress in
    connection definitions (rhbz# 703473): leftprotoport/rightprotoport option
    does not work when using hostnames with ipv4. With ipv6, this issue can be
    reproduced even with ipv6 addresses, if you don't specify
    "connaddrfamily=ipv6" in the connection definition.  The reason is that the
    ipv6 address is considered as string and is tried for name resolution
    leading to wiping of ports from the connection. However, the ipv6 connection
    gets established. IOW that to make an ipv6 work, it is not really needed to
    specify "connaddrfamily=ipv6", however breaks protocol/port stuff.

commit f14d6de160f385f731752cb6a1370d8268f73b9e
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu May 26 11:28:28 2011 -0400

    update changes

commit a7489395a43cbdb4fc13c2f3a4434354d07fb9d7
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Thu May 26 11:25:19 2011 -0400

    1. Broken AH support with NETKEY since ages (perhaps since 2.6.15/16) (rhbz# 704548): AH protocol does not work when setting as phase2=ah, leading to
    unsuccessful connection. This ends with error "unknown encryption algorithm".

commit f3912301a780f3da73ccc98dfa93a0a5535277ff
Merge: 61fa46b d04c1ff
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu May 26 10:37:47 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 61fa46b833edd6d4c1755fcd6cf1c6b360311ac7
Author: Michael Richardson <mcr at sandelman.ca>
Date:   Thu May 26 10:37:27 2011 -0400

    more warnings about strict alignment: use pluto_crypto_req buffers
    instead of buffers of long
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit b20993af4618e7c10cdb9dab5e4900e06bdf32ad
Author: Michael Richardson <mcr at sandelman.ca>
Date:   Thu May 26 10:36:58 2011 -0400

    gets rid of warnings about strict alignment: code should run faster on
    Sparc, not-core dump on Alpha, and fit in caches better
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 6d1e499bdbb598f4e5bc8045d65fdf6ed3147994
Author: Michael Richardson <mcr at sandelman.ca>
Date:   Thu May 26 10:36:41 2011 -0400

    make do_command an external so it can be referenced
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 13227de78e2949368422a331cbea5e654c4618c6
Author: Michael Richardson <mcr at sandelman.ca>
Date:   Thu May 26 10:36:24 2011 -0400

    the %li needs to always have a long, particularly on 32-bit platforms
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 6d658673e46b177986c9b24e68ab8432d826a28b
Author: Michael Richardson <mcr at sandelman.ca>
Date:   Thu May 26 10:36:05 2011 -0400

    get rid of unused variable
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit d950f768eb8978795dd8599bb7e00c24aab46c9f
Author: Michael Richardson <mcr at sandelman.ca>
Date:   Thu May 26 10:35:08 2011 -0400

    with -Werror, the exit routine needs to be marked never returns
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit d04c1ff4f5d20c19076f49f3d14867b31a276d44
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu May 26 22:59:38 2011 +1000

    Clean up IPv6 logging
    
    A few spots that weren't being handled nicely and producing incorrect logs
    for IPv6 cases.

commit 536bde334f918a74a41a066f6331f2445d81f5ad
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu May 26 22:54:08 2011 +1000

    The policy check should check against flow family
    
    Since we are checking the inner policy,  the flow family is the one we
    should use,  as the flow addresses are what we compare and report.

commit 5a843c9e017121004c4f4d75695f895ea843fa1b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed May 25 09:11:59 2011 +1000

    Fix ip_route_output_key usage after 2.6.39 changes
    
    The call to ipsec_route_dst got lost in the translation.

commit 49e9ea175219591beee0d5df03543a38f04c3812
Merge: 465a933 d8c07ad
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue May 24 09:47:55 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit d8c07adb13c8100d76fb03fe9f2e03b280622dde
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue May 24 09:07:31 2011 -0400

    updated changes

commit cfa9861ca4c06acc9f8cb2ded457208d4a739c34
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue May 24 14:00:30 2011 +1000

    Further cleanups for #1233
    
    I wasn't happy with leaving things undone in the last patch. This one
    ensures that any calls to destruct after we unload will be ok,  we still
    prefer to wait a bit first though and try to exit cleanly.

commit e7a88c921ab7b34f6d8117a1a4dd844589e1d6bd
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue May 24 12:55:52 2011 +1000

    Compilation support for linux-2.6.39
    
    Here are the safest set of changes I could come up with for now.
    The struct flowi bits definitely need a clean up.

commit a07572d5528677ff65ba5a1c8ebaa7903e7fc8e1
Merge: ecb4717 10af2ed
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue May 24 11:09:03 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 10af2ed8a6edc711500e900e8cb4daf668156406
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon May 23 19:04:44 2011 -0400

    updated changes

commit ed0c0aef365e158d544ba2de44cf5f5214b5481f
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon May 23 19:03:32 2011 -0400

    Various file descriptor leaks and minor memory leak fixes from Avesh,
    looked over by Hugh Redelmeier.

commit ecb4717f8bd3d298d051e26c08a4bcafc3eeac85
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon May 23 13:14:43 2011 +1000

    Race with nat-t and driver unloading
    
    A race condition with the unloading of klips and the closing of
    encapsulation sockets meant it could happen after the driver
    was unloaded and or during,  causing an oops.
    
    https://gsoc.xelerance.com/issues/1233

commit 465a9334ce14d20673e09c55778b1cdcba878464
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun May 22 17:29:16 2011 -0400

    Set CONFIG_KLIPS_MODULE to 1

commit 73153205e89518ecf07343dfdd0a71c5f8ed0853
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 14:34:44 2011 -0400

    fix comment

commit c08fd4def1dcf680e9d94803a2f3fa597a489784
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 14:34:15 2011 -0400

    updated changes

commit eae17541a4bb32e55477229b564e452102d2217c
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 14:32:08 2011 -0400

    Enable cryptoapi in ./linux/net/ipsec/defconfig to match the stock
    packaging/linus/config* files

commit 693bec1cac134819f941d84609235ae5652f048b
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 14:00:13 2011 -0400

    remove unused but set len variable from do_md5_authentication()
    and two occurrences of set and unused dns_idx, wins_idx attr_type

commit 93a0ed73b8b32f2333ab562b5237a4dd62e861ef
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:59:49 2011 -0400

    fix adding the new vendorid VID_CISCO_IKE_FRAGMENTATION

commit cd81e9a03650acb99222debad1b4a8a22cde4255
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:58:54 2011 -0400

    removed unused but set variable dh_matched from ikev2_acceptable_group()
    and oldgotmatch in ikev2_parse_parent_sa_body() and ikev2_parse_child_sa_body()

commit 64d76056df583e9b5c293bbb1c2f32693feafa59
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:57:27 2011 -0400

    out_sa() had a really weird loop construct to "figure out how many
    proposals we are going to make". After reading it with Simon a couple
    times, it made no sense and we simplified it.
    Remove unused but set variables in preparse_isakmp_sa_body()

commit ce07482f62aa28b76153ab6a3132b5aec08969db
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:56:40 2011 -0400

    remove unused but set extn_oid from parse_ocsp_single_response()

commit fa2809569839f2b2c1e12faa6fc68f58139e05e5
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:55:53 2011 -0400

    pfkey_add_sa() calls pfkey_msg_parse() but did not use its return
    value. Log it now in case of error (which can never happen but gcc
    doesn't trust us on that)

commit 96b90cf70e228ddf81bbdbb162126134873e62ac
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:54:32 2011 -0400

    In netlink_raw_eroute() satype was set but unused. Logging it now.

commit 0a326ff5dde41d152a1f3b0fbbe20d26b5ab16a8
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:53:54 2011 -0400

    Removed unused but set variable ero_top in could_route() and
    route_and_eroute()

commit dab3025f6937a0657bdeb9cb1fda8b8e7a7ff05c
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:53:26 2011 -0400

    Removed unused but set variable kind (from c->kind)

commit 2df55a51f84ec4e85de34d01c22788e9b192c633
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:52:59 2011 -0400

    Removed unused cert_hd

commit f78b3959221b0c7b8ce45f63041c341a83892dc5
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:51:47 2011 -0400

    if'ed out the variables best_tsr,best_tsi in ikev2_evaluate_connection_fit()
    they are set, but unused. The same for connection b; in ikev2_child_sa_respond()

commit 493c8880791982d08c86136ca8d7670bd853e935
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:50:36 2011 -0400

    In process_v2_packet() we check if we are the responder or not. If
    we are, we expect an rcookiezero. We stored the check result but
    did not use it. Added logging a warning now.

commit dc27877b6d6f40ed4a7d44c47626a46a076b30dc
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:49:27 2011 -0400

    quick_outI1_continue() calls quick_outI1_tail() but ignored its return
    value. For now, log any result that is not STF_OK

commit 9b702ef21cf56dec610a772eb0edf48bfc6f9428
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:49:09 2011 -0400

    Remove another NULL cast to time_t for time()

commit f6c57f5de7bf0db1f0f6726688633cdf688dd340
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:47:48 2011 -0400

    dpd_outI() picked the last entry of p1st->st_last_dpd versus st->st_last_dpd,
    but then ignored the actual result stored in the variable last

commit df780dbd1e15580dcd03c803fc68072effa76500
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:47:13 2011 -0400

    calc_skeyseed_v2() took chunk_t gi,ge; but did not actually use these.

commit fa16a2e47278790d97daa5c1cc41e10afc818680
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:46:32 2011 -0400

    log the (ignored) result from waitpid.c in send_eof() to make gcc happy

commit 0d7fcbbeb9d9af8c9d0994e157bb7efb910c1a98
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:45:49 2011 -0400

    fix format warning in in_struct() to use %li instead of %d for remain=

commit 331145da14ccd825e8fbcd3e05d8b80922b1f6ee
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:45:13 2011 -0400

    Check return value of initaddr(), even if we never expect it to fail

commit 476649a07162f5e9bfd533b64dd139b1af90e18f
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:44:53 2011 -0400

    Remove unused time_t created

commit 4dd63ff3033b401dc2dd7d05683048be2c7c5952
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:43:26 2011 -0400

    No need to cast NULL to time_t for time()

commit 33a78ab8298d85b1595ffaeee3f09e94d5e3f455
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 13:43:07 2011 -0400

    remove old rcsid

commit 612a8683cd98bdc656e7bf63d7bde85c9f0f3ef9
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 20 11:38:09 2011 -0400

    updated changes

commit 19d744e43b44b6b88602ef64834710cdaafbbea8
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri May 20 23:24:16 2011 +1000

    Return default stack to klips over mast
    
    During one of the cleanups,  mast overrode klips when --use-auto
    was invoked.  This restores it to the old default.
    
    So "auto" effectively means:
    
    	1.  netkey (if support compiled and present in kernel)
    	2.  klips  (if support compiled and present in kernel)
    	3.  mast   (if support compiled and present in kernel)
    
    Although 3 is unlikely to be reached as 2 will already be there.

commit db1e22fe141740bd63fd14106a426f3608a179f2
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri May 20 23:17:52 2011 +1000

    Remove bogus build warning about override ALGs
    
    The warnings about inbuilt DES/AES overriding the cryptoAPI
    versions are wrong.  If cryptoAPI is present with appropriate ALGs
    and openswan support for cryptoapi is compiled in, it will be used
    in preference to builtin ALG's,  but one or the other is chosen,  not some
    blend of both.

commit e509d8f7fa0031488af98161baa16a9ae9d15989
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu May 19 11:15:43 2011 -0400

    updated changes

commit 8c056194347f9a51955fcf2a63bbc2f15df33d07
Merge: 4faca9f 60f5ff6
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu May 19 10:11:52 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 60f5ff6d3366eff99c99fe455c18a322daff1719
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu May 19 18:40:32 2011 +1000

    Fixup some of the OCF build support
    
    Add a defconfig and fixup some warnings when building OCF+openswan
    as external modules.

commit adf1c910d0451ac5acfde4b94be5d524ffe5b621
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu May 19 18:39:38 2011 +1000

    Fixup the paths in the default make help target

commit 813cfd330d324bc87b2f0ce7c8116b5b04e1c322
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu May 19 14:38:25 2011 +1000

    Fix oops if packet is received on detached tunnel
    
    If a packet is received while the virtual device is detached from the
    physical device we crash in netif_rx because "skb->dev" is NULL.
    
    To reproduce:
    
    	Start a tunnel then attached to PHYSDEV
    	ifconfig PHYSDEV down
    	Start a flood ping over the tunnel from the other side
    	ifconfig PHYSDEV up
    	crash .....
    
    We only crash after the "up" because the virtual interface comes up at the
    same time,  but we have not been re-attached.

commit fbbd8b242aaedea0a2bccf5e7bc19d2fad4484a9
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu May 19 14:37:16 2011 +1000

    Fix some formatting so you can see the code
    
    Code after a comment is just not easy to see ;-)

commit 4faca9f309d2bc188898e9317c3f7a06ca02e762
Merge: c49bc7b 3fcc338
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 13 18:19:32 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit c49bc7b46f6fb490deb20c7368b0029b683e31ee
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri May 13 15:51:07 2011 -0400

    Added Cisco IKE Fragmentation vendor id

commit 3fcc3386b196df68c4cbc03034de6e882df50626
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed May 11 12:52:36 2011 -0400

    updated changes

commit ce8634bec26188f9019164d87796139dc0754e40
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed May 11 12:50:37 2011 -0400

    cleanup various config-* files. Removed the ones we never tested in years,
    and were mostly identical duplicates anyway. Removed arch specific fedora
    ones. Fixed the #define XXX 0 to be #undef XXX (the OCF and NAT ones)
    Removed CONFIG_KLIPS_REGRESS as it is not used anywhere anymore.

commit e2ecfaf93932e1527f69c34d00f82d174c71ee78
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed May 11 12:25:10 2011 -0400

    updated changed

commit da08a88da69be759730f0c40ff874bf67771eb65
Author: FURUSO Shinichi <Shinichi.Furuso at jp.sony.com>
Date:   Wed May 11 12:22:46 2011 -0400

    [MAST] refcount bug when using transport mode prevented ipsec.ko unload

commit b59cba64392eae978e794d25b696de6208fddf7c
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue May 10 16:19:42 2011 -0400

    updated changes

commit da9a995d2bb64fbd38a55a34b0b6e74c0d6ea7e9
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue May 10 16:19:06 2011 -0400

    Fix a few gcc unused-but-set-variable warnings

commit a1f8bc92ffcf646d65b7706512c65bf7910e06c9
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Apr 29 13:47:44 2011 +1000

    Fix compile warning for ippkttotlen
    
    We don't need a %lu for ippkttotlen,  %u is just fine,  but we do need to
    cast our argument to match on all systems.

commit afc7ef395a92c1c68bdbd66e008f2c633738ce20
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 28 13:13:53 2011 -0400

    fix updown.mast.in - missing fi's

commit 1704d9341b390ff0dae0467acb6cfb2635af1d91
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 28 12:11:01 2011 -0400

    update changes

commit 4c022b29d561ea5570ced021b6ca8d8719c0e0c5
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 28 12:09:27 2011 -0400

    Added PLUTO_CONN_ADDRFAMILY=ipv4|ipv6 to updown.* (to disable SAref on v6)

commit 3b35e50fb869d8743602229b93453372fbcc5a50
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 28 11:42:07 2011 -0400

    the ntohl() call was missing from the previous ipv6 fix

commit e78a7f0d70bc464b551bd4b55092e4684265b7bb
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 26 20:40:02 2011 -0400

    updated changes

commit 6f5770fe3330626c0b5fc0c560355a1e50ce8653
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 26 20:33:35 2011 -0400

    KLIPS IPV6: Fix packet fragmentation.
    
    We were not sending an ICMPV6 because we suppressed sending on icmp,
    meaning ping tests with packet sizes wouldn't trigger any fragmentation.
    
    We were also sending ICMP_DEST_UNREACH instead of ICMPV6_PKT_TOOBIG.
    
    icmpv6_send needed ntohl() over the mtu compared to icmp_send()
    
    It should be safe to send ICMPV6_PKT_TOOBIG, as that packet in itself
    should never be too big.

commit 906372284b1b413836ee50be9271872fb4cc1e4f
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 26 18:28:40 2011 -0400

    Revert 33d6bfe19c6a600a1db7c2af87dc4385515f03aa partially. It did
    not work and caused more problems than it fixed.

commit ccc06d0a5c881db91fb5b239875d7b1e3015d2ad
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 25 19:37:01 2011 -0400

    Fix conn name in ipv6-v6-through-v4-klips-klips

commit 37b36e400ddc9490a69857b839acb3eff5eaa717
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 25 19:35:12 2011 -0400

    Fix conn name for ipv6-v4-through-v6-klips-klips

commit ecd3cc2270761568f4c9a2c7fc29d8de8b729106
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 25 09:37:29 2011 -0400

    ipv6-v6-through-v6-klips-netkey/east.conf needs protostack=netkey

commit 003795a715ee81542af0d03a929a7b2daafb1e16
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 25 09:14:27 2011 -0400

    suppress an error in prepare-client-v6 when a v6 route is not there to
    delete.

commit 60b22e1ef50779b3fe0ddfa84f69419b6f671938
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 25 08:57:32 2011 -0400

    net.ipv4.tcp_syncookies is no longer a kernel sysctl option.

commit 4f6f9645d4c9a154e75614ff523248dee4af3c88
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 25 08:39:54 2011 -0400

    Fix ipv6 6in6 testcases to use westnet-eastnet-6in6 not westnet-eastnet-ipv6,
    which is only the subnet definition. Fix ordering in ipsec.conf.common
    for als= statements

commit e7765bb9c6b8527aee27cc48fa42526acb4588f0
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Apr 24 18:34:06 2011 -0400

    IPv6: updown.klips/mast needed some checks for 0.0.0.0 expanded to ::/0

commit 33d6bfe19c6a600a1db7c2af87dc4385515f03aa
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Apr 24 17:56:19 2011 -0400

    Remove a check for ipv4/ipv6 inconsistency in check_connection_end()
    that would prevent us from doing 6in4 or 4in6. Though oddly, it
    seemed to have never triggered?

commit cdbcfe3bae5d33baf70b37e0c6e790e134c80dd9
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Apr 24 17:04:48 2011 -0400

    updated changes

commit 33e41006df0600d4bc9ab26fe82c287d33fbced1
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Apr 24 17:03:00 2011 -0400

    Remove wrong duplicate define of HAVE_KMEM_CACHE_MACRO for 2.6.22.
    It is set for 2.6.23+. This resolves compiling klips on 2.6.22.14-72.fc6

commit 97cfa6ba11dc6e28c76a3e8001f673cd13c5b996
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 21 23:56:23 2011 -0400

    update ipsec.conf man page with updated connaddrfamily= information.

commit 1f711b281703572b876c01e6256d0c04ceb07bac
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 21 23:42:26 2011 -0400

    Since ipsec.conf.common now loads properly, don't use manual whack
    for the 6in4 4in6 testcases anymore. I left the whack workaround
    in comments, it might be useful.

commit 48fc0537188e817c67d93b227a4019f6d5202e07
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 21 23:33:08 2011 -0400

    Fix confread.c parser to not fail on nexthop= settings with ipv6.
    
    Moved the proper configurations in ipsec.conf.common, which now loads
    with these changes for the 6in4 and 4in6 cases.
    
    This issue is a little tricky. Currently, the parser assumes that
    the family for left,leftnexthop,leftsubnet is always the same. This
    is false for 6in4 and 4in6 tunnels.
    
    I've made the parser more lenient but it might now allow really bogus
    combinations of left=1.2.3.4 and leftnexthop=::1
    
    The problem is that the parser starts in validate_end() with pulling
    the connaddrfamily value and base all checks off of that. What we will
    need to do is determine the family of (1) left/right/leftnexthop/rightnexthop
    and (2) leftsubnet/rightsubnet and see if the two sets are consistent.
    
    This is somewhat hard due to %defaultroute, %any and vhost/vnet options.
    
    connaddrfamily= as an option is horrible when configuring 4in6 and 6in4.
    Currently, best results are to keep the connaddrfamily= to the family
    of the subnet, and in absence of that, of the left/right

commit 05a4d1b43a0305f1bdcb62a3318f40efe97fed07
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 21 23:24:36 2011 -0400

    Added readwriteconf-24 and readwriteconf-25 test.
    The first one tests for valid ipv6 host,subnet and 6in4 and 4in6
    configurations. The second one is a test that should fail with
    bogus combinations of ipv4 and ipv6.
    (second one might need to be split in different tests)

commit 0982274f7e752942a54216b3616d1ba7580cf70a
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 21 16:29:44 2011 -0400

    added auto=ignore to 4in6 conn

commit 1eaf903840e0d47820a4f86813552a357cd184ed
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 21 16:28:39 2011 -0400

    log my two failed methods for filtering unencrypted pings with netkey.

commit 4151b23d040edef1c5b3a448ed5b923ed132d3ca
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 21 12:50:34 2011 -0400

    The --pfsgroup XXXX option was missing in "whack --help"

commit 04dcd65f8e3696ff354588ab6c135517a09cd4e2
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 19 16:48:57 2011 -0400

    Fix initrd generation for i686 assuming rootfs is an updated Lenny distro

commit 75b69685900246b9960c608fa61d46da4f00de39
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 19 00:28:17 2011 -0400

    Temporary workaround for the parser not understanding if we want to
    do ipv4 tunneling via ipv6 endpoints

commit 3d1c228e9ecf313c55f576f68c137b44a454b214
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 22:41:49 2011 -0400

    minor maintenance in BUGS, file should be phased out for bugs.openswan.org

commit 857924f7e7912ac186629133c237907b7dd8ae4b
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 22:37:35 2011 -0400

    updated changes

commit e58f9269d472446ff25f9c19d86ffb9ab9058a0f
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 22:28:57 2011 -0400

    Add ip6tables table and mangle to existing iptables output in ipsec look

commit a6dca2b2ab4ea58f0a617b8ef40ba65865e5041b
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 22:27:10 2011 -0400

    Add ip6tables output for regular and mangle tables (there is no nat
    table for ipv6 yet?)

commit 06f50e3526c4a781099ab64d59aa3eb7bbc1da5f
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 22:20:29 2011 -0400

    Kernels up to 2.6.24 do not have init_net, and ip6_route_output() takes
    only two parameters. Patch by Sony Japan

commit 0ec078b2c3c8a6481c38ce6b3a5fa25296915415
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 22:17:56 2011 -0400

    IN6ADDR_ANY_INIT and IN6ADDR_LINKLOCAL_ALLNODES_INIT are not defined on the
    SLES10 kernel when IPv6 is enabled. Patch by Sony Japan

commit 45363a1a95325df22af70bf6012d3965cd37eb14
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 22:08:54 2011 -0400

    ipsec_mast_check_outbound_policy() checks each byte of ip6 addr, but
    one of the indexes is wrong. ipsec_rcv.c has the same code.
    Patch by Sony Japan

commit fb4b53d177fe82813a2d573e8d96792f8fa03207
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 21:59:24 2011 -0400

    change FreeS/WAN -> Openswan in testing configs

commit baaacdb5fd10c88dcf58b13ea00b4d1a2689ecb0
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 21:56:54 2011 -0400

    move west-east-4in6 and west-east-6in4 to ipsec.common

commit e12a0b57cb64a3fb9510a7afec6cc4655e899a7b
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 21:53:01 2011 -0400

    removed old copy of testcase

commit bad49d67e17203d8f53594ea4f9956a84a6961f7
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 21:21:41 2011 -0400

    Added ipv6-v4-through-v6-klips-klips and ipv6-v6-through-v4-klips-klips tests

commit b1c43bad583e22c361b58e101df99c6669fd7b62
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 19:22:51 2011 -0400

    fixup ipv6-v6-through-v6-netkey-netkey similar to the -klips-klips case

commit 4bd481ad73a6bccd65e36981383bd7c812bfb9fc
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 19:18:38 2011 -0400

    Add ip xfrm display in "ipsec look" when we detect XFRM support.

commit a2c57a044f4e04b492acdb85de073d1d7ef7d177
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 19:12:48 2011 -0400

    fix ipv6-v6-through-v6-klips-klips ping commands. It also will need
    new output (once fixed) for the new "ipsec look" that now also displays
    the ipv6 routing table. This test also needs a fixup to not need ping -I

commit a187576f42d84e3ac36abc6f20483e12b87fafb9
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 19:06:20 2011 -0400

    Added NEW_IPSEC_CONN table display to ipsec look
    Added ipv6 route display to ipsec look

commit 8a4f8ec56b1e8e7416abd4c69404891239875a64
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 18:35:23 2011 -0400

    Move the wait-until-pluto-started right after pluto starts and before
    trying to send it auto/whack messages.
    Add a ping to the testcase, on purpose without -I sourceip, to show
    this fails because of a missing route in _updown.klips. This needs fixing!

commit 1599bc9959a69df767c2d8b6491198c87663f908
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 17:53:13 2011 -0400

    westnet-ipv4 and eastnet-ipv4 were references but not present and
    thus ignored, causing basic-pluto-01 to build a host-host instead of
    a net-net tunnel.
    
    Note that I filed a bug for this: https://gsoc.xelerance.com/issues/1239

commit 88ec140e62101c311e8f7c046d3b4fa258c057b2
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 13:26:17 2011 -0400

    Port of David's commit faa0133d 'Fix family check when policies are not set'
    from klips to mast. Patch by Sony Japan.

commit 44c9912f4493d6338d07cdca1d7540c9076f3c8f
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 13:21:43 2011 -0400

    SLES-10 kernel also needs FLOW_HAS_NO_MARK. Patch by Sony Japan

commit 40c742a290a14051beecb058932879a7770037e1
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 18 13:20:08 2011 -0400

    Missing #ifdef CONFIG_KLIPS_IPV6. Patch by Sony Japan

commit c48b76387849b0b70def1752a83376ce5dffa5c8
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sun Apr 17 01:13:15 2011 -0700

    Fixed syntax so that if the two variables are not set, they default to false.

commit f478fc51258cd4cda0ea13bea97d017ed3f4c13e
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sun Apr 17 01:12:03 2011 -0700

    Formatting changes for consistency.
    Bits of code missing fixed up, including a critical missing "then".

commit 7cfd728c39d4bc6d5072449eddcc7dd80915dba1
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sat Apr 16 23:45:54 2011 -0400

    In lib/libwhack/whacklib.c line 148, the comment is wrong.  19 should
    probably be 28.
    
    in lib/libwhack/whacklib.c, lines 83 through 87 are redundant.  If you
    delete them, then the value for len can replace the use of len and that
    variable can go.  Then the code matches what I wrote.

commit 5690a3c8a2aaeadafcd4b492952f128c48adcea8
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Apr 16 12:51:11 2011 -0400

    updated netkey, plain and swan kernel configs for 2.6.38

commit 4e09a5089ed9fac89e9b4db41a1d6b9ab1f96252
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Apr 16 12:40:26 2011 -0400

    we had removed the building of klips for the swan26 kernel. This
    puts it back in slightly differently, because we now use different
    EXTRA_VERSION strings for modules, so we can install all kernel modules
    in the BASICROOT.

commit 0ec05cb381dd754bd2b2055f7099cb89f967e0e1
Merge: e1a766e e73723c
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 22:52:59 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit e73723c6df484c723516a69c2fd6b719ca2851d3
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 20:57:18 2011 -0400

    changed NG references to SAREF references. Disabled NATT patch per
    default (as we don't need it since 2.6.22+)
    
    make sarefpatch still needs fixing, as it does not yet look in the
    patches/kernel/saref/ directory for a "best match" to apply.

commit bf0cb0d37f925eedae8e7b4f8d68873725447d43
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 20:29:27 2011 -0400

    redo the EXTRAVERSION= check/replace, as somehow in subshell land,
    things caused make to abort with an error with no details on why.

commit 0d6f5bc8568bc81705574378369a92a93263b680
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Apr 15 08:28:31 2011 +1000

    Fix inbound policy --addin, add --replacein
    
    As far as I can tell the --addin option is to set the inbound policy
    for an SA,  but,  we were not setting the flags appropriately.
    Fix this up and also add a replacein option for completeness.
    
    This code is only used when using eroute to configure tunnels rather than
    letting pluto handle it.
    
    Currently the manpage does not document --addin (and now --replacein)
    and needs updating.

commit 5dbbd66f417f4df031a1265a9ec627fe4b987db3
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Apr 15 08:25:13 2011 +1000

    Make sin_family setting the same as addflow
    
    Make sure we are running IPv6 settings if needed.

commit faa0133d785b6f6abdb3c39fde9cf34383d82a07
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Apr 15 08:23:19 2011 +1000

    Fix family check when policies are not set

commit e1a766ea383239971f1bea91df1c580c7eaaad06
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 17:56:02 2011 -0400

    remove old cvs id

commit 896c0532d8b43525f7016ece0cc81e0d43cafd9a
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 17:55:32 2011 -0400

    prevent double replace within EXTRAVERSION

commit b195c03ff55416f2a1129adfdf762c8911d64c7b
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 17:35:26 2011 -0400

    Don't make building swan26 special from the other kernels. This also
    fixes the 'make modules' target for this kernel.

commit cfe35724f9a2f73046bead0ce123a416c9802788
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 16:16:05 2011 -0400

    Add netfilter and ipv6 to umlswan.config

commit c510e968f5780b2f97a832e349cf8acded780069
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 15:23:21 2011 -0400

    Change utils/make-uml.sh so that "make check" builds kernels with the
    EXTRAVERSION set different for each flavour (plain,klips,netkey).
    
    Also always build modules for these kernels - this is to allow us to
    have things like iptables/ip6tables modules. Since we need different
    modules for different kernels inside the same rootfs, we need to make
    their uname -r different, hence the EXTRAVERSION

commit 60aed5c26cd280c19aadf7ac8e68ec68f1b911ae
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 14:53:15 2011 -0400

    Adding a route for ipv6 is "ip -6 route add" not "ip -6 addr add" :P

commit e54c88b51f122a82e8cef39d7c20bfc68bfbb92e
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Apr 14 11:59:33 2011 -0400

    updated changes

commit bca92033da9c27d8bcc709ef777f18d820aa9955
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 12 12:55:22 2011 -0400

    added %v6:fd00::/8,%v6:fe80::/10 to virtual_private

commit 888df9d440898a167f27ed50a2802dca06bfcd4a
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sat Apr 9 03:16:36 2011 -0700

    This was just the wrong place to put the link.  Now done in the testing script.

commit 4b6906017a77b8532375b7539d25b8c1cbb72bb8
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sat Apr 9 03:11:45 2011 -0700

    Updated to make the tcl-8.5++ interpreter not fail on old (bad) syntax.

commit 6b54bc9f78910a7aaa2d291c4e1675a3bdb55902
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sat Apr 9 03:06:20 2011 -0700

    The compile caught a type mismatch for vsnprintf, this change fixes it, but
    not in a typesafe way (I don't see typesafe extensions for *printf...).
    Since the two arguments are now 8 bit, putting them in a "int" should always
    work (unless someone wants to go back to 4 bit computers...).

commit 33e8e9b7bbc85e2f468e746ef05731e3c8db911f
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sat Apr 9 01:48:45 2011 -0700

    Revert "This was breaking the compiler deeply, was never used, and then only in debug land.  Away it goes."
    This worked for two weeks for me in testing, but now, just after I committed
    it, it fails in a simple "make programs".  I am pulling it out till I know
    why it's failing now.
    
    This reverts commit 40fe9cf2ec2e8f06c092be7c7ca0b1901c81711c.

commit 361ad99643dc8eb8d3c04bc9e1aeb54407750cca
Merge: 06d065c 3b1ae5d
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sat Apr 9 01:30:40 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 3b1ae5de130e68d7e4ed467be375ccc57d7f9ff4
Merge: 40fe9cf 982a9fe
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sat Apr 9 01:28:53 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 40fe9cf2ec2e8f06c092be7c7ca0b1901c81711c
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Sat Apr 9 01:20:42 2011 -0700

    This was breaking the compiler deeply, was never used, and then only in debug land.  Away it goes.
    The oswlog.h file had what seemed to be a related type-o (double cut&paste error),

commit 06d065c04b6dfca9918433887beb439323fcc8c1
Merge: c191418 982a9fe
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Wed Apr 6 19:21:05 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 982a9fe786f2575e288d327bf2e4242b3cbacea1
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Apr 6 20:51:51 2011 -0400

    add ipv6 netkey related modules in umlnetkey26.config

commit c191418dadbd220f9aa71f8b696a6e8db5e8b3ca
Merge: 819b780 671314a
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Wed Apr 6 16:25:16 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 671314a3d61846cc2b4344e5b0b47383e025095b
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Apr 6 17:50:31 2011 -0400

    Fix the generation of start-netkey.sh with fixes similar to start.sh
    that can start the modern uml kernel.

commit c7647680ce7228567974dfe73469ce550b5607c7
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Apr 6 13:02:24 2011 -0400

    split the ipv6 testcase into 3 to test klips-klips, klips-netkey and netkey-netkey

commit bb17f0aeb98c3fb619d618b632484741833b80db
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Apr 6 12:34:53 2011 -0400

    fix netmask in westnet-eastnet-ipv6 connection (should be /64 not /48)

commit f1eea399eea72bf39d0bd527aa6080bcd969a599
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Apr 6 12:07:25 2011 -0400

    subnets cannot be included via also= as this gives either a [non-ipv6
    address may not contain `:'] or a duplicate key 'connaddrfamily' error
    So these are now hardcoded in westnet-eastnet-ipv6

commit 3ef2aa94076172622801b09acbaa42956e564488
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Apr 6 11:29:20 2011 -0400

    Re-enable ipv6 autoconf inside the umls, but disable IPv6 DAD because
    the mcast uml interfaces hear themselves back and then fail to use IPv6.
    
    Using the sysctl "all" and "default" is not enough. It has to be
    explicitly run for lo, eth0, eth1 and eth2

commit 819b780f734cec6b9794de23bfa59f141e35cacf
Merge: 834c479 f6cdca3
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Wed Apr 6 06:08:37 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit f6cdca374a27d0a6b18dedfd5ee0be03b73c7209
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 5 12:17:05 2011 -0400

    Fix all uml hosts to have "auto lo" and an inet6 entry in the interfaces
    file for ipv6

commit 2983bd302b2e4ce373c7f5caed277a3fbb8cba17
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 5 10:28:15 2011 -0400

    runme.sh expected to use . in PATH to execute testparams.sh

commit 2b2b16f559228bc6b0300cb5b7e5228f844920f2
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Apr 5 09:57:41 2011 -0400

    Fix pem.c password prompt 'format not a string literal' errors

commit 834c479d273b104aee6fa11735db7383041599d9
Merge: 2c0192b c3569d5
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Apr 4 18:54:02 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit c3569d5dd35c11dfb244e49062b0adedeb9a2bb7
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 19:52:01 2011 -0400

    add ipv6 to uml kernels

commit 2c0192b10ef2b6ac627145a606e701f2202f9755
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Apr 4 16:34:13 2011 -0700

    Generates a symlink for index.html presentation.
    The echo should be silent, not hidden.

commit 6352a627ad1c2748b8ca766cfd5143125f11923c
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 19:18:55 2011 -0400

    Added ipv6-v6-through-v6, ipv6-v6-through-v4

commit 7f65d1ac1cdd51cb152d76eb64cb0044a4f20e6b
Merge: f12339d a3b875e
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 17:32:38 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit f12339ded65ee67b116562e98ea6903fff2ee52e
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 17:29:41 2011 -0400

    updated ipsec.conf.common to have ipv4/ipv6 versions of westnet-eastnet.
    The names are conn westnet-eastnet-ipv[46] though I added the alias for
    conn westnet-eastnet to point to the ipv4 conn.
    
    Also updated ipv6-basic-pluto-01

commit a3b875e5080e8030dc8acefd06cff04d889dab45
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Apr 4 14:24:07 2011 -0700

    Fixed calling deeper makefiles to work better, pass args/results up/down.

commit 1679bc5678e475e28b5af8f84cd8d13a85e3e79e
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Apr 4 14:23:06 2011 -0700

    Turned off pfkey testing for now as it was broken.
    Fixed calling deeper makefiles to work better, pass args/results up/down.

commit c83c2e819308409794a8b9f8d267c6a1c2bc40dc
Merge: 4de879a 35c3bda
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Apr 4 14:20:08 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit d35eb7e894939b1f8cd09ebbb8b054b7216b0aed
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 17:12:13 2011 -0400

    Added IPv6 /48 networks to nic, west and east based on RFC3849 example
    space.  I tried to make a logical mapping based on the existing ipv4.

commit 4de879aaddb0690e9077881776a5de7500798e32
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Apr 4 14:09:03 2011 -0700

    Fixed calling deeper makefiles to work better, pass args/results up/down.
    Added an end of target tag so we can tell it finished.

commit feec0c73728624cb78264695d7f485b09f3ebd32
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 17:06:59 2011 -0400

    Fix openwrt example build line in Makefile (lingering commit)

commit 4012e82e080aec871469fd03eca92893c0c4282d
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 14:02:38 2011 -0400

    added ipv6 sysctl.conf parameters

commit 35c3bda0d978bf120c1f9fb026e6243efae3af02
Merge: d3a1fba 54d863a
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 12:44:17 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit d3a1fba08ba6914dc59dde9829876a9a4f7be1b8
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Apr 4 12:43:52 2011 -0400

    updated --use-* options in man page for pluto

commit 54d863abfe3ba0c8817a3a1c387e45f048c1cfb0
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Apr 3 16:28:30 2011 +0200

    Use protocol values from netinet/in.h instead of hard-coded values

commit 58202792882e2c010517b788e0e689ecb9163d50
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Sun Apr 3 16:24:55 2011 +0200

    Fix duplicate defines for various encapsulation modes (pluto vs ietf constants)
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 3d5bbbe32241fb01d4c48bc03e239a63002c498c
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Sun Apr 3 16:14:50 2011 +0200

    IKEv1-cisco-xauth issue: While testing ipsec connection with cisco vpn,
    it seems that cisco assumes that no xauth and modecfg should be done
    during rekey. The changes are under "remote_peer_type=cisco" so should
    not affect other stuff.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit bbc4cf78426b1cbc462ec99b89d254e7942738f3
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Sun Apr 3 16:04:18 2011 +0200

    Openswan (IKEv2/IKEv1) icmp issue (redhat bz 681974):
    
    It seems that Openswan does not have explicit support for processing
    icmp traffic as specified in RFCs 4301/5996. Although IKEv1 (RFC 2409)
    does not state explicitly about icmp, but this seems relevant to IKEv1
    too. For some background, as per RFC 4301/5996, icmp type is put in the
    most significant 8 bits and icmp code is in the least significant 8 bits
    of port field. Although Openswan does not have any configuration options
    for icmp type/code values, it is possible to specify icmp type and code
    using protoport option. For example, icmp echo request (type 8/code 0)
    needs to be encoded as 0x0800 in the port field and can be specified
    as left/rightprotoport=icmp/2048.
    
    Now with NETKEY, icmp type and code need to be passed as source and
    destination ports, respectively. Therefore, code in the attached patch
    (openswan-icmp-processing.patch) extracts upper 8 bits and lower
    8 bits and puts into source and destination ports before passing to
    NETKEY. I have put this explanation in the patch too for better clarity.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>
    
    (This needs a new test case for both KLIPS and NETKEY)
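
Added example, not part of the commit log or of the Openswan patch: a stand-alone C sketch of the encoding the commit message above describes, parsing a protoport value such as icmp/2048 into the 16-bit port field and splitting it into the type/code pair that is handed over as source and destination port. All function and struct names are hypothetical, and the values are kept in host byte order.

```c
/* Added illustration; every identifier here is hypothetical, not Openswan code. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct icmp_selector { uint8_t type; uint8_t code; };
struct port_pair { uint16_t sport; uint16_t dport; };

/* RFC 4301/5996 layout: ICMP type in the most significant 8 bits of the
 * port field, ICMP code in the least significant 8 bits. */
static uint16_t icmp_pack_port(struct icmp_selector s)
{
    return (uint16_t)(((unsigned)s.type << 8) | s.code);
}

static struct icmp_selector icmp_unpack_port(uint16_t port)
{
    struct icmp_selector s = { (uint8_t)(port >> 8), (uint8_t)(port & 0xff) };
    return s;
}

/* NETKEY split described in the commit: type goes in the source port,
 * code goes in the destination port. Host byte order here; a caller that
 * fills a kernel structure must convert as that interface requires. */
static struct port_pair icmp_netkey_ports(uint16_t port)
{
    struct icmp_selector s = icmp_unpack_port(port);
    struct port_pair p = { s.type, s.code };
    return p;
}

/* Parse "icmp/<decimal>" as used in left/rightprotoport=.
 * Returns 0 and stores the port field on success, -1 on malformed input. */
static int parse_icmp_protoport(const char *value, uint16_t *port_out)
{
    static const char prefix[] = "icmp/";
    const char *num;
    char *end;
    unsigned long v;

    if (value == NULL || port_out == NULL)
        return -1;
    if (strncmp(value, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    num = value + sizeof(prefix) - 1;
    if (!isdigit((unsigned char)*num))      /* rejects "", "-1", "+8", " 8" */
        return -1;
    errno = 0;
    v = strtoul(num, &end, 10);
    if (errno != 0 || *end != '\0' || v > 0xffff)   /* must fit in 16 bits */
        return -1;
    *port_out = (uint16_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real configuration. */
    const char *samples[] = { "icmp/2048", "icmp/771", "icmp/65536", "tcp/80" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t port;
        if (parse_icmp_protoport(samples[i], &port) != 0) {
            printf("%-12s rejected\n", samples[i]);
            continue;
        }
        struct icmp_selector s = icmp_unpack_port(port);
        struct port_pair p = icmp_netkey_ports(port);
        printf("%-12s port=0x%04x type=%u code=%u sport=%u dport=%u repacked=%u\n",
               samples[i], (unsigned)port, (unsigned)s.type, (unsigned)s.code,
               (unsigned)p.sport, (unsigned)p.dport,
               (unsigned)icmp_pack_port(s));
    }
    return 0;
}
```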

commit da6f8b1a25adce1045227b08dd42d4bff7b638a0
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Sun Apr 3 15:55:00 2011 +0200

    IKEv2 hard-coded port issues: In the IKEv2 code, port range was always
    hardcoded to 0-65535 regardless of local policy. The attached patch
    (ikev2-hardcoded-ports.patch) fixes this.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit ad0f150107235ee4e93a1f2487c19af64ec8c0dd
Merge: d414f82 3de2f1e
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Apr 1 08:51:02 2011 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 3de2f1e552daebae4eccb8242ae31919255a41f4
Merge: ef9a7b2 1ac4cf6
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Fri Apr 1 03:39:20 2011 -0700

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit ef9a7b241e13ce9a0b6eef6b32672c337186eb55
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Thu Mar 31 09:33:18 2011 -0700

    Changed how WERROR is defined, letting a make/script from above supersede the definition here.

commit d414f823950c7fc7f4719c9e968345afd9d4d1ea
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Mar 31 10:13:27 2011 -0400

    Remove useless define (already commented out).

commit 1ac4cf62738398b4d8c200658cb60dd867e5b51f
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Mar 31 10:04:50 2011 -0400

    Replace "source" by "." as the first one is a bashism.

commit d214f62ed49de2dfe92a15f7054c8b6439318e7b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Mar 31 14:29:20 2011 +1000

    Fix oops on module unload with mast in use
    
    Code was calling ipsec_dev_put twice on the same pointer.

commit fb5d7aa6720b1d9746e4f82c646f4484d83e4b62
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 22 02:29:46 2011 -0400

    Fix the paths for REF_WEST_FILTER in the ikev2 test cases.

commit 31b540025b7dfb82aef9281e1f82a06f395c2c3e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 22 02:25:21 2011 -0400

    Remove all obsolete debian etc/network/options files and add one
    unified /etc/sysctl.conf with the right settings into the baseconfig
    for all.

commit 828fde19ca65c2044d0e906c905736ef08a7a5be
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 22 02:15:32 2011 -0400

    fix typos in westnet-eastnet testcase base config

commit 8208baaea05d6b933f9678e7793c132be15d2c43
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 22 01:49:42 2011 -0400

    Include stdlib.h when building for userland to avoid a warning about
    main() being different from the builtin.

commit b17b6866188d775f868a7893b863da8d60d77889
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 22 01:49:07 2011 -0400

    Do not define YY_NO_INPUT in parser.l. It is not used and failed -Werror,
    as the comment above it states :P

commit 8dd9d10f7033b27cef78448470df55420e967dc5
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Mar 21 22:40:56 2011 -0700

    Fixed the casts, compiles.

commit d837a4aafe4d81dfa8515b47a32c45f5d5341694
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 22 01:13:29 2011 -0400

    Update the pcr_init() function in testing/lib/libpluto/seam_crypt.c

commit 3f1fb6967f820200156001c657d6368ab8406e00
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 22 01:03:09 2011 -0400

    Fix prototype mismatch for initiate_ondemand() between connections.h
    and whackmsgtestlib.c

commit 9409e1cc7f664db6f3bbb5c2b3e81735c47b7562
Author: Hugh Daniel <hugh at xelerance.com>
Date:   Mon Mar 21 19:30:57 2011 -0700

    Fixes the script so it _can_ run (adds ./ twice).

commit cf650e670bd7f0fdac7022e3be337aadfd3226cd
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 22:25:31 2011 -0400

    Fix all the REF_CONSOLE_FIXUPS= arguments to have spaces at the end
    when they are added using "+".

commit 6aac7c68e80d86d4c2e4d8ee69935cd8f9750935
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 21:44:28 2011 -0400

    Fix the testcases to properly use ../../klips/fixups/no-arp-pcap2.pl where
    they had specified it without full path (which failed because "." is no
    longer in the path)

commit 95aa2a105b2c8600ec231a39d82f12644382196a
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 21:41:48 2011 -0400

    Added leftsourceip/rightsourceip in the base config for westnet-eastnet.
    As far as I know, this is needed. *swan in the old days might have added
    the route automatically (eg in 2.4.x) but we control this now via the
    sourceip options - for both netkey and klips. This suppresses the routes
    when done on netkey.

commit c02851a76db64d9baef4e9f4a6daf3d00d6ae7f2
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 03:43:59 2011 -0400

    use LOGDROP to doubly make sure at the end of the test when we check
    the kernel logs, we see the packets filtered.

commit 67ac4aa2a2c78657fb69056104bd460c18e5bf05
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 03:41:50 2011 -0400

    ensure the root-XX runs a sysctl -p, our lenny based root-36 did not,
    breaking forwarding.
    
    Initialise a LOGDROP table for use in tests

commit d2feb2544583b683848afe1c0dd1b699a2830df9
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 03:17:40 2011 -0400

    Fix login prompt in loginuml. This was temporarily set to
    "maintenance mode" as that is what the root-36 was doing to us.
    Now that is fixed in the rootfs/starting code, we can go back to
    the regular login prompt. However the old commented out one also
    does not appear anywhere, so we changed it to the new one, which
    is simply "login:". This is confirmed working.

commit 3682af5b53dc86cb98c9c9fdadb908a110ecd151
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 01:26:58 2011 -0400

    Add protostack=klips to basic-pluto-01 test

commit ec54dd0aafe35baba1d5a377dbe58c5675104b35
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 00:49:19 2011 -0400

    Set protostack=klips in the baseconfigs for our test cases, so we
    don't start with the mast stack (which we are not supposed to auto-pick,
    but we do at this point)

commit 036e3344d7e523ff7c37aec51b5cb62612793fb9
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Mar 21 00:37:12 2011 -0400

    updated changes

commit 8c67543eafc8f12f1bc5ea30072da6cbd0720bea
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Sat Mar 19 14:02:31 2011 +1000

    AUTOCONF_INCLUDED not defined by linux-2.6.38
    
    One choice is to check the kernel version,  and this commit uses that
    to decode what can/can't be included.

commit 3d1a918cc4bc09e9f2c5cd29e27ddf13c9d20294
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Sat Mar 19 12:20:30 2011 +1000

    Fix typo in comment

commit 6e3b071b5dda2d833ff05f00e09b0837cbed6f74
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Mar 18 19:36:34 2011 +1000

    Improve build speed, calculate version once
    
    Build time on a core2 duo reduced from 5m20s to 7s by only loading the
    version once (when build within a git tree).

commit ccfb191add71510b43078263fcab24e51abc2e19
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 10 17:55:05 2011 +0200

    update CHANGES

commit b646bfd95ce3841d0a28c2737087a64f2d5b0728
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Mar 10 17:48:40 2011 +0200

    add dpd to l2tp sample configs

commit 74efbe733b221781e57964819d7388dbd7011f9c
Merge: 4fe05bb ddaafbc
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 8 23:48:32 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 4fe05bbd642d83898953c24037978fa0abc334db
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 8 23:01:24 2011 -0500

    Added example on openwrt call to build proper KLIPS with OCF.
    openwrt versions of config-all.h and defconfig to use with
    MODULE_DEF_INCLUDE= and MODULE_DEFCONFIG= included in packaging/openwrt/

commit d9904e1518713efeb78fbeeea406f880f8e4e00a
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 8 22:36:52 2011 -0500

    added commented out entry for plutostderrlog=/null

commit ddaafbc53f521fc6d32341f22a9fa54e0bc3fbb6
Merge: 49e655d 011df14
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Tue Mar 8 20:07:31 2011 +0100

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 49e655d93fc106424c8fd80a4ce0c8937b1f8bac
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Tue Mar 8 20:06:13 2011 +0100

    fix various occurrences of "/usr/local" paths in documentation

commit 011df14e66062085a2f3affa5f9abce6805b1307
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Mar 7 09:58:53 2011 -0500

    Import OpenWRT packaging updates from OpenWRT

commit 17806c2719e8b1ea9731f2f73ddb694457707da5
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Mar 7 09:24:41 2011 +0200

    Re-fix compile without USE_EXTRACRYPTO by compiling libsha2 by default

commit d735e448a034f39bdd1c2cb7a17e127bf89a0ab2
Merge: fbad5ac e089d54
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 1 20:14:06 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit fbad5acc3d213545e13151f5433d7fe476c6377a
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 1 20:12:50 2011 -0500

    added patch for 2.4.37.9 to make openswan-2.6.33 work.
    Patch by Yannick Koehler <yannick at koehler.name>

commit e089d5425e9fb27748e75e5884a451b5b74e3845
Merge: 5ca5859 078cffe
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Mar 2 00:24:19 2011 +0100

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 5ca5859a0e1f8261308b9256758c36d92cc2432d
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Mar 2 00:23:47 2011 +0100

    fix manpage installation name

commit 078cffeae1164d8533996f990fd844a0f2c07bc4
Merge: ebb2b87 a28e1df
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 1 12:30:47 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit ebb2b87937994fa0f6c2d0b01a485cef8a565241
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 1 12:29:56 2011 -0500

    updated changes

commit e73e3ce38c6b5a3d644c05c0ba904adc2ac33978
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Mar 1 12:28:16 2011 -0500

    The new mtu= option did not yet get passed via fmt_common_shell_out().
    Patch by Mattias Walstrom <lazzer at vmlinux.org>

commit a28e1df133702ca33f55be17823c418d5812dfe3
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Sun Feb 27 23:38:49 2011 +0100

    small spelling fix

commit aefbf0e508ff6c1b002e734dd1496a2fca6a1572
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Feb 23 11:31:59 2011 +1000

    Fix warning for 32 and 64 bits systems
    
    For whatever reasons the 32 bit x86 compilers are complaining about
    the format/arg sizes now.  Force it to be unsigned int so that all
    targets get it right.

commit 4ef946a66a5d558403d6f51ba36f4a8ac993608d
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Feb 22 10:39:50 2011 +0200

    update CHANGES

commit bc4f646e1e1461d6d55f2e222b613a91abb1d505
Merge: a52f310 9364069
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Feb 22 10:37:18 2011 +0200

    Merge branch 'master' of vault.xelerance.com:/xelerance/MASTER/git-master/openswan

commit 93640690f8a1753a8a9bac721732bc99926efb67
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Feb 22 10:36:23 2011 +0200

    CHANGES: add release date from announcement email

commit a52f310717affad87a777d9b7d637e20075456d9
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Feb 22 10:13:48 2011 +0200

    fix compile without USE_EXTRACRYPTO by compiling libsha2 by default

commit 381894cf80f935baa1086d40f648ea835ea75e59
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Feb 21 13:25:52 2011 -0500

    updated changes

commit 7a4f8a707aa009dad30fb34b0f063dccc31ce137
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Feb 21 13:23:29 2011 -0500

    updated changes

commit e7f1fc658d11a19af9f96886ef62c5c888aae337
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Feb 21 10:56:33 2011 +1000

    Don't use ixs until it's been validated

commit e737f135957b6c0b738ba06cd6d49674106abbaa
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Feb 21 09:44:43 2011 +1000

    Do not access ixs->dev after we have freed ixs

commit 44062156ad52c1444fdc8fbc480fefd451de5fa0
Merge: 8471da9 8f759e6
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Feb 21 09:42:24 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 8f759e6bfb021cdf24155dd01cbe3188b8097858
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 18 12:37:28 2011 -0500

    fix dumpdir to point to proper place (/var/run/pluto, not /var/run/ipsec)

commit 0ba0c64c3e10b5e83a5b35e5627e00ab702cb5cf
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Feb 17 23:34:53 2011 -0500

    KLIPS: log success of klips26_rcv_encap registering with the kernel

commit fb5c45ebe13c2a616f17493bb04791013be36e4d
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Feb 17 21:49:13 2011 -0500

    OCF: Fix gcc warning for ntohs(osw_ip6_hdr[...]) casting in ipsec_ocf_xmit_cb()

commit ba4158320e37cdb77be4f0a105fd62e592d7c24f
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Feb 17 21:08:36 2011 -0500

    OCF: updated version of ocf-compat.h

commit 19f516397a3ab95e98b97f139219d69fa1303216
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 15 16:55:43 2011 -0500

    updated changes

commit dbf06100cc605c0037b5ca2a1d74a69f20db8f93
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 15 16:54:10 2011 -0500

    KLIPS: arp_broken_ops is no longer exported in 2.6.37+ [Paul]
    
    I don't think we actually depend on this - we might be able to
    just take out ipsec_tunnel_neigh_setup() completely?

commit b599fbbd13d2cecbfa50bd69a0fc122abd59b710
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 15 15:08:03 2011 -0500

    renames of docs

commit 772d8464fd3132320d91a1fc9cfffc063f134e8e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 15 15:07:17 2011 -0500

    more doc cleanup

commit d90db0f0a4a6854104805e50ecf7dc472611a8a9
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 15 15:05:56 2011 -0500

    removed two more old drafts

commit 8471da9a772996304bd1a51936990cad86b65ad4
Merge: 55c3af8 66d5fe4
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Feb 15 12:57:42 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 66d5fe41a85ccd82cc9acf20866a66e446bdc0b6
Merge: 9496d7c 54da8db
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Feb 14 21:15:26 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 9496d7cca57a2418ba9b9721f0e64720cf30180a
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Feb 14 21:14:54 2011 -0500

    updated changes

commit 0d48b5d2cae09d040b5775bf79bbafce364fa54c
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Feb 14 21:13:54 2011 -0500

    updated changes

commit 52de55dcacf746c06cd1c191b407da23db9645aa
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Feb 14 21:13:07 2011 -0500

    MAST: increase traffic counters for mast0 [David]

commit 54da8db16769e96df08ee2312b3fe3793e14c5ba
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Feb 14 21:44:01 2011 +0200

    use PLUTO_MTU and _PLUTO_METRIC in _updown.netkey and _updown.klips

commit a760df581c7e8153d9ba143639f75b3ac8060726
Author: root <root at bofh.xelerance.com>
Date:   Sun Feb 13 20:46:06 2011 -0500

    Clarified --ikeport (and mislabeled --port option)

commit 55c3af8ffca0113971aac4da440de61befe0a71e
Merge: 7aaa81a da21a44
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Feb 14 08:11:43 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit da21a44ee33a45cad82763fcc43d3b2c5a93c4b0
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Feb 13 11:56:08 2011 -0500

    missing #endif

commit ce611166e3c2e98a67abe198fd869eec3bc3e60f
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Feb 12 14:07:36 2011 -0500

    updated changes

commit 7a057c0be84b14e7b530a3dc316dd8e051b95bc2
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Sat Feb 12 14:05:28 2011 -0500

    Fix for: xl2tpd[4229]: control_finish: Peer requested tunnel 21 twice, ignoring second one.
    
    See http://lists.openswan.org/pipermail/users/2011-January/019978.html
    
    The iPhone/MacOS clients propose to be natted, but didn't send a NAT-OA. The
    client sends the l2tp packets with the public ip through the tunnel and
    therefore the answer packets were routed over the default gateway.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>
    
    This is bug #1204

commit 5816037d7ed728fa898ce03d802abd9cc4c58224
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Feb 12 13:43:56 2011 -0500

    updated changes

commit b35882771669113693a26f098b6cb2a1aeffb9cb
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Feb 12 13:41:31 2011 -0500

    Avoid conflict with _res macro in uClibc-0.9.31. Patch by mb at openwrt

commit 7091b70859804e930eb132ee2dbdb48f073785b2
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 18:29:44 2011 -0500

    updated changes

commit 18e502b5f1a661031646708435969209cf6dca1b
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 18:28:57 2011 -0500

    phased out doc.old.freeswan

commit b591598bac9de2ccc63a18b84a9e6c216cc1e986
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 18:09:54 2011 -0500

    updated rfc.txt

commit 84408d477098b2e3d6141c98490ea06535d66e11
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 17:54:20 2011 -0500

    updated changes

commit 6587857d59bfb877855afee72f0b150eed0643d2
Author: Anthony Tong <atong at TrustedCS.com>
Date:   Fri Feb 11 17:35:08 2011 -0500

    search the pending list for the connections host pair in add_pending()
    and not proceed with the queuing if a phase2 request already exists.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 4a6ca4eb77343d9f5f00786fd401909279433120
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 16:30:57 2011 -0500

    Second part of mtu= per conn commit

commit 17c52678e51a67c611ada25d6f15ce0c52dbf6ea
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 16:29:54 2011 -0500

    updated changes

commit b22a56fc18e653b2589aec0204bcb4ed577ad86a
Author: Mattias Walström <lazzer at vmlinux.org>
Date:   Fri Feb 11 16:28:26 2011 -0500

    This is to solve issue #1201 (dpd + ddns does not work), the entry
    conn->dnshostname is used throughout the system but it never will
    be set if using addconn to add the tunnel. This patch will make sure
    that variable is sent in the whack message if the user has entered
    a domainname.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 49c1ef7ee2e9fd0f31e788decd40fdfb8abedc28
Merge: 7399df4 486584c
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 16:25:47 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 7399df48e4f8c42f792f5a9ca8ece4a8b975acf2
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 16:25:24 2011 -0500

    updated changes

commit 0b51b0c52460b0da9783be8c1ddd50ec3b9f4b9e
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Feb 11 15:40:48 2011 -0500

    Added connection keyword mtu= to set the mtu on a per-tunnel basis.
    
    This sets PLUTO_MTU= which is used in the _updown scripts.

commit 486584cc3fd27cd900984ed8c850ea9bb9734463
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Feb 10 10:08:36 2011 -0500

    check for /proc/sys/net/core/xfrm_larval_drop in ipsec verify
    
    If this value is set to 0, this causes the connect() to return immediately
    on a non-blocking socket with an appropriate POSIX compliant errno.
    This param has been set to value 1 by default in RHEL 6.0, but not in
    RHEL 5.x.  -- Deepak Gupta

commit 7aaa81a1211f5bcb6fd240d0faf72cc59184640b
Merge: fe539ff 388f2c0
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Feb 10 08:10:04 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 388f2c0b0ca4944d87710ea582dbce01226433fd
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Feb 9 16:00:46 2011 -0500

    updated changes

commit c01dd99a3a06bd487984625ce8097a9b9422d6dc
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Feb 9 16:00:04 2011 -0500

    enable dumpdir= in stock ipsec.conf for use with abrtd

commit b5c2251519182e84b9ef26e951a841eb75d0c806
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Feb 9 14:28:08 2011 -0500

    Fix the DISABLE_UDP_CHECKSUM code segment added recently.

commit 39b862c4ca58250ec8f43865ead54c927fe7d7f9
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Feb 9 14:23:15 2011 -0500

    ippkttotlen should be unsigned long, not int

commit df348984bed173bf2d5156e8d9b810c71f69e301
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Feb 9 13:24:55 2011 -0500

    updated changes

commit aa83b7d56512d57d792023a80153a875d309fe83
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Feb 9 13:24:15 2011 -0500

    Add aesni_intel to the crypto module list we try to insert in the kernel.

commit 577ee1d625d3a9487eeea05ee0afcc62b72b0127
Merge: 91ba69c bb1b51e
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Feb 9 13:06:04 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 91ba69c98bceec43b3c1c412ac8ee97023677c5f
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Feb 9 13:05:37 2011 -0500

    update changes

commit 15b824df3176ec24cdc296ee06e638963bcc3426
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Feb 9 13:04:08 2011 -0500

    KLIPS: Add a new option to override the replay window via /sys
    (echo 0 > /sys/module/ipsec/parameters/ipsec_replaywin_override)

commit bb1b51ed2d0ac68fb7aaca426ce4ec3515fd323a
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 9 18:56:01 2011 +0200

    copy _updown.klips addsource fix to _updown.mast

commit 12be19ca46fca88d3bdb514073337ef2aad871f5
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 9 11:27:22 2011 +0200

    update CHANGES

commit e751404fe22ec55eecb9d2acb879e3b1bb789501
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Feb 9 11:24:16 2011 +0200

    Fix addsource to always use /32 netmask. This is bug #1199.

commit fe539ffcac8e07f7bd4d151c01677db2d4ce03b6
Merge: 171bf97 0ea158b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Feb 9 17:56:10 2011 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 0ea158bb37bb6659ae46e4a575185687a15c4fef
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 8 22:15:51 2011 -0500

    update changes

commit 6c55c133ce7653a9e3954384c7f821c5fba8373e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 8 22:14:21 2011 -0500

    Move SHA2 to the basic build, so people who want just sha2 but
    not blowfish/twofish/serpent can disable USE_EXTRACRYPTO

commit 46764d515d8d6224e593d119f6a1dcd6b56ee3c9
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 8 20:23:54 2011 -0500

    updated changes

commit bcbab4db0b642596db19e714af3ecad208a6042f
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 8 20:22:17 2011 -0500

    Use ipsec addconn (--configsetup and --checkconfig) in "ipsec verify"
    
    This will now show syntax errors in the config. It also removes a bunch
    of yucky perl

commit 62d16893176b4d6421c52ac1bb9bc45cd058c548
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Feb 8 19:53:51 2011 -0500

    - %ghost the rundir as per https://bugzilla.redhat.com/show_bug.cgi?id=656649
    - removed very incomplete changelog in spec file

commit ff929c1146f275ebc05e613762547cb6d9ab1837
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Feb 7 11:47:27 2011 -0500

    Added labelled networking with selinux patch in contrib with note.

commit 171bf972d01de987e4458928332015ecb6a9a215
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Sat Jan 29 12:32:38 2011 +1000

    Fix compilation with DISABLE_UDP_CHECKSUM enabled
    
    Some old patch which is not IPv6ified yet :-)

commit 30669e08b91b8d318a4cbd87f5b37129bbd873cc
Author: Tom Rini <tom_rini at mentor.com>
Date:   Thu Jan 27 13:20:02 2011 -0500

    Fix for parallel build race condition in lib/libipsecconf/parser*
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 6e11c70d572d3ddbc91e25e3287b09f4a2857d55
Author: Greg Ungerer <greg_ungerer at mcafee.com>
Date:   Thu Jan 27 10:59:21 2011 +1000

    Removed the printing of the net_device "refcnt"
    
    Removed the printing of the net_device "refcnt" when unregistering the
    device. From linux-2.6.37 the field is not an atomic, its type has changed
    to a __percpu pointer, and name changed to pcpu_refcnt.
    
    The display looked only to be informational trace (of questionable value).

commit c0eb23ea05c551003d7075482f6e1694ba731d1f
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Jan 19 08:41:55 2011 +0200

    Cleanup CHANGES.

commit f34fe62d433181d84459683098e74ca7c1ade2b7
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jan 18 18:46:13 2011 -0500

    fixes to man page

commit 1da2ae7221bff11bba375f4a4996f94b2384f112
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Jan 14 19:54:52 2011 -0500

    Fix a small typo in a man page.

commit 5a1ed9c4ff78c3f36c092a8d3f871a1e8a1726fa
Merge: f7a0c2f b3c589b
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jan 14 19:49:58 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit f7a0c2f756bdb109c210bbe06d212d69d0246623
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jan 14 13:23:06 2011 -0500

    Clarified vhost/vnet in the leftsubnet/virtual_private man pages.

commit b3c589bb4bf02cc4a3e005d9cebaa18be8467d24
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jan 13 16:39:24 2011 -0500

    added clarifying comment on udp nat-oa from mcr

commit f6c2f2f740cee0a18ca5df77a38aecb3bb23594f
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jan 13 15:14:03 2011 -0500

    typo in parameter

commit 43f24195d40b364c60916f36b682b1842ba87abf
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jan 13 14:29:29 2011 -0500

    update changes

commit 943d92b2efe6972b8251d6b1d181f406f7775fa2
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jan 13 14:27:30 2011 -0500

    OCF: Fix OCF tuning with klips module

commit cccee079e48d50a9fc3d3cff49f4a710a766d7b3
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jan 12 11:41:28 2011 -0500

    Added -DDISABLE_UDP_CHECKSUM to KLIPS compile for bug #601

commit e008fac6f5ae2c1c96e959d32fbd61fc43fe442d
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Wed Jan 12 11:39:39 2011 -0500

    When OpenSWAN 2.4.5rc6 with KLIPS is used in transport mode for IPSec/L2TP
    connections and both sides are NATted, the UDP checksum created by NAT-OA
    in KLIPS seems to be bad. The packets on ipsec0 have bad checksums and,
    consequently, are dropped by the kernel. If I deactivate the checksum
    rewriting, i.e. set the checksum to 0, everything works great. Thus,
    it seems that the rewritten checksum is the problem and that the
    packets themselves are ok. When only one side is NATted, the problem
    does not occur - the checksums are correct. The behaviour is the same
    for OpenSWAN 2.4.4.
    
    Is this an error in KLIPS / NAT-OA? Is it safe to disable the checksum?
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 98115889127b61c62c80de5cf6287fc9e49cb6d7
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jan 11 23:06:09 2011 -0500

    update changes

commit 60400ecd5383ae3f70c271f9b8ee5d6bfd08daf5
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Jan 11 23:04:51 2011 -0500

    bz#659709, bz#641068: Currently, openswan does not send a signal to
    NetworkManager, when a connection (configured through NM) gets terminated
    and failed.  If NM does not receive any signal, it can not clear its
    openswan connections. The patch to address this issue sends a disconnect
    signal over dbus to inform NM, whenever a NM-configured connection does
    not get established (may be for several reasons), or gets terminated by
    other means (not through NM).
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit d0ef2a2049e2a9449bf753160ed19610f0df9cfd
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Jan 11 22:53:28 2011 -0500

    bz#658253: This issue is related to openswan interop with Cisco. Currently
    during rekey of phase 2, some ipsec policies are getting deleted, which
    caused connection not working during dhcp renew. The patch is only
    applicable when remote_peer_type=cisco is set, and makes sure that the
    policies are not deleted.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>
    
    Note: I'm not sure if this is the proper long term fix. We should find
    out why some policies are not deleted (or why they are in the way)

commit f4bf79e43557a9ae61f26ec09b046e9c91b6ab4f
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jan 11 22:30:35 2011 -0500

    Added "-Wl,-z,relro" to USERLINK (if unset, similar to USERCOMPILE)
    See red hat bugzilla 642722

commit fbc66c592d8a509654debd9878d1eeb2d9ed4067
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jan 11 22:23:31 2011 -0500

    Don't err (red) but ok (green) the NAT check in ipsec verify if there
    is no NAT

commit 0f90e7bdad784b2b8c6aa8658143c7d60fc83c04
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Jan 11 22:15:03 2011 -0500

    Fix ocf/crypto module param checks in _startklips.in from previous
    commit.

commit a82b7fb033f940c47fbda596c7d0d2a938ab6857
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Jan 11 10:52:50 2011 -0500

    Fix _startklips when no OCF module is present. Thanks to Ruben Laban.

commit dca081b232e63bccf16d6e103780c4dacf028c86
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Jan 10 22:25:49 2011 -0500

    Fix erroneous commit 725104043a9f173338e8fb296ec522d96c9ab26b.

commit be67320488530c32b02a69685db9834f6245c8e2
Merge: 7cc0139 e9c5aa6
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Jan 10 21:59:26 2011 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 7cc01394f30c8c04d9f6bdad09940c7682211203
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Jan 10 21:58:35 2011 -0500

    Remove doc/ from Debian package. Thanks to Ruben Laban.

commit 725104043a9f173338e8fb296ec522d96c9ab26b
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Jan 10 21:13:34 2011 -0500

    Have the stable DKMS modules version number supersede the dr and rc ones when evaluated by dpkg.

commit e9c5aa60245c633a1cecdd199dc65d852df54f38
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jan 10 20:57:27 2011 -0500

    updated changes

commit e526a0647cce87abd31b0b9955a2f19e76279cef
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jan 10 20:56:19 2011 -0500

    OCF: Set the OCF queues to 10000 when 256MB+ RAM and 1000+ bogomips

commit 615345fd64f0ea35b8a990c1058a649c3bc2315e
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jan 10 20:16:51 2011 -0500

    update changes

commit 7e57259ae3b75845ff848965844edf8fb059b3d3
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jan 10 20:14:36 2011 -0500

    Revert "If pluto is started with --nofork, then also disable nhelpers"
    
    As Avesh pointed out, we always start with --nofork, because we want
    the plutorun wrapper script to restart pluto on crash for us. I
    changed this code so if HAVE_NO_FORK=true, then we disable fork and
    nhelpers - but we no longer disable nhelpers when we saw --nofork.
    
    This reverts commit 16989a3d0849ae8bb71df396d7f76ab4d6a63c03.
    
    Conflicts:
    
    	programs/pluto/plutomain.c

commit 7d33b30a9e1fc330a9328100b25af65ef68b079b
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jan 7 18:34:02 2011 -0500

    update changes

commit 539894132c9dc76d5ef8add0f7953eb30eeecf36
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jan 7 18:31:39 2011 -0500

    MAST: Fix NAT-T new style detection with protostack=mast
    
    Apparently, we cannot call ioctl(sk, IPSEC_UDP_ENCAP_CONVERT, &ifr);
    using ifr_name "mast0", so we use the old "ipsec0". Note that this
    needs looking after because in the future there will be no ipsec0
    interface when mast is used.

commit 6f0d042a6166fe201633f07cf4427b3684863c8e
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Jan 7 18:21:07 2011 -0500

    NATT: cleanup of nat_traversal_espinudp_socket()
    
    This should also re-enable NAT-T detection again for BSD/OSX

commit b96779f5516eaf1fcfa79b810d14dd1622162969
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Jan 6 20:50:22 2011 -0500

    regenerated rsasigkey man page.

commit a875f69a641533250f41ab713d9e5f4c67f7922e
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jan 5 00:59:11 2011 -0500

    remove doc from SUBDIRS

commit 6fe612e620560b161d19006c88f02638dc67aa85
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Jan 5 00:58:12 2011 -0500

    don't try to rebuild stuff in the ancient doc/ dir that got moved.

commit 24b79bb08ee7bf357b631aea0a01c68bb9e6da94
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jan 3 04:34:59 2011 -0500

    Fix the "login" prompt in debian single user mode. It does not
    mention "normal startup" anymore but "press enter for maintanance"

commit c66b32a4573bde30cb499f9247dea3c9c5f2a30d
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jan 3 04:32:40 2011 -0500

    Fix uml MAC's to have the "2nd rightmost bit" set to 1, so uml_*
    tools won't whine about it being a global address. The 2nd rightmost
    bit is the third bit from the right....

commit 65df01b83c7670654bfc0d9c1233781d3a856e1b
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Jan 3 04:32:26 2011 -0500

    fix typo in error msg

commit 6e74a71ba6bd14eebb638409c470da59590e6c91
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri Dec 31 12:37:33 2010 -0500

    Typo for --debug-all argument for whack.c

commit c519325665ac79fe60225b6b9dc72163908f0a9d
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 30 01:16:18 2010 -0500

    renamed doc/ to doc.old.freeswan/ to avoid users accidentally reading
    this old documentation.

commit e6a5f9bd772a6634998194ade5da8a6da82ef9bb
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 27 18:26:19 2010 -0500

    logged the leaks in the function header comments for init_vendor().

commit 2ea15f29adfd387605bb54965c122a6053afca93
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 27 16:09:26 2010 -0500

    DEBUG: Fix a few mostly cosmetic memory leak reports

commit 62d521b085c27523038a003c75fc978a3a9ce25f
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 27 14:30:13 2010 -0500

    Remove unused struct pluto_paths

commit 27b3ebb1199eb3fddbf2cf550e70dd878cf6a079
Merge: e0cc786 8f121af
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 27 13:52:40 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit e0cc786806e837dd88ab3415e9483dab9c17fcd1
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 27 13:51:08 2010 -0500

    IMPAIR_SA_CREATION and IMPAIR_DIE_ONINFO did not have their corresponding
    pluto options --impair-sa-creation and --impair-die-oninfo

commit 8f121af14795684bb2b748bf60765e07afc1ff9e
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 23 18:24:02 2010 -0500

    When using USE_BSDKAME, disable USE_KLIPS and USE_NETKEY

commit 1143b844e3e696c30dc02b012ed31eb92d9f36c5
Merge: e3cba3c 45a346e
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Dec 22 19:11:33 2010 +0100

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit e3cba3ceb7e6c4f02904632c122148325bd46c76
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Dec 22 19:09:43 2010 +0100

    on debian based systems the init script should exit with 0 if the main binary is missing

commit 45a346e82fa93a0ef9126bc02ae4df8b97697a59
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 23 01:26:50 2010 +1000

    Fix KLIPS compilation for 2.4 kernels
    
    Mostly IPv6 related compilation issues on a 2.4 kernel.
    
    For now IPv6 support is disabled under 2.4 as there are some functions that
    need different args (perhaps more).

commit a10973fa584c5bda0ea59d4f83f30f3407edea90
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 23 01:22:11 2010 +1000

    Add skb_header_ptr and eth_hdr
    
    Functions that we use now that don't exist on 2.4 systems.

commit 9135f4fa790ab8308269aaee3854878cfab679ca
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 22 00:42:29 2010 -0500

    DEBUG: log used --impair-* options given to pluto on startup

commit 832c42095ba6b9ba3d389dde5e5312d4585734ac
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 22:42:53 2010 -0500

    updated changes

commit a13b2f15d6d683cc34c87cf316b0766325129fdb
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 22:41:08 2010 -0500

    Added %v4:25/8 to virtual_private, as T-Mobile and Rogers/Fido have
    started using this range as "private iprange". It is currently not
    announced and not routable - but we'll see how long that lasts....

commit 3813d9c4bad82b1c1da5eabad829b7212c33146b
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 22:34:41 2010 -0500

    Added note about the 25/8 network to man page on virtual_private=

commit 505e111b87d90c430fc12c1f729665122def499c
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 14:09:49 2010 -0500

    updated changes

commit e0a3a307c08e9878ccec36d2ed2cd81ec7e3f261
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 14:08:12 2010 -0500

    modprobe more cipher, compression and hash crypto modules so they become
    available for both netkey and klips(cryptoapi)

commit f171e7c9d077dd450396ffd87ed7741728d66797
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 12:23:57 2010 -0500

    updated changes

commit 98e2372ccaab3c585029dede2f1f6c7240a3c354
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 12:21:59 2010 -0500

    X.509: Fix SHA2 family support inside X.509 certificates [fryasu at yahoo.co.jp]

commit 672c16c4648c55c78f8b531b7bf425c70715f9e6
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 12:14:22 2010 -0500

    Ensure nat-traversal has proper ifdefs for linux. #warn on other OSes

commit 62f58557d3394cec40d24c70ce66b1812393e80b
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 11:32:55 2010 -0500

    BSD: netkey/keydb.h moved to netipsec/keydb.h
    BSD: netinet6/ipsec.h no longer exists

commit 917830b8396dfd1a01fa0aeb0d2bf9e09650fdd7
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 11:31:35 2010 -0500

    clean up freebsd sysdep include. Remove the #if 0

commit 10f682e6aa67c4cd83f43c4f001144ae43127402
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 11:18:11 2010 -0500

    Add netinet/in.h include - resolve.h on freebsd needs it.

commit 1be91b627c17ac678e663a5432443c14343de506
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 11:17:36 2010 -0500

    remove duplicate include

commit 27dfe8b4c577940076d7f8ba0f52c27c49763e00
Merge: 8ff9c9a 1e50d6d
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 10:32:50 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 8ff9c9a7eb2ec8b04752f0f665348a471f370183
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 21 10:31:02 2010 -0500

    BSD: Fix <sys/queue.h> include (for CIRCLEQ_ENTRY and friends)
    
    Instead of the ifdef in connections.h, move include to the sysdep_*.c
    location.

commit 1e50d6d4236e428dea234f0356e99f460034e4d3
Author: Tuomo Soini <tis at foobar.fi>
Date:   Tue Dec 21 12:13:49 2010 +0200

    Update changes.

commit 79511d2cc748b59beb1097b658c6776597642ad8
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 20 18:06:55 2010 -0500

    updated changes

commit 0f10410a67d3b11663a7117e569d0670621927bd
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 20 18:06:28 2010 -0500

    regenerated ipsec.conf.5

commit 012c0601d52a8a45872351f8fcd77890c56d73b4
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Dec 19 16:35:32 2010 -0500

    updated changes

commit 7dc9194575d63eec95f63467210dd39f2fa1ee3c
Merge: ff0389e 616eb0a
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Dec 19 16:34:27 2010 -0500

    Merge branch 'klips-ipv6'

commit ff0389e0df2d06d23adad0ba917c83abad7f5da9
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Dec 19 20:03:59 2010 +0200

    Fix typo in ipsec.conf man page, bug#1183.

commit 616eb0ac0f4340517ea1088163978d97b8946f2e
Merge: dd2709b bf73db3
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Sat Dec 18 22:40:06 2010 +1000

    Merge branch 'master' into klips-ipv6

commit bf73db3799ebfead2f5d77092188ae83c28ba545
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 17 20:21:06 2010 -0500

    Remove bogus double ##

commit aff20d8ea926b64566c2de72a7c2c0bdc9ce768c
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 17 20:19:52 2010 -0500

    Rewrap a CHANGES entry

commit e03ff703376595646a6f5c6f3d89a1e24f5e21b4
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 17 16:33:59 2010 -0500

    Disable HAVE_OCF by default - sneaked in by accident

commit 9b506c57cf70ea2e80633a9fd018e1ad91a96c3f
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 17 15:18:14 2010 -0500

    OCF: change cryptodev.c logging to show this is IKE and not IPsec OCF
    we are talking about.

commit f5970513f51046cdae88872f011259058c49d88a
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 17 12:25:49 2010 -0500

    updated changes

commit dd2709bbd86bd90049c27bae57e6cb765e805f1d
Merge: 6edb8a9 f8dba48
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Dec 17 22:25:12 2010 +1000

    Merge branch 'master' into klips-ipv6

commit f8dba485b130085cc60a0528ff2308cc94048b8e
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Dec 17 22:24:37 2010 +1000

    Make cbimm and batch modes configurable at runtime

commit f6c4f3bf1a6022c245994e88e9c21aeac3e47151
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Dec 17 22:17:42 2010 +1000

    rename ipsec_ixs_cache_allocated_count_max
    
    rename ipsec_ixs_cache_allocated_count_max to match ipsec_rcv's version.
    It is now ipsec_ixs_cache_allocated_max.

commit 6edb8a952c3b35fca088bfb89c6da2a1ad81a6c1
Merge: e3644d0 70f574c
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Dec 17 21:29:33 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 70f574c009c81b9f7724f902ff703cb7dfb15530
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Dec 17 21:28:00 2010 +1000

    Minor change to code flow
    
    Basically the if can be converted to a while to handle multiple
    requests at once.  This version seems to perform the best.

commit dce78c8758bd3f8ed7aed341ad22de964d7ecd3a
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Dec 17 21:25:32 2010 +1000

    Clean up the prng locking
    
    It's not a real problem,  but it could make decisions that are affected by
    race conditions, even though they are non-fatal.

commit 0fa7d25227faa1f0915116d2ad1ba9091ded0b92
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 16 18:49:09 2010 -0500

    updated

commit 4c381956c9afdd1f6d07670b179482a4df33a1a9
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 16 18:47:49 2010 -0500

    OCF: Attempt to load OCF kernel HW module on startup
    
    Add cryptosoft to the modules to load in _startklips. For now added
    commented out version to load cryptodev (userland acceleration)

commit f29c32f293fc72e3cdb1884c886299de10db1fdb
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 16 13:59:27 2010 -0500

    Change the use of "source" to "." as that is a bash-ism.

commit fae250a6f39b3a623b62d97054cc45cc59ba35f0
Merge: 0a3e8cd 1c2a378
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 16 13:51:38 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 0a3e8cd09db79b291377d6f9a1a377478592afa0
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 16 13:46:46 2010 -0500

    Clarified OCF support in IKE a bit better. Also log a warning if
    we cannot find /dev/crypto.

commit 1c2a37840fbadea5376f3fd67b9a84e06513c426
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Dec 16 09:31:35 2010 -0500

    source is a bashism, "." should be preferred in scripts

commit e3f3eca8b02b2b061ca7eb645aae60889b9b298a
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 15 23:53:22 2010 -0500

    Fix last ones of the source cwd issue with setup.sh and TESTLIST

commit 2f432a93d6dca4f52d6fdf403c765c84d63d3308
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 15 23:33:35 2010 -0500

    Another source ./ issue

commit cb0ea0a30de6f217c5d80faa76e5b312b0213cfd
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 15 23:29:03 2010 -0500

    more cases of where source (.) needs cwd

commit f96ed16feb6e1e66034329d0857f3989d839eee3
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 15 23:26:00 2010 -0500

    source no longer has cwd in the path for its arguments

commit cb7c7d97d1b2672c6acde09d4b83b6e7331ac0b3
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 15 22:13:23 2010 -0500

    the etc/network/interfaces files did not have proper auto statements
    for most testing VM's, most notably east and nic.

commit 795cec1511d0453d7e852be0d229f136babdcac4
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Dec 15 21:04:02 2010 +0200

    Update changes.

commit 2f121c8f83e936fed95d0d3611f48de11c918a3e
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 15 14:01:39 2010 -0500

    updated changes

commit ff5fae5d066c4facc8f6d414b1d2817a923f7f86
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 15 11:23:57 2010 -0500

    updated changes

commit e3644d09e0a367824048f2facb4a4c683f6fbc2d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 16 00:42:16 2010 +1000

    Fix use of CONFIG_INET_IPSEC_SAREF for klips-ipv6
    
    I got a bit carried away with the use of CONFIG_INET_IPSEC_SAREF
    and broke the marking version of SAREF support.

commit 481ec63b33414cc80f7da5a1d191a1e2b501346b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 16 00:38:09 2010 +1000

    Call with appropriate void * arg

commit 9b38bec108934f6e967dd08ade84ed35a929e708
Merge: 9f825bc 023ecdd
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 16 00:17:00 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 023ecddc6b0a419c29028fa835a402b17d70df52
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 16 00:09:06 2010 +1000

    Fix up queue stop/start on SMP systems
    
    Make sure we manage the queue starting/stop consistently
    and within a lock.

commit a6712b2335218736b7802c868d802776f7ad367d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Nov 16 16:22:26 2010 +1000

    Fix string compare, == won't do it
    
    Also fixes a compiler warning.

commit 72f95a15f7ba24260e0a2afc691c13c70982b28d
Merge: b32f6dc 2de1bc5
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 14 15:50:31 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit b32f6dc8de89a94fc005f80363380b249e4c19cb
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 14 15:47:46 2010 -0500

    update changes

commit 18ddaf8c8093a265fa4c91b29ebecca33ffc9fbd
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 14 15:46:06 2010 -0500

    NAT: Put old/new style chatter into DBG_NATT - only loglog() failure for all NAT-T

commit b676ce2855f645f1bcaabb643eccfb580e60e3d2
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 14 15:38:11 2010 -0500

    NETKEY: Reduce noise about Old/New NAT-T support
    
    The NAT-T detection for ESPinUDP hooks were noisy and wrong on netkey, because
    it tried to use "ipsec0" to send the ioctl() to test for IPSEC_UDP_ENCAP_CONVERT
    It now uses "mast0" for mast, "ipsec0" for klips, and "eth0" for everything else.

commit 2de1bc5504e9c9c3f65a5f87c08a3e5c3214f181
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Dec 14 11:59:08 2010 -0500

    Fix the conditional ipsec restart in DKMS postinst script.

commit e2496fe7d462fba0d3694a229a57bf773f63ddd4
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Dec 14 11:36:47 2010 -0500

    During DKMS installation, only restart IPsec if the ipsec.ko module was loaded and IPsec was running.

commit b4255bf65e0d2f806050bb5759e6f757463cd835
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 14 09:37:56 2010 -0500

    update changes

commit 740d8e9d785708f30b0f8d3d45e3c6dad10cea4b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Dec 14 09:35:16 2010 -0500

    OCF: move netif_wake_queue inside the lock in ipsec_xmit_state_delete
    
    > 3) I think is just a logic issue with locking and I need to double check the
    >    locking for holes and take it from there.
    
    Ok,  I think this just needs the netif_wake_queue to be done inside the lock
    in ipsec_xmit_state_delete or after the unlock,  looks like an obvious hole
    to me as we haven't updated the counters yet but we have enabled the Q ;-)

commit 40d49731a0438ee6d46248734f2b1e6b1838ccb7
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 23:51:47 2010 -0500

    places some indenting in ipsec verify

commit b8928f7f0add22d5e88b9fa68e5e4347886c2e8c
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 23:31:51 2010 -0500

    use a copy of cryptoev.h instead of a link, because debian copies
    the linx/ contents and it breaks the link.

commit 27f8f4e685fc9b0102e504ff82cf0da281e8a20c
Merge: e40c393 73aa9c7
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 22:31:02 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit e40c393c0cbecd3b58c0a0284e263fcb127cc503
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 22:05:20 2010 -0500

    Added ocf-compat.h for now, as cryptodev.h depends on it.

commit 73aa9c73db360aaff734833e8bf361626db78d7b
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Dec 13 21:09:26 2010 -0500

    Temporarily include the OCF dir for DKMS module building. This will need a cleaner fix later.

commit ca9fa6bcadbccd3792cc625fca58732e3a5d4249
Merge: 04444cd 3bc9a8b
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Dec 13 20:39:55 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 3bc9a8bd26cbff7862770435a143fcd8e9b058a1
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 20:38:59 2010 -0500

    added copy of cryptodev.h for kernel code

commit 04444cd19bbdec07f89276be0744608f4d799d81
Merge: da04239 031b06c
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Dec 13 20:37:50 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit da042392b5dab2b8808ff9df6611e362e4158c1e
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Dec 13 20:27:58 2010 -0500

    Include packaging/ocf as this is required for OCF builds of DKMS and source debs

commit 031b06c2c4f247043b5d4b8bb0d9df4a13087557
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 19:01:32 2010 -0500

    Add check for OCF kernel support in ipsec verify

commit 8ecd2e26bce91a13b9590ec538d42aec1bb8dd0d
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 18:48:45 2010 -0500

    updated changes

commit d0c802d34e3483f6e20faafb7eb5f366b60931ac
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 18:48:02 2010 -0500

    OCF: Added /proc/net/ipsec/ocf to indicate if we support OCF or not.

commit 832e275cfbaa972448ce7e543d27c238680497d2
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 18:31:42 2010 -0500

    added help on ocf compile line when just typing "make"

commit 7791e3accd90d5cbd51b8a73221716a62513e9de
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 18:22:04 2010 -0500

    Revert "Always enable CONFIG_IPSEC_NAT_TRAVERSAL on 2.6.22+ kernels, as it"
    
    This reverts commit fd957234bac18a81f8b82a5e5c46a2573c59bf73.
    
    This actually only enables the OLD style NAT-T - which we don't want
    to do on newer kernels.

commit fd957234bac18a81f8b82a5e5c46a2573c59bf73
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 17:53:00 2010 -0500

    Always enable CONFIG_IPSEC_NAT_TRAVERSAL on 2.6.22+ kernels, as it
    needs no separate patch.

commit 3aac0fdb23a40b78019ecee16da52923038ab6bd
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 17:49:06 2010 -0500

    disable CONFIG_IPSEC_NAT_TRAVERSAL setting in module build params

commit cfa6683903d4f60f6f3f8c38b660ce4de904d191
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 17:46:49 2010 -0500

    comments and settings for ocf version of klips/modules

commit 9adbaa0bda296484a880f433f8c09e5e04d36034
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 17:36:39 2010 -0500

    Added ocf default module parameters

commit 5109a73c09364a7a2814683256a20ae507e2c2c0
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 17:22:06 2010 -0500

    updated changes

commit c895de54099cba5b030518dfceabca941d20058c
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Dec 13 17:20:29 2010 -0500

    OCF: Update to OCF for SMP systems to allow using multiple CPU's
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit ae844ea21009a06273757035198e13d84267fa60
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 17:05:43 2010 -0500

    Change the mast0 fixup mtu to use 16260 instead of 1452.

commit 7300c3dc4881913da75865f4f840c24e6e35feae
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 16:51:00 2010 -0500

    enum_name() fix was not picked up in last commit.

commit d961057912c6d7c33eb09ef8071dd6c72b3d3843
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 13 12:59:04 2010 -0500

    It's enum_name(), not enum_names() to display the name.
    Dpd also needs to include pending.h for flush_pending_by_connection()
     prototype.

commit 9fc8c29666c19b1401d4b392a841f4ed834aa3de
Merge: 7e1cedd b6aae3f
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Dec 12 16:10:37 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan
    
    Conflicts:
    	CHANGES

commit 7e1cedd62a8381e4ce26d70d6bbe74e1940976b0
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Dec 11 19:42:29 2010 -0500

    update changes

commit 005846b84ce34060e10f2d6b671e1104276c81f4
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Dec 11 19:41:19 2010 -0500

    RSA: Fix generation of ipsec.secrets when missing on first startup
    
    newhostkey called rsasigkey with wrong arguments.
    rsasigkey usage string was not listing all options.

commit b6aae3fdad03f50686e0178e7f8bd3587df803f2
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 10 17:32:05 2010 -0500

    update changes

commit beced7a4b52682b2eb2d8c24a1326544ee463c20
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri Dec 10 17:30:11 2010 -0500

    When we delete in the dpdaction=clear case, also remove any pending
    phase2 requests we have for this connection.

commit 1540b2b8f84bec6f91ef2283ad61f12edfa3d48e
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 10 17:09:39 2010 -0500

    Make it clear with a cast that we're ignoring a return code in one
    call to terminating_a_connection()

commit 9abe43f6142161a719d662e96e014e1cd4bdb25d
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 10 17:07:11 2010 -0500

    log the kind of connection we're unrouting in the DPD clear case.

commit 9c22456b53202a4def5334ade700c75a31da5f25
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 10 12:57:15 2010 -0500

    added comment on last commit explaining why we "accept" an interfaces=
    with mast0

commit 5c45f4483cd131ce2f2e7082a03abdf05b13589e
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Dec 10 12:52:58 2010 -0500

    Fix support of interfaces="mast0=eth0"

commit 4e912d31826114ead61444dd3e77bd4e94d1292b
Merge: 2437b5b ca6c690
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Dec 9 21:45:38 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit ca6c6901343e3fb060eb2e2621f2ffcc6421e2cc
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 9 21:44:12 2010 -0500

    Automatically setup some dependencies in Makefile.inc depending on user
    choice. Also enable USE_MODP_RFC5114 per default.

commit 2437b5be75858a02907edd82b6c62c7856f1842a
Merge: 6e0a1a1 ccbca9a
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Dec 9 20:25:41 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit ccbca9abbedaf7a65d27094837952dc6d06db22f
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 9 17:32:57 2010 -0500

    fix typos in changes

commit bb05b34822c0cfe2997b5fdd74fa916e164ace34
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 9 17:32:32 2010 -0500

    suppress output in /bin/dash check if not installed.

commit 6e0a1a1dfb69cfdb3f4167dca1f3b451e7b0edd6
Merge: 20c9e21 404fa24
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Dec 9 13:26:12 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 404fa248c5b39dfe0295d631729454549a0e8790
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 9 12:32:12 2010 -0500

    Clarify Tuomo's fix a little bit in the comment

commit 20c9e21fea7320e2763af26a0f68ba2c461c0d1f
Merge: 4ab9f3d 921c4be
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Dec 9 09:00:09 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 921c4beab060768f1737312b28e231cad4415304
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Dec 9 10:46:12 2010 +0200

    Update changes.

commit c999293ea8def3eab5ca871a9a74ad53aa5ed670
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Dec 9 10:42:58 2010 +0200

    Fix for crash with dpdaction=clear on CK_INSTANCE.

commit 9f825bcf73a5d4e6c5c17c59affb46e819534fb1
Merge: 8bc4b25 a914ccf
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 9 17:14:41 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 4ab9f3d4e9dae2cfdd74844675cf3b2dceafdc9a
Merge: e7b0637 a914ccf
Author: Simon Deziel <simon at xelerance.com>
Date:   Wed Dec 8 13:07:04 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit a914ccf13a99cf2d012f3ac4208306db14662729
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 8 01:32:23 2010 -0500

    updated changes

commit ffa3a10fad8f8765cb6e75fa30c314f977970159
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 8 00:45:00 2010 -0500

    when building development spec, ensure all -O levels are removed (even
    ones without a number)

commit 2786ff0005afd2459f20fb2f913ea414de1e4c5c
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 8 00:06:48 2010 -0500

    Revert part of 031876ef64a475930028dc72bd335d4019db4bbc
    
    We must delete_states_by_connection() before unroute_connection()

commit 194283441253199a53a290ab777c53d7a56a8fcb
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 7 23:33:10 2010 -0500

    DPD: DPD_ACTION_RESTART would always execute DPD_ACTION_RESTART_BY_PEER
    
    A wrongly placed break statement caused these two actions to always happen.
    
    Also a cleanup of the switch statement removing checks and use a
    bad_case() instead.

commit d88936d552a69a6d037f83d08a6166d4340ceb60
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 7 23:16:11 2010 -0500

    fix some indentation

commit fe8082ec8ef805fcacdfb1c3f59f8346a6e6b944
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 7 23:13:21 2010 -0500

    Remove unused struct connection *c in handle_next_timer_event() [dhr]

commit 8127df12b8a85ff71d9f8047aa99dfa608dd6cc5
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 7 22:47:05 2010 -0500

    Remove broken code that was supposed to prevent duplicate printing
    of "processing connection". We'd rather see and/or fix the duplicate
    instead of fixing the broken code causing double printing to be hidden.

commit e7b0637d2f32137ce7dd6717b19f4c07c345dbec
Merge: 9cd1bbe 7443b0d
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Dec 7 16:19:38 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 7443b0db7abbc985da27895ee98cd35db16c0ef8
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Dec 7 15:43:54 2010 -0500

    Write out d->kind >= CK_PERMANENT fully, in case other CK_* kinds are added.
    It also makes it more explicit we are checking PERMANENT, INSTANCE, and GOING_AWAY

commit 9cd1bbe13f37af8288f0480e7260d2a89bba0490
Merge: e256f5e 4e54d7e
Author: Simon Deziel <simon at xelerance.com>
Date:   Sat Dec 4 14:03:53 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 8bc4b25876836ac40e903275a33bdce5a4a6f61c
Merge: a06f9d0 4e54d7e
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Sat Dec 4 17:43:58 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 4e54d7eb5e2d8bfa6dfee0964de2fec03997f0bf
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sat Dec 4 09:09:28 2010 +0200

    Minor changes for CHANGES.

commit e256f5e2bed763a4e8a4a9dec0327ade18864441
Merge: 126693f d3fc0b8
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Dec 3 18:10:41 2010 -0500

    Resolve a conflict on programs/pluto/dpd.c

commit d3fc0b817eab0e084489832b70d740d0c5043532
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 3 16:48:29 2010 -0500

    updated changes

commit 031876ef64a475930028dc72bd335d4019db4bbc
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 3 16:32:15 2010 -0500

    unroute_connection() before deleting it, not after it.
    
    This might fix a DPD crasher.
    
    Also, add a warning when dpdaction=%hold triggers on an instance.

commit 126693f914921d39bc8dfc6e73fe4172e5056872
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 3 16:39:17 2010 -0500

    updated changes

commit c5984de5ce05112eb3a3392f0d9fedc5f916fa2f
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 3 16:32:15 2010 -0500

    unroute_connection() before deleting it, not after it.
    
    This might fix a DPD crasher.
    
    Also, add a warning when dpdaction=%hold triggers on an instance.

commit e4c05f55a00a82cd2fdec62c2207eaf487970f1a
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Dec 3 14:15:18 2010 -0500

    OCF: Show whether we are compiled with OCF support on pluto startup

commit a06f9d0ea2411dcd93eb71df1bc7bd1bf453813d
Merge: f17622e 261731a
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Dec 3 15:56:07 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 261731a50386e1f919d471cead14f91ab79ce770
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 2 20:49:32 2010 -0500

    fixup of echo line

commit f17622eab8cbb210fb93d674662e0965f3aa5850
Merge: 961a8ee f4145ad
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Dec 3 09:34:13 2010 +1000

    Merge branch 'master' into klips-ipv6

commit f4145addb248dbd692907320d72b12a8ae83810f
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 2 16:31:47 2010 -0500

    updated changes

commit 7d65a2ef31d180ccf8bf541ccf285a1d4861de35
Merge: f768401 2c0a805
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 2 16:14:58 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit f768401c7c50a9a22d0ab1a4c6b6a508ef45cd2d
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 2 16:12:15 2010 -0500

    updated changes

commit 2c0a80535d36b3c04ad100cbd1ef895c91537a89
Merge: 5e679e7 2df63b6
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Dec 2 22:05:28 2010 +0100

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 5e679e7094292eaa71d701aef3aa7a84e0f78ffd
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Dec 2 22:03:32 2010 +0100

    Make the init script check for errors in the config prior to execute
    start/restart/reload actions.

commit 2df63b67ffd4e0bc2f1264e5b6133b13d3aec6e1
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Dec 2 15:49:05 2010 -0500

    osw_alias_cmp has a bug.
    
                    s += nlen;
                    while(*s!='\0' && *s!=' ' && *s!='\t') s++;
    
    Why?  We should advance in s to the next possible match.  That is not
    nlen characters hence, but only 1 character hence.  And then we should
    start the attempt AFTER the next whitespace character, not at it.
    
    So this code has probably never found a match that didn't start at
    offset 0 in haystack.  Why?  Because every search after the first
    starts looking at a whitespace character and that cannot match.
    
    But the actual bug that caused the dump is that the remainder of haystack might not
    even be nlen long, so scan of s may skip the NUL at the end.
    
    Does that mean that the scan is redundant?

commit 9cd6e6aad4f85d2f2218364062f2ca4bd87812b1
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Dec 2 21:41:15 2010 +0100

    Add --checkconfig option to addconn in order to just check a config
    file for valid syntax in all sections and bail out on an error.

commit 7259945179b026905de655537d99f7a1e5e9b94f
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 2 00:51:10 2010 -0500

    UML: newer uml kernels need to be started with rootfstype=hostfs

commit dbd87fdeb7ef76c5f742b7382231c61e9f2db1a9
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Dec 2 00:09:47 2010 -0500

    Unset CONFIG_STATIC_LINK in testing/kernelconfigs - it causes uml to
    crash on too modern (two year old :) gcc's.

commit 961a8eeb4fe894fcd0ad91937b44ed4824c37e03
Merge: 636c2c9 7124065
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 2 13:35:05 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 7124065bb6e6073bf206f66d1c206df6fa1d71ce
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 2 13:34:05 2010 +1000

    Order algs correctly for OCF processing
    
    When mixing AUTH/CIPHER algs,  the crypto descriptors need to be in the
    correct order for OCF processing,  otherwise,  depending on the driver,
    incorrect results or EINVAL will be returned.
    
    	rcv:  auth + cipher
    	xmit: cipher + auth

commit 636c2c97118be5d837b8a55455c3dbb7bb355c16
Merge: c1f5bcd 319ebea
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 2 12:09:44 2010 +1000

    Merge branch 'master' into klips-ipv6

commit c1f5bcd83c364d23cb14f4f630c6e3ee7884d7e1
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Dec 2 12:04:37 2010 +1000

    Order algs correctly for OCF processing
    
    When mixing AUTH/CIPHER algs,  the crypto descriptors need to be in the
    correct order for OCF processing,  otherwise,  depending on the driver,
    incorrect results or EINVAL will be returned.
    
    	rcv:  auth + cipher
    	xmit: cipher + auth

commit 319ebea8bd204a411e346fc7fda1761ef843fb88
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 1 18:56:16 2010 -0500

    delete a makefile patch meant for linux 2.2

commit cf7b5852fc79cfc5a91b7419f5a79b2073efe9e2
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 1 18:47:31 2010 -0500

    Fix the net/Makefile patch to modern 2.6 kernels. Instead of trying
    to tag on at the ever changing end of the Makefile, change it near
    the alternative stack (XFRM) which seems pretty static.
    
    This fixes building via "make check" on our uml testing infrastructure

commit 4299fe20761bca4e5ec11d51ea53ee1e26aa1df9
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Dec 1 21:29:25 2010 +0200

    Add define development which removes optimization from optflags.
    Cleanup efence stuff.

commit 52fa63a0b49118a7840944fbe5a1b2797f5b30cc
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 1 13:24:05 2010 -0500

    updated changes

commit f7177b19047f1e00dd7b45eb54413bb863db4000
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Wed Dec 1 13:21:33 2010 -0500

    quick_inI1_outR1_cryptocontinue1 calls start_dh_secret.
    
    After start_dh_secret returns this code will then execute:
    
            if(e != STF_SUSPEND) {
                if(dh->md != NULL) {
                    complete_v1_state_transition(&qke->md, e);
                    if(dh->md) release_md(qke->md);
                }
            }
    
    In the STF_INLINE, this is probably wrong:
    quick_inI1_outR1_cryptocontinue1 has already called complete_v1_state_transition
    and it has freed *dh.
    It called quick_inI1_outR1_cryptocontinue2 which did the release_md too.
    
    So this code would be more correct if the first line were
            if(e != STF_SUSPEND && e != STF_INLINE) {

commit f53bd270792a1d745bc32f6c4377892016d0a51e
Merge: 2a55f91 4b473c9
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Dec 1 16:25:17 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 4b473c90c0acb045d45d7f8a52023dd97dc78454
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Dec 1 01:12:30 2010 -0500

    remove weirdly placed "0" in comment.

commit 56c06bf83c8764ed11a4f1c927361da138806a1f
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Wed Dec 1 00:09:20 2010 -0500

    When logging with plutodebug=all, in ikev1 we called DBG_dump()
    with the wrong length caused by using pbs_room() instead of pbs_left()
    
    This used to be undetected - linking against -lefence caused this
    to trigger a segfault.

commit 2a55f91158354d3434603690a99b13e855239cac
Merge: f43c224 6448936
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Dec 1 09:12:20 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 64489360bbc3907da44ab6a09d73c54093a3eb85
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Nov 30 16:17:03 2010 -0500

    Add buildefence flag to openswan.spec file for easy enabling of efence

commit 21476ada0919a86a36fcc32c93ac95963e6007f9
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Nov 30 09:35:39 2010 -0500

    Do not remove IPv6 IPs when removing IPv4 ifconfig's style aliases
    The problem was reported by Davidm.

commit f43c224b959d9c34f011f71a442fcdb15f6efc99
Merge: 0977220 cefd1df
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Nov 30 13:32:29 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 09772208abde2dadabb32f7a546ae7bc6d96ec77
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Nov 30 13:27:20 2010 +1000

    IPv6 support for non-OCF users inc. IPCOMP
    
    Bring all the IPv6 support up to date for all non-ocf
    code paths.  ifdef out unused code that is not ok
    for IPv6,  we should delete it all ASAP,  it's just confusing
    when looking for code use.

commit 12dc4ea15cebbe6ed2de896b9889bcba86ad3537
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Nov 30 13:23:43 2010 +1000

    Switch to KLIPS_PRINT to reduce noise
    
    If OCF can't do something, log it with KLIPS_PRINT,
    it's really only DEBUG info that you need when things are going
    bad,  not something that is needed otherwise.

commit 9f9f6642a388b440d2840ca18587e0db1b73971b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Nov 30 10:51:28 2010 +1000

    Prevent long DNS lookups on alt. addressing
    
    Not that ttoaddr handles IPv4/IPv6 notation properly,
    we can just use the one call,  preventing big hangs in
    pluto while DNS times out.  This code should be moved to
    use async DNS if possible,  though it isn't usually needed.

commit 741ea26ca8c2730f8438c1df8b9c096d43c86afd
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Nov 30 10:49:41 2010 +1000

    When family isn't defined, match IPv6 addresses
    
    Need to ensure that we never go to DNS for IPv6/IPv4 addresses
    in ';"/'.' notation if the family is not defined.

commit c09b80e85919455a5aa5cfb21643a1b3a08d343e
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Nov 30 10:44:17 2010 +1000

    Remove ipv6 protocol at unload properly
    
    So that we can be reloaded or switch to netkey :-)

commit cefd1df98bd756212d36bb0e57ef6ef2946bbceb
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Nov 27 21:49:25 2010 -0500

    Added a check in "ipsec verify" for /bin/dash, because it is just too
    incompatible with /bin/bash. We try, but today I found another issue
    in testing/utils/make-uml.sh

commit b90fbae3077c7d8a22d650dfa5b7b1d7d307211a
Merge: eab5802 c447a2d
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Nov 26 14:20:38 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit eab580291de5a86f228edadb4d0476dd7808fa0c
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Nov 26 14:19:41 2010 -0500

    Added nat-pluto-08 and nat-pluto-09 testcase to test vnet: keyword
    and vnet: per-conn subnet addition.

commit c447a2d687f603b75b9f4afcc5d9d30c5db87643
Merge: 74e67e7 46d5a4e
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Nov 26 14:02:02 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan
    
    Conflicts:
    	programs/algoinfo/algoinfo.c

commit 74e67e7cdcb9ae746bd409b5a0d1ef630a1269e6
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Nov 26 14:00:35 2010 -0500

    Remove unfinished old algoinfo code

commit 46d5a4e6d3f1696f69ccf16d30713df81bb97da1
Merge: 2a8ea05 9298031
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Nov 26 13:20:24 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 9298031b5557945d5c47f588b98b281fdee332bc
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Nov 26 13:13:34 2010 -0500

    updated changes

commit 24ca1cc42b235d55043c1920cc5d4b10d28b0136
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Nov 26 13:09:51 2010 -0500

    Revert "Added pluto option --impair-shared-phase1 which causes pluto to never"
    
    This reverts commit e31f38dcfd1bfabee26c7348c5d8edad59fe9624.
    
    When specifying separate leftid/rightid for each conn, we already skip
    sharing the phase1. This patch actually caused a crasher on --down.
    
    example:
    
    conn c1
    	left=@c1l
    	right=@c1r
    	leftprotoport=17/1
    	rightprotoport=17/1
    	also=base
    conn c2
    	left=@c2l
    	right=@c2r
    	leftprotoport=17/2
    	rightprotoport=17/2
    	also=base
    
    conn base
    	[...]

commit 2a8ea05ced5e82e4233eb9fe6fd1e56e13342840
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 22:10:54 2010 -0500

    Replace RCSID with ipsec_version_code()

commit b6f841986f4115aeb20a1f4185764ba8dbf0a00d
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 21:50:27 2010 -0500

    Make GCC happier with initialization style

commit 57a73274b6b32b10cd8b4e9f5ca726171392853b
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 17:58:58 2010 -0500

    sizeof() return type is size_t

commit 44998c411838e40b83b3a15cef978b42cf334d0c
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 16:49:06 2010 -0500

    Silence an unused variable and make some functions static.

commit 89f6f165c1986f9009df7197353246a4893104d3
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 16:26:09 2010 -0500

    GCC prefers to have the static keyword before the structure definition.

commit 412cb525e456978309c34f738b016fad2edeb238
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 16:20:27 2010 -0500

    Properly identify aliases interface

commit cc8e9614089d3da833f6a179d99a7dd2359ead1b
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 16:01:29 2010 -0500

    Remove ifconfig style aliases when creating ip aliases on virtual interfaces

commit a592691a31fe50fd27956358d50b6a388192fb36
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 14:01:21 2010 -0500

    Fix the empty if body to include the DBG call.

commit 6e3509b9603bc21088c3835b745c9ea3e9037732
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 13:49:05 2010 -0500

    Set environment in plain English using LC_ALL consistently everywhere

commit 2648f8e906928977cb7d8da93b26a0bb79c73aa8
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 12:42:18 2010 -0500

    Set environment in plain English using LC_ALL consistently everywhere

commit a26cefe781f875fc768895e39960abfbd5367aee
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 12:38:12 2010 -0500

    Use variable substring removal for uniformity

commit 1376e87675b782245c3cea891d5bf0800c68de8d
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Nov 25 12:34:59 2010 -0500

    Enable init script debugging when IPSEC_INIT_SCRIPT_DEBUG is defined in the environment.

commit 62ee556f2c780ba6e43c061af9a59871f6560174
Merge: 3f39a2b fa0fce1
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 25 14:46:04 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 3f39a2b6edbefe62ade7011db1a9080ee7698085
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 25 11:56:09 2010 +1000

    remove duplicated copy of code

commit fa0fce14e0ce1af50ca617f706d488f2dfc30302
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 21:00:52 2010 -0500

    Warn if bytes read from cert-blob coded file is not what we expected.

commit 64f82d502bfaa4193598cc18d4d700f43e3f766b
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 20:35:01 2010 -0500

    Update the man page of ipsec.conf to reflect the change for sareftrack= which now defaults to yes

commit 35ad2f2818b2b768a289eaa57db95637c727079a
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 19:34:28 2010 -0500

    Revert "Make the file descriptors const as they are not reused."
    
    This reverts commit a0feb2f47da3d7acd4b29924d0c40325d8f8f604.
    
    Conflicts:
    
    	lib/libopenswan/certload.c

commit cf1d2159a5c0eba1f28881986e32b9b0a8ccb5c5
Merge: b05f39f d7ecd23
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 17:26:37 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit d7ecd23df4ff1ba14b8640e2f24c0de083943b75
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 17:14:56 2010 -0500

    fix type of bytes to size_t

commit 37a218d5d6ceb33a634ea5018d5b0cf59f63e0ee
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 17:11:47 2010 -0500

    missing ;

commit b05f39fde978d3c6a206461beeb9a66568d42c07
Merge: 8c5e50a d3a5279
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 17:11:19 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 8c5e50ac8fca7a23de6a319f19759f3c54b0b710
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 17:11:15 2010 -0500

    Fix printf format.

commit d3a5279108f4819ef7e15fc7075adb5018db8628
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 17:10:03 2010 -0500

    Warn if bytes from cert blob read is not what we expected.

commit e10b92d701557d3686526c82dac5643c410b70c5
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 17:09:54 2010 -0500

    remove temp marker

commit 344e8a62565be75ada382cf3d39a57b10dea85b5
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 17:00:25 2010 -0500

    updated changes

commit e9556509c43eef0049f6776612a59a3b97f071ea
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 16:59:21 2010 -0500

    Set sareftrack=yes as the default policy (unused on non-mast stack)

commit 14cb6dacbd8449a872fc8e1838173d988e6a838b
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 16:55:22 2010 -0500

    swap two declarations (putting one with initialiser last)

commit 3ed28c10bfb832922fb7c50916f22a27ffcf5972
Merge: b8889cf 60f0d7b
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 16:49:08 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit b8889cf4aaca5a6eafeed97589aaa144da4142f1
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 16:48:56 2010 -0500

    updated changes

commit 60f0d7b45852b5035e31b4d37d82eda31248feb5
Merge: a0feb2f b905b75
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 16:45:23 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit a0feb2f47da3d7acd4b29924d0c40325d8f8f604
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 16:45:17 2010 -0500

    Make the file descriptors const as they are not reused.

commit 9a3355c0598e254f2497f79acedbb65a9d8224c6
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 16:44:53 2010 -0500

    When AUTH fails (PSK or RSA) return STF_FATAL instead of STF_FAIL in IKEv2.
    This deletes the current state/cookies. Without this, in IKEv2 we would try
    to rehash_state() on the next retransmit packet from the remote and crash.
    
    There might be a better fix, though I'm not sure why we should keep the
    state object when AUTH has failed. The connection will not repair itself
    
    (though we might end up redoing the same to delete the same, causing more work?)

commit d524491b503eca2a1b9f2c2eec8cb958ab249185
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 16:40:14 2010 -0500

    Fix printf format arguments.

commit e6cb2455ed3dd1b41828285522d785389d3b82f6
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 16:05:55 2010 -0500

    Change echo -e to printf to remove a bashism in postinst script

commit b905b750358b65c3fdf0ea597f5e638b26034714
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 15:05:12 2010 -0500

    Make the id->id_vname clone string names unique.

commit ea014fa3cfc9c7609b91a4e0fd7c4161a5ffab3c
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 13:31:58 2010 -0500

    Fix printf arg: "0" is not a valid flag for %p

commit eb1d14b97d1ef5fcae4e272879d70df722282cc4
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 12:32:02 2010 -0500

    updated changes

commit f2f9cbf6687d92fff76e0e5067ed13c085df23f4
Merge: a698f38 5accd71
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 11:34:06 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit a698f384a12d66ebf3273ddd549da08fa9174f29
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 11:33:17 2010 -0500

    Ensure the mast0 device is up, now that we no longer call "ifconfig"
    in kernel_mast.c since it no longer requires setting an IP address.

commit 5accd71761b687bd2c0f5a20c6003331e54c0e29
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 11:23:43 2010 -0500

    Fix printf format arguments.

commit f5144b7e498e3006e7a9542263abc2636c407fe7
Merge: 10e666f 53d75d7
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 10:43:33 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 10e666f9d6f4a0621db11c660a5dd04437c80fed
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 10:43:20 2010 -0500

    Add a missing then in _startklips

commit 53d75d7c9dc6b77afac312c30a190fc7f3ec8664
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Nov 22 10:38:36 2010 -0500

    Do not configure an IP address for mast interface. We route into it
    using the route 50 table from the main routing table.

commit 65cd43530a47aeb8ac782d54678f2e54cb2ec2c6
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 22 09:07:53 2010 -0500

    Do not link the builds for Debian against lber as USE_LDAP=false (default)

commit 1d2d32ed158dceebd8d29030cbb9b4a619821814
Author: Simon Deziel <simon at xelerance.com>
Date:   Sat Nov 20 15:51:37 2010 -0500

    Remove useless virtual interfaces in reverse order.

commit 693ecb745d33935a980b3cc1b2dcce6f682956c1
Merge: 63ee302 218dc3d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Sat Nov 20 21:35:18 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 218dc3d65ded02257e12c726f01c0d186f941c9f
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Nov 19 14:26:59 2010 -0500

    Remove all ipsecX when protostack=mast

commit 7a6cc9e9f2a4692f1e5da7c78b52fa2f32ced38b
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Nov 19 13:46:26 2010 -0500

    Cleaner removal of the "secondary" keyword that was used to create ip aliases on virtual interfaces

commit ac11f13e3bc9ed6b3414354cc36cc1b5cfde281f
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Nov 19 13:36:57 2010 -0500

    Remove "secondary" keyword that was used to create ip aliases on virtual interfaces

commit fb30cbd32eaa3d04eee575f8ac538c86068da020
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Nov 19 12:46:23 2010 -0500

    updated changes

commit f98730ef732fa025b652534c5b2f01181a1f3f35
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Nov 19 12:42:24 2010 -0500

    KLIPS: Better interface handling in _startklips
    
    Some code assumed ipsecX already existed. This might not be true anymore
    in the near future (and was never true for ipsecX > 2)
    
    We now tncfg --delete mast0 if we use protostack=klips
    We now tncfg --delete ipsecX if we use protostack=mast
    
    This should reduce clutter of unused interfaces.
    
    Note that currently, ipsec0 cannot be deleted. This will get fixed soon.
    Perhaps the code needs at least one of ipsecX or mastX for safety reasons
    on handling /proc/net/ipsec/ files. If so, the module init code will have
    to ensure we always have one type of virtual interface set.

commit 63ee302c2cacc7ed40a285f80c3ec6790ff616a5
Merge: c32a029 4d65a79
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 19 15:19:53 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 4d65a7946824b24a92515289ff691cc30a6f0306
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 18 23:19:00 2010 -0500

    updated CHANGES

commit a57c494aa76395ffdcbfb3c30fedc9664659e81b
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 18 23:11:08 2010 -0500

    updated changes

commit e31f38dcfd1bfabee26c7348c5d8edad59fe9624
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 18 23:09:53 2010 -0500

    Added pluto option --impair-shared-phase1 which causes pluto to never
    share a phase1 with multiple tunnels. This is used for benchmarking and
    stress testing

commit ccb855a7e81e1a5fcb23500e89c442948d974f97
Author: Bart Trojanowski <bart at jukie.net>
Date:   Mon Oct 25 11:26:25 2010 -0400

    avoid routes towards virtual ipsecN interface
    
    The issue was discovered by Roel van Meer, who provided the original patch.
    
    * Roel van Meer writes:
    > When openswan is used with klips, it creates a virtual device at
    > startup. The virtual device is associated with a physical device and
    > the ip addresses present on the physical device are also assigned to
    > the virtual device. By assigning these ip addresses to the virtual
    > device with the same netmasks as they have on the physical device,
    > routes for locally connected networks are created through the virtual
    > device. In most setups, these routes are never used, since the route
    > through the physical device takes precedence because it was installed
    > earlier.
    >
    > However, in some setups, the route through the virtual device would
    > take precedence, breaking connectivity to these networks. This happens
    > with Ubuntu 10.04, which has non-zero-metric routes and when using
    > Julian Anastasov's routing patches.
    >
    > Avoid creating these routes by assigning ip addresses to the virtual device
    > with a netmask of /32 (for ipv4) or /128 (for ipv6).
    >
    > This also means the ubuntu route metric fix is no longer necessary.
    
    Signed-off-by: Bart Trojanowski <bart at jukie.net>

commit 84d22b9c1f9922a3981350e0d912dddb2ebfbc59
Author: Bart Trojanowski <bart at jukie.net>
Date:   Mon Oct 25 11:24:24 2010 -0400

    fix interface parsing in getinterfaceinfo()
    
    - otheraddr needs to be returned even if empty (thanks Roel van Meer),
    - return type as before IPv6 port

commit c32a029f3d105ff458ab30244c9132f3b4c912d5
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 18 22:44:49 2010 +1000

    Compilation with CONFIG_IPV6 undefined
    
    Make sure it still builds for kernels with IPV6 support disabled.

commit b1e438f2a08fbe2e64c6c785382bee30707b50e3
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 18 21:51:05 2010 +1000

    Switch to normal C style comments

commit 774711b34376aa827c2efce936ee98be2acb7967
Merge: 3408e36 e1541a1
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 18 21:50:07 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 3408e36fa4c895286e0a0bbefe537f39c130b6bd
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 18 21:48:12 2010 +1000

    Fix args to inet_addrtot
    
    Compiler warnings due to incorrect args passed to inet_addrtot.

commit e1541a10548cdcd65a6d6c699bf895a12fd9e31d
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Nov 17 10:20:43 2010 -0500

    updated changes

commit f1fa738e3a5530a1b6972407e138043e4dddf301
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Wed Nov 17 10:17:00 2010 -0500

    This is related to redhat bz #646718, which is related to interop issue
    between Openswan and Racoon2 in transport mode.
    This patch has been tested by redhat QE. It specifically checks all
    received notifications to determine the presence of USE_TRANSPORT_MODE
    as there may be multiple notifications, and USE_TRANSPORT_MODE may be
    or may not be the first one.

commit f100262e4e9739789be5dca298fed437d8b3378b
Merge: b19ed5a d57e51f
Author: Simon Deziel <simon at xelerance.com>
Date:   Wed Nov 17 08:59:33 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit b19ed5a79d0957fb50ac939559860d287cf762da
Author: Simon Deziel <simon at xelerance.com>
Date:   Wed Nov 17 08:58:08 2010 -0500

    Support ipsec10 (or mast10) and higher in the interface="ipsec10=eth10"

commit 4cc750be24f5a90f6eb782a40d32651dc211d107
Merge: e6c8167 d57e51f
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Nov 17 10:33:56 2010 +1000

    Merge branch 'master' into klips-ipv6

commit d57e51f66f61bc78460cc799d0558be8892aa3b8
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Nov 16 10:58:19 2010 -0500

    added comment

commit 4ac19dbe595eb2317a5b7a3b6f77610f31070718
Merge: 78428c2 0768ab8
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Nov 16 10:51:14 2010 -0500

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 78428c288d602f0b8d778441b4ff4d9c8b0841dc
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Nov 16 10:50:54 2010 -0500

    updated changes

commit 2358dcf5f324a819fb1c19da92befbd5a2823816
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Nov 16 10:47:22 2010 -0500

    Log and ignore IKEv1 private notification type 40001 for Netscreen.
    (payload contains the internal IP address)
    
    Fortunately, the FreeS/WAN forefathers were strict about proprietary
    extensions - rejecting unknown extensions is the way we get to know
    about them in case we need to add any (non-IETF) interop code.
    
    Patch by Andreas Steffen and Daniel Fritz

commit e6c8167e0a533224784f054fdad08635ceb7c834
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Nov 16 16:22:26 2010 +1000

    Fix string compare, == won't do it
    
    Also fixes a compiler warning.

commit 0768ab88228e92470af7163db0587d2e69466bfe
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Nov 15 14:50:10 2010 -0500

    Fix the duplicate help about tncfg --attach

commit e2b6d04c80947c0f692d9e18656cda7b9262b6a3
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Nov 15 22:01:28 2010 +1000

    netkey interop with IPv6 and IPCOMP
    
    Tested all combinations of IPCOMP/IPv4/IPv6 against netkey,
    everything tests out ok with large and small packets.

commit cb2814674bd4ce8b4d8d9f84cdb857b94286332b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 12 20:16:41 2010 +1000

    Fix up OCF ipcomp for ipv4 packets
    
    Fix up a mis-merge from cfbb62e7dc1bdd67dbabb77557739c87beb8f13b

commit 9fd563586d9fb16391bd5b24189d5b57d0a20c7d
Merge: cfbb62e 4bbd87a
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 12 14:04:33 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 4bbd87a36ef47cd677a04d676e11a5cb86fc395f
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 11 21:49:38 2010 -0500

    Move some initialisation code around to work on older compilers.

commit 1cb0652942a2e803c9322804fe5ca204856155ba
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 11 18:26:18 2010 -0500

    David's nicer patch for compilers with no PRINTF_LIKE(x)

commit 896a7049cdea8b0ff3967ac860da124ccef3da61
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Nov 11 18:18:50 2010 -0500

    David's patch for compiling on older 2.4.x kernels that have no moduleparam.h

commit cfbb62e7dc1bdd67dbabb77557739c87beb8f13b
Merge: 4960e5b ab0f51b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 11 15:14:15 2010 +1000

    Merge branch 'master' into klips-ipv6
    
    Conflicts:
    	linux/net/ipsec/ipsec_ocf.c

commit ab0f51bdc4c3631c7c942cd327f9db67d2a3d018
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 11 14:57:26 2010 +1000

    Fix up usage of crp_olen as returned from ocf
    
    Fix up use of crp_olen for the returned length of operations. Add some
    useful debug to OCF's ipcomp handling.

commit 1937a90c4aa4946e7d717982805dc111f114e235
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Nov 9 21:31:20 2010 -0500

    Allow asymmetrical protoport= lines when loading a connection.
    
    This is needed for situations like leftprotoport=tcp/80 rightprotoport=tcp/%any
    to support "http only" policies.

commit 4960e5b4513aa385634bb608edd04a0009e60a45
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Nov 9 21:31:20 2010 -0500

    Allow asymmetrical protoport= lines when loading a connection.
    
    This is needed for situations like leftprotoport=tcp/80 rightprotoport=tcp/%any
    to support "http only" policies.

commit 056cac0a186daabc302efe7415b24004a2af1d70
Merge: 8de7928 140962d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Nov 8 14:50:55 2010 +1000

    Merge branch 'master' into klips-ipv6
    
    Conflicts:
    	linux/net/ipsec/ipsec_ocf.c
    	linux/net/ipsec/ipsec_xmit.c

commit 140962d2fbe99bfc6bec549a0337c36274a622d0
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 5 16:41:17 2010 +1000

    Allow LZS compression to be selected
    
    This is at kernel level support only,  pluto would need more changes
    to be able to select/negotiate LZS.

commit 288158a1d09c422181cdaed12a642ffb01566ddc
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 5 16:34:08 2010 +1000

    OCF accelerated IPCOMP support
    
    These changes allow ipcomp to use OCF based HW acceleration.
    
    Currently the uncompressed data is saved in case of error so that it can be
    sent uncompressed in that case.

commit 8de792887507bdc3e3cab9516c9fd74c2f30ba8f
Merge: cd4e4ae 75ed381
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 5 16:31:25 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 75ed38199b900d0e90c0548792c9ee78f566233d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 5 16:25:12 2010 +1000

    Rename IPCOMP_DEFLAT to IPCOMP_DEFLATE
    
    Rename IPCOMP_DEFLAT to IPCOMP_DEFLATE to match the names in ipsec_policy.h

commit cb435402026c40d2a459a8854fb32f6f46cc8797
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 5 16:21:22 2010 +1000

    Add IPCOMP_NONE to match ipsec_xfrom.h defs

commit 1da8410c3d49ec4f3ebb540cdc665bd9c57e1403
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Nov 5 16:16:53 2010 +1000

    %pI4 not supported by standard sprintf
    
    so expand out the old NIPQUAD options to get useful output in the testing
    code.

commit cd4e4aec1e546631313bf3e0a75f74e13bd14421
Merge: c4a1960 ce114c5
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 21:20:30 2010 +1000

    Merge branch 'master' into klips-ipv6

commit ce114c555cb956e0411619e509a0eda64fbb4a17
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 21:10:09 2010 +1000

    Remove last bits of NIPQUAD and friends
    
    Follow Harald's lead and get rid of NIPQUAD altogether.

commit c4a19605b8b080bb4a358b7a433b916ef4fb0ee9
Merge: ccdb0c7 b329af3
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 16:38:31 2010 +1000

    Merge branch 'master' into klips-ipv6
    
    Conflicts:
    	linux/net/ipsec/ipsec_xmit.c

commit b329af3de7bd326036304f61a6d3c81c768247a0
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 15:55:02 2010 +1000

    Handle heavy loads gracefully
    
    Under heavy loads (usually with HW crypto) openswan will exhaust
    its TX descriptors.
    
    Openswan was only stopping its queue once it was full and a further
    transmit was requested.  This was inducing a memory leak in the kernel.
    It is also not the accepted way to report an overly busy device.
    
    Clean this up to stop the Q as soon as we fill up.  This prevents the leak
    and plays nice with the kernel.

commit 20857a148793bf5215e98216902a3f76a3801f91
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 15:31:03 2010 +1000

    Cleanup use of IPSEC_NUM_IF and IPSEC_NUM_IFMAX
    
    This was a bit of a mess with IPSEC_NUM_IF used when IPSEC_NUM_IFMAX was
    intended in a number of places.  Also a couple of bad edge cases where
    arrays could be indexed at IPSEC_NUM_IFMAX which is off the end.
    
    Get all the usage consistent and fix the bugs.
    
    As a side effect, you can now configure ipsec4 with tncfg without having
    ipsec3 configured, which seemed to be the intent, but was not possible.
    
    /proc/net/ipsec_tncfg shows all configured devices now and not just those up
    to IPSEC_NUM_IF.  Which is traditionally less than IPSEC_NUM_IFMAX.

commit 4207d72af0540a17a92ffae5bd929d19346b57b4
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 15:26:58 2010 +1000

    Allow you to configure IPSEC_NUM_IF
    
    Allow the user to configure IPSEC_NUM_IF via the CONFIG_KLIPS_IF_NUM
    option.  This is the number of ipsecX interfaces to create at init time.
    As before, more can still be created by the user with tncfg --create, up
    to IPSEC_NUM_IFMAX.

commit 943f283fd0e1d3aeaf751735e4de36ded209e55b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 14:51:31 2010 +1000

    print formats argument missing on new kernels
    
    Don't just ifdef the argument on new kernels or it will not match the fmt,
    include the appropriate new value :-)

commit 9276c6e3db2d4e452ea3646c8840a90f0a817306
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 14:46:12 2010 +1000

    Updates for linux-2.6.36
    
    route dst and NIPQUAD/NIPQUAD_FMT changes in the new kernel
    me some more kversion changes are needed.

commit 34d16e6d6e3a325d4a72e539e3ec4a47e19f3b07
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 14:36:31 2010 +1000

    update to latest OCF cryptodev.h

commit ccdb0c7811da91404ac2d48e990d87ba2fab7a7d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 13:53:22 2010 +1000

    Post merge from master fixup
    
    The changes from 0b02a5ab6fadcdabe33b295c95e581f7a505d326 did not come
    across completely in the merge.  Fix that up now.

commit 3245451edb1389886acb706d4a0bfce268027180
Merge: 13c9381 b7e63fc
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Nov 4 13:47:56 2010 +1000

    Merge branch 'master' into klips-ipv6
    
    Conflicts:
    	linux/net/ipsec/ipsec_tunnel.c

commit b7e63fc98e5db495f9ba6fbf3eec4ea773daff12
Author: Simon Deziel <simon at xelerance.com>
Date:   Wed Nov 3 15:07:07 2010 -0400

    Add a proper Default-Start for Debian packaging

commit b62537a790e9bfee46fdd078e2b6b7a95d680af5
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Tue Nov 2 07:50:07 2010 +0100

    fix internal manpage number to comply with external one

commit d39cd607d920d26a623a82be19483fa7b0842fac
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Mon Nov 1 13:44:45 2010 +0100

    fix little xml/manpage naming issue

commit 204e3d99484267fc8b2016ec31381f7453d58707
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Sun Oct 31 23:05:47 2010 +0100

    modified manpages for doclifter compliance and used them to produce xml files
    (unintentionally reverting previous change)

commit 85adb2be418a23187421e76ce37f20b0a16d4c75
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Sun Oct 31 21:42:46 2010 +0100

    modified xml files to later produce better manpages (added ipsec_)

commit 65262a9c873e2d24ea0cb00d1734b101527d27ec
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Sun Oct 31 03:59:51 2010 +0100

    fixed some little manpage problems

commit 550e85477760307c2f81ca540b093efacca57674
Merge: a629afe 46a7b65
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Sat Oct 30 16:13:50 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 46a7b65f774590f69879b3d05fddf90e55bfb8c5
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 29 17:28:37 2010 -0400

    Set pluto_listen to NULL instead of "";
    This avoids the bogus error message when no listen= option is specified:
       | invalid listen= option ignored: empty string

commit 12d898847eaf58543d9f506971ff39e3be316f97
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 29 15:38:30 2010 -0400

    update changes

commit 2694109d3fc1a756c1ba9131db037d67761c9540
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 29 15:36:28 2010 -0400

    Added HAVE_NO_FORK?=false option to Makefile.inc. If set to true,
    this will force the --nofork option to pluto, and change the adns
    worker to use vfork() rather than fork()

commit a629afe077a23c465196aeb3dbed8c134a98ba80
Merge: 92dcf66 9cde00e
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Fri Oct 29 20:20:39 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 9cde00e2f54919b98044f3c4740a99df424a05a5
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Oct 29 15:59:22 2010 +1000

    Fix nommu workaround to set length to 0

commit d183e1f6231c58ba6b3e453ef087be6308e0f392
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 29 00:16:46 2010 -0400

    On __uClibc__ if init_adns cannot find /proc/self/exe, try to find
    lwresq without using a path. It seems some nommu kernels do not have
    /proc/self/exe.

commit 221442bc1df98f07d25bad5a15264f927122c5f9
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 28 23:53:55 2010 -0400

    updated changes

commit 16989a3d0849ae8bb71df396d7f76ab4d6a63c03
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 28 23:53:00 2010 -0400

    If pluto is started with --nofork, then also disable nhelpers
    This is needed for systems without the fork() system call.

commit dc49223c008cc2e4ad7307fe5d6f566a1ba7f61b
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Oct 27 23:11:28 2010 -0400

    Rewrite NIPQUAD() using %pI4 as the macro has been removed from 2.6.36

commit 92dcf66d2ab8c8230e160ae40d5566d6377e4026
Merge: 7904955 af3f3f5
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Oct 27 12:08:30 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit af3f3f5ac0fd25ae3d642265d0795400ed499fb2
Merge: 4d3fcc5 aa4337b
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Oct 26 16:12:49 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 4d3fcc5fd4e62ee33312448fd1bc8a2878a7b8d2
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Oct 26 14:01:44 2010 -0400

    Update the Lintian override file about long man page line

commit 7d94aeca6623fad25454955a559ec6e45ac6ab63
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Oct 26 13:57:53 2010 -0400

    Move the comment about the LSB header of the init as Lintian complains about it.

commit 0c60580633c361187d9894531881fd6681a8f5f2
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Oct 26 13:56:39 2010 -0400

    Fix Vcs-Git to make debcheckout happy

commit aa4337b77617ecb309ef184a731c65e31fcbc97f
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 26 12:46:52 2010 -0400

    Fix CROSSCOMPILE.sh doc

commit 74e38119e8ae1ad28500e641962398859eeb0ead
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 25 20:56:24 2010 -0400

    Fixup of previous pushed patch. I used an older version by mistake that
    had one error

commit 3fcc4a7c581c766dc36acb2dd3a3b3031b898e62
Merge: 7e34a6f 5c5e1d0
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 25 20:51:20 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 7e34a6fd309ebaae46a42fd0b0726c0f26fecc78
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 25 20:51:02 2010 -0400

    updated changes

commit 348239c29e4f4b84ca53a6b9b416a4cf3c82c1f1
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 25 20:47:47 2010 -0400

    Added COMPILER_HAS_NO_PRINTF_LIKE to work around using an arm-elf
    cross compiler that fails to use PRINTF_LIKE(x). This has no effect
    unless defined in USERCOMPILE (or CFLAGS)

commit 5c5e1d05b277e40d52ed8200eec647dd060ff98f
Merge: f62010e e04cf7f
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 25 17:32:27 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit f62010eb2e5364fe51d49594b170193d7bfb5281
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 25 17:30:47 2010 -0400

    Remove a bashism for a better Debian compatibility. Thanks to Harald Jenny.

commit 790495598a6d579152e99327f60b4a40f6e2942a
Merge: 200416a e04cf7f
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Mon Oct 25 22:21:36 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit e04cf7f246cb5a794b9830fa4aaacb8591b48eea
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 25 16:18:51 2010 -0400

    updated changes

commit bec648a46690cac1281b0fd8cb0373cbdce00839
Author: James Mead <james.mead at gofreerange.com>
Date:   Mon Oct 25 16:17:12 2010 -0400

    Bug #1160 init.d script not reporting correct exit status on parse error

commit 33db54019b482ec446c12e29760234fe149bc116
Author: Paul Wouters <paul at xelerance.com>
Date:   Sat Oct 23 13:15:48 2010 -0400

    updated changes

commit 0b02a5ab6fadcdabe33b295c95e581f7a505d326
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Sat Oct 23 13:12:39 2010 -0400

    Fix for https://bugs.openswan.org/issues/1095
    
    When local esp or ah packets are marked with iptables like:
    
    Chain OUTPUT (policy ACCEPT 5080 packets, 958K bytes)
     pkts bytes target     prot opt in     out     source               destination
     5080  958K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK or 0x1
    
    packets will be rerouted due to the change of the mark in the OUTPUT
    chain. The packet appears again on the ipsec device and will be dropped
    with
    
    klips_debug:ipsec_xmit_encap_bundle: shunt SA of DROP or no eroute:
    dropping.
    
    I think there must be also an exception for local esp and ah packets
    in ipsec_tunnel_SAlookup (see patch) as for udp/500 and udp/4500. The
    problem concerns both versions 2.4 and 2.6.
    
    This was tested on kernel 2.6.22.19 and openswan 2.6.24 and openswan
    2.4.15.

commit 200416af1b4efd8643b6ba51094ab8df8e7eea47
Merge: f565faf 2964e05
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Sat Oct 23 09:27:41 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 2964e058347a1b8c2ef18ee40a36979943bef9a0
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 22 14:43:29 2010 -0400

    Fix missing brackets on saref=conntrack check

commit 5804e8391d89609d482b8d5ee130e38f2a728e15
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 22 13:34:44 2010 -0400

    Fix/workaround for https://bugzilla.redhat.com/show_bug.cgi?id=636572
    We pick the Fedora over the Debian interpretation, because we'd rather
    not start than start too often by accident

commit cf8bfa7710d824a68a1b3573d6eb0de15ed566b2
Merge: f39e73e a736ba2
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 22 12:17:52 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit a736ba293babf6706b75deaad5c69dfc32930b66
Author: Bart Trojanowski <bart at jukie.net>
Date:   Fri Oct 22 11:44:51 2010 -0400

    fix a couple uninitialized variable errors

commit f39e73e5cd49dc75eb0dbb2a11047d0d6d8eb4aa
Merge: d627b9b bdd6181
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 21 15:06:30 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit d627b9b0fefaa5852b7662670aff384e260810b6
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 21 15:05:31 2010 -0400

    Rename cross-compiler.txt -> windows-cross-compile.txt, as it is
    different from generic cross compiling (as described in CROSSCOMPILE.sh)

commit b614dae2a05f5d2a40a8638ebe6c32ca4e0e2d5b
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 21 15:04:35 2010 -0400

    Move programs/pluto/routing.txt into docs/

commit f565fafd291bf7034e13b3e50e1b142676a056cb
Merge: ab66bf1 bdd6181
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Oct 20 22:24:53 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit bdd618100e0bbb08ce7bbf6717f353b6265ac4ca
Author: Simon Deziel <simon at xelerance.com>
Date:   Wed Oct 20 15:56:51 2010 -0400

    Remove RCSIDs

commit ab66bf1783c4514f39634db655d23c483f5f2aee
Merge: cf490ed 9ef10a1
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Oct 20 21:32:54 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 9ef10a1a98febbd0144ee2e7a42c74f6e3bed33b
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Oct 20 14:04:26 2010 +1000

    IPv6/iproute2 changes from klips-ipv6 branch
    
    Bring in the iproute2 only version of this script from klips-ipv6.
    As a side effect, all IPv4/IPv6 addresses will get added to ipsecX now.
    
    Also fix a small issue with the maxmetric stuff not ignoring errors
    and then going on to do things it shouldn't be.

commit 13c93818fd16275105abdd9b4a9d1af6cd42264f
Merge: 9ecb973 b8ba950
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Oct 20 11:31:15 2010 +1000

    Merge branch 'klips-ipv6' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan into klips-ipv6
    
    Conflicts:
    	CHANGES
    	programs/pluto/Makefile.options

commit 9ecb97339ec07d1f75f70b811c3fed44efab58e4
Merge: c5cbfce 11dfbf8
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Oct 20 10:49:51 2010 +1000

    Merge branch 'master' into klips-ipv6

commit 11dfbf887846b1298dbccd7550bbd917037ee3af
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:43:31 2010 -0400

    fix merge of leak code with Simon

commit 89b2c9e5755de3235a9714d2eb38226204c29579
Merge: 114f311 b8fa29b
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:38:12 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 114f31165548de35872a06caeef2559e51b13d48
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:37:44 2010 -0400

    Change direct -DLEAK_DETECTIVE into USE_LEAK_DETECTIVE Makefile.inc option.

commit e21d91268c27e0f8869bcc75479f3112145b36d7
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:36:57 2010 -0400

    updated changes

commit b8fa29bc5ec6837e86316a847bef050374ffd537
Merge: f26d3cc 2f014c2
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Oct 19 17:29:12 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit f26d3cc6aa95f21edf48b9fa0a1798aab9788e75
Merge: b2a1d2f e98d7d4
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Oct 19 17:26:55 2010 -0400

    Fix git conflict

commit 2f014c22fe7c2a99c2b35cbe5b089323f94e6657
Merge: 0154bc8 e98d7d4
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:21:39 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan
    
    Conflicts:
    	CHANGES
    	programs/pluto/Makefile.options

commit 0154bc84d644c5b23c80fdf6378b75fa23339d5e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:08:19 2010 -0400

    updated changes

commit 6fb84a212a9c286a135cf62e4f583565c874aedf
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:07:30 2010 -0400

    LEAK_DETECTIVE was still being activated in programs/pluto/Makefile.options

commit b8ba950678210a280733876f741d538494b3daa3
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:08:19 2010 -0400

    updated changes

commit e98d7d46ecdeb8d6380418828a3dac3e5481efcd
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Oct 20 00:07:43 2010 +0300

    Update changes.

commit 887236816973efca3f262840e05bfa18aa446d17
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 19 17:07:30 2010 -0400

    LEAK_DETECTIVE was still being activated in programs/pluto/Makefile.options

commit 92442a710a4e18f72405aa699575a2cfa1123c43
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Oct 20 00:06:19 2010 +0300

    Don't enable LEAK_DETECTIVE in pluto Makefile.options.

commit b2a1d2ffb7fd283c8cacb830682ec7bfb35cca39
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 18 23:13:43 2010 -0400

    Properly enable/disable LEAK_DETECTIVE

commit 92e419543477fdd169e5f30bec411efccbf170f6
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 18 21:13:35 2010 -0400

    Make debs generated from git to have a lower version than released ones

commit c5cbfce3b708a4fb2871113fab1400afcae13a9d
Merge: cd36eff 6b2067d
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Oct 19 11:13:32 2010 +1000

    Merge branch 'master' into klips-ipv6

commit fee757fa4614cba9d61fd296187bee4c700dc7b9
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 18 21:10:02 2010 -0400

    Fix an inversion in update-rc.d arguments order

commit 6b2067d3a2cc55eaa2d2ccd290591e7b53ea66dd
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 18 19:57:07 2010 -0400

    Clean debconf DB on purge.

commit 1aa0e05728f5640f5d40e70cd302aad0e214a408
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 18 19:56:33 2010 -0400

    Add a low priority question about autostarting Openswan at boot.

commit 200c29a3c2fe8cf3eed54ed901c12526ed23299b
Merge: 66badcf 4bd27c8
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 18 13:29:50 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 66badcf7df19f461215942ef6eae932810d092d1
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 18 13:29:38 2010 -0400

    updated changes

commit 4bd27c8e12298a422fb30573b6d409fe7015a552
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 18 12:09:44 2010 -0400

    Fix a lintian override about man page long line

commit cf490ed35f5c149732179bf23eb4c36db4068bdd
Merge: f185bb9 97e25a6
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Mon Oct 18 18:00:17 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 97e25a65c4108d60aab5a2f85ce62c8e83f1a43c
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 18 11:58:11 2010 -0400

    update changes

commit aaee5c6a8d101c99693b60986d13db6c809833e4
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 18 11:57:33 2010 -0400

    Fix for OCSP compile of commit 934ce6c9443832c

commit f185bb9a453b74b7a90148313bb183043e8219d7
Merge: e9392bb bf46e61
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Mon Oct 18 17:18:59 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit bf46e619e1cdbf088cdf524b19b76470df322408
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 18 11:00:06 2010 -0400

    updated changes

commit 3b9c3920b6e0ab6c79617e174429f2988e3176ce
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 18 10:20:02 2010 -0400

    updated changes

commit 4db1bd8f8ab90e4602918dcb610a7d1e8a154b1c
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 18 10:18:43 2010 -0400

    disable LEAK_DETECTIVE. We found an issue with a double free that needs
    to be resolved before enabling it for everyone.

commit e9392bb7e52d3018bad8399e1c885bfc56919104
Merge: 5793de8 47f79f1
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Sat Oct 16 15:00:04 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 47f79f15e130b30d4565029419900a36610ff1ac
Author: Simon Deziel <simon at xelerance.com>
Date:   Fri Oct 15 20:20:17 2010 -0400

    Make the deb produced by openswan-modules-source arch-dependent

commit 5b884a844bb2b1c30f7be076beef7b16cbf2668e
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 23:04:54 2010 -0400

    left over merge marker in CROSSCOMPILE.sh

commit 1e85e61ff6ca9adee4c343c5363dbe55220e708d
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 22:26:44 2010 -0400

    update cross compile info for BLFT file format
    
    Conflicts:
    
    	CROSSCOMPILE.sh

commit 934ce6c9443832c6c2fa1a125f79712bf896b924
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 22:02:46 2010 -0400

    Split the DBG(DBG_CONTROL call in two calls, to avoid #ifdef's within the
    macro call. Some older arm compilers do not like this.

commit 3b54afdde683c8b477d754a3af0682cc7f4813d4
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 21:52:05 2010 -0400

    Example script for ARM cross compile

commit 323858f0835b328eb09ec62d0cd06b2f1f710906
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 21:44:27 2010 -0400

    remove rcs cruft

commit 8324468640c9d2d6e690eafab8d6aec1ac81d975
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 16:57:42 2010 -0400

    Enable LEAK_DETECTIVE per default.

commit 5793de8ea399b233ebb05db3df4a60778bb8bddb
Merge: 6d72efb 37645df
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Oct 14 21:28:33 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 37645df66f2f2309ece4771bbbf6635153771102
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 14 15:23:53 2010 -0400

    Update translation files. Thanks to Debian

commit 22f73bc4329c298088853a34ac6235ea4255a7db
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 14 14:42:03 2010 -0400

    Remove unused template

commit e3a8fd303976a49e7ffa669e48007e7194e5f3a5
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 14 14:05:11 2010 -0400

    Add some PHONY targets

commit 7a71a67f210b13cb90f0c737814edfa61dd687ea
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 14 13:57:41 2010 -0400

    Update various packaging recipes after the /etc/rc.d links removal

commit 6d72efb1fd50a0707526860b35a1ad425e9557c8
Merge: e6dc6ab 3cde947
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Oct 14 19:45:06 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 3cde9478e5c809c86b15e409a97d95c6b9a97010
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 13:41:33 2010 -0400

    updated changes

commit 17835b7549070266716d1d95adc6c4db29777fa9
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 13:39:53 2010 -0400

    no longer install all the rc.? directories and symlinks. These days
    distros have their own way of handling autostart, eg with chkconfig
    or similar tool.

commit e6dc6ab89eb7de616fecd45a31f3f931d1a23497
Merge: 7545c1e ef8a3de
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Oct 14 18:58:50 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit ef8a3de5cbc4064681f22aadf85c4fe8b7c6215b
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 12:36:23 2010 -0400

    updated changes

commit e21a796076b732ce36746741fe8424054f9d6dc6
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 12:35:09 2010 -0400

    updated changes

commit a82afde71f5477dfb150183260c2c96ef75c731c
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 12:33:04 2010 -0400

    Don't try to fill in the traffic selector struct in the IKEv2 child SA
    if we did not receive them.

commit f17602d894c26f40b25df125000bcf8a8fa4a2a9
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 14 10:52:03 2010 -0400

    Put Andreas his last name in the README too.

commit 7545c1e9658b32abce7b0757a748e79eeecc15b2
Merge: e3d4c14 c8e9f73
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Oct 14 11:55:11 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit cd36effbc1a2bd6af2c39781c589b6bbbc2a5165
Merge: 6ba3582 c8e9f73
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Oct 14 15:12:34 2010 +1000

    Merge branch 'master' into klips-ipv6

commit c8e9f73f8b817eae65721f64a328144d96478db3
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Oct 14 13:51:10 2010 +1000

    Incorporate suggestions from Paul

commit dbd02a9f7cddd903180528ec0c117096ba0b8cea
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 13 16:48:50 2010 -0400

    In report_leaks(), report the total number and size of leaks. Also log a
    message when no leaks were found to make it easier to grep logs for leaks even
    if none were found.

commit d01e5cf53a0b4f7a90e085f709a574645f193a0b
Merge: 28383c6 3b3789f
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 13 16:22:11 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 28383c629c9c7b55f4cd2aa327f2c3b08d523016
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 13 16:21:41 2010 -0400

    Put the report_leaks() call back where it belongs

commit 1a31a4925451e149eb6e9bd6ae6b0009fe1dc425
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 13 16:19:11 2010 -0400

    Add commented out -DLEAK_DETECTIVE option to Makefile.inc's USERCOMPILE

commit e453c360df341d72b20457bf9f89bb3c83b26b3a
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 13 15:56:25 2010 -0400

    remove rcsid

commit 36ee1996a1d8f769a96412cd310e8f9c9300e9ca
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 13 13:45:02 2010 -0400

    Add target for sarefpatch.

commit 3b3789f6d0ed0b435206031eaf72d6c81c397b94
Author: Simon Deziel <simon at xelerance.com>
Date:   Wed Oct 13 11:22:32 2010 -0400

    Do not change the runlevels on updates

commit be031c0502016a7244a6bdcbeabef190558838df
Author: Simon Deziel <simon at xelerance.com>
Date:   Wed Oct 13 11:14:14 2010 -0400

    make modclean/moduleclean will autodetect the kernel version (2.4/2.6) like make module already did.

commit 917694e9a8533e79758be077daa7a1787ba379dd
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Oct 13 22:23:45 2010 +1000

    Make README more up to date
    
    The README has been rotting for a while,  make it a little closer to
    current usage/info.

commit 2393db2b05e07613485b8601ffbbf8bda8df766c
Merge: 9337dfe a3fde3a
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 12 19:45:26 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 9337dfecca6fe827bd30acf85bfa48c8e3d53669
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 12 19:43:09 2010 -0400

    Add -D to INSTBINFLAGS so it will properly create all directories in
    case they do not exist.

commit a3fde3ad0db086a57e7f2b3c213a851bd5b10b51
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Wed Oct 13 09:27:39 2010 +1000

    Stop multiple installs and fix NOINSTALL case
    
    Setup is a special case,  we do not want to install it like other programs.
    Use NOINSTALL=true so that only our local install target is used.
    
    Fix the local install target to make any directories it may need in case you
    are installing into a clean directory, i.e.,
    
    	make programs
    	make install DESTDIR=/tmp/some_test_dir

commit 666bccf365bacaae9b80db756a7c847d7d192ec5
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 12 15:50:14 2010 -0400

    updated changes

commit 46c375f6d743a825aff2e99733ec1fc823d181c2
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 12 15:49:40 2010 -0400

    Fix for #1151: The ipsec module is not removed by 'ipsec setup stop'

commit bfff7774cc91b3badb34ac09264a2c03e14d4f31
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 12 15:28:52 2010 -0400

    update changes

commit 2687a234ca9dc3cdbe8260c9c3983f2fa5fb5c23
Author: Wolfgang Nothdurft <wolfgang at linogate.de>
Date:   Tue Oct 12 15:26:57 2010 -0400

    In a mixed environment, with both windows 7 and windows xp, xp can't
    establish the l2tp over ipsec connection because of a missing route
    to the client.  When the xp client connects, pluto uses an empty NAT_OA
    and therefore the l2tp answer packets go right through the default route.
    
    Attached is a patch that ignores the empty NAT_OA.
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit e3d4c1462312c416732b578d5bea5d1f3087af99
Merge: 51d4562 8ae2f92
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Mon Oct 11 09:51:42 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 8ae2f925768b0204b2015854ede18c54be68009c
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 11 01:04:29 2010 -0400

    Fix for libipsecconf crasher when there was an unexpected value for a known
    keyword that was rejected in the parser. The parser should not let this
    happen, but this at least avoids the assert() on addconn when one connection
    has a bad keyword, and the other connections will continue loading.
    
    (this happened with protoport=43 (eg missing "/0"))

commit 344583d6bbc5150fbb314114788fc44dda8418c5
Merge: 1f5b1ed f80d78a
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 11 00:19:55 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 1f5b1ed557cf93de97e7870713d2fb050ddf22b6
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 11 00:13:34 2010 -0400

    Make ipsec addconn --configsetup more robust when broken conns are defined.
    
    ipsec addconn would read the entire configuration file, regardless of how
    it was called. When called with the --configsetup option, it should only
    read the "conn setup" and return. To do this, confread_load() now takes an
    additional bool parameter specifying if this is a "configsetup only" call.
    
    Apart from optimising the call, I found when looking at another bug
    that caused addconn to segfault reading a regular conn, that not only the
    conn, but the entire "config setup" section options were ignored. This
    was caused by the conn breaking "ipsec addconn --configsetup". One bad
    conn could therefore cause the entire "config setup" section to be ignored.
    (I noticed when the listen= option was failing to take effect)

commit a503b2f846a87a6a7e77b76e24d98f6644c0b828
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 11 00:11:47 2010 -0400

    Fix listen= option when using NETKEY.
    
    The code I added was at the wrong location, because the inner for loop
    was actually left via an ugly goto statement, causing it to bypass the
    added IP address check for the listen= option.

commit 51d45629884d68a3fd8531f0bd8c24f5b9b47de0
Merge: 724cde1 f80d78a
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Sat Oct 9 13:50:34 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit f80d78af7d816d97445b514c706d291cd2a64d47
Merge: 3ed72b8 aea01b6
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 8 17:03:13 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan
    
    Conflicts:
    	CHANGES

commit 3ed72b87fc24528c415213773f0947beba3afaf3
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 8 17:02:47 2010 -0400

    updated changes

commit 5691d3121d9225b63bb25d8f5c44ea36f6a30b52
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 8 16:59:52 2010 -0400

    Fix for "handling event EVENT_RETRANSMIT for <invalid>"
    
    It seems when handle_timer_event() got refactored to add handle_next_timer_event(),
    and some events were also factored into their own functions (eg retransmit_v1_msg())
    that the setting of the peer variable was lost (and uninitialised variables for peer were
    added to retransmit_v1_msg() and retransmit_v2_msg()).
    
    Since these variables were only used once within debugging, they were done directly
    without assigning a peer variable. What's left in handle_timer_event() was an unused
    setting of the peer variable, which was removed.

commit 724cde1cd7644b02b69c4e9c9e15e3ed95df47c4
Merge: 264b1fa aea01b6
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Fri Oct 8 16:53:49 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 6ba3582272128514eabda2d05641b3c0b1e8d7ca
Merge: 42deeb7 aea01b6
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Oct 8 20:25:46 2010 +1000

    Merge branch 'master' into klips-ipv6

commit aea01b69b861aad45a290dd5e324ff1f0e8ad7d3
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 8 00:45:21 2010 -0400

    updated changes

commit 0501f2d37fbd4903968d397cac37f0ae3f0cda06
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 8 00:40:12 2010 -0400

    Fix for protoport=47 (no port specified in protoport=).
    
    We now set it to 0 if not specified, as that is what goes into the
    proposal.

commit c8792d81da975188937133ecb08edb18c5652974
Merge: 5b1b51d bf504d0
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 7 19:50:43 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 5b1b51d2c285399c548fb66ec84545ca06199504
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 7 18:45:58 2010 -0400

    Scalars are better accessed with []

commit e67f5322b4b25495af16596b29ef308cd5d26167
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 7 18:45:15 2010 -0400

    Fix a typo

commit 264b1fa751580256b31671f4331be3dd33275ac2
Merge: cbdb0e0 bf504d0
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Oct 7 22:34:57 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit bf504d0bf3b079638e92965a86251a36df39b4fb
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 7 16:14:39 2010 -0400

    remove report_leaks() in main mode. Report leaks assumed it is called
    in the end, after global cleanup, which is not what happens when this
    call was done (for each incoming new main mode packet)

commit f6bdb46f3d1c1253eb2a5d3a6d545347ad41bf6d
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 7 15:18:54 2010 -0400

    Add /usr/sbin to PATH to find lsof when invoked with sudo on CentOS.

commit b1b3c06e8fd4ad4719f1d71cc54a52fab85352e5
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 7 15:16:42 2010 -0400

    Added duplicate CVE's to CHANGES

commit 2a3b365d7df291c4c49a6c0418cfeacdb9aed49d
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 7 15:11:40 2010 -0400

    Test if binaries exist before trying to execute them

commit cbdb0e039c7b08b9180b1d402cf3422b33a41d3a
Merge: 2c65c3d 6c8851d
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Thu Oct 7 20:34:16 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 6c8851d45aac46ed1518cbb50ed18ca341dc6a9c
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Oct 7 13:48:41 2010 -0400

    Perl string comparison operator for equality is eq

commit b5d0d6b9a5d2582800e921cd2d57283cfa1a5025
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 7 13:33:05 2010 -0400

    Fix layout of IPsec SAref checks in "ipsec verify"

commit f7dff4e8f55ebb4a55ed296bd5acbc907673d307
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Oct 7 12:49:50 2010 -0400

    Add a list and copy of all CVE's related to openswan.

commit 7a93474f156a11a0580fa96f58c2ad93f58f1373
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 6 18:38:26 2010 -0400

    We do not want to passert() on a bad option value. Turn into assert()

commit 32b473930d60bbcb23031baa8be7d258aa6ab9e6
Merge: fbb6d54 be492d5
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 6 18:24:00 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit fbb6d54fd67ec6f5433bd9998cdd9c4b2913cc05
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 6 18:17:53 2010 -0400

    Quickfix for /proc/net/ipsec/version to be world readable.
    
    This is strange. The mode we set for this file in the proc_dir_entry
    struct for "version" is (S_IFREG | S_IRUGO). We call all files to be
    created with create_proc_entry() which also uses a mode to pass along,
    which was always 0400. Perhaps the idea is that the kernel initialises
    it to the mode passed, but then uses the mode from the struct later on?
    
    However, that does not seem to happen. As far as I can tell, proc_dir_entry->mode
    is completely ignored.
    
    This quickfix changes the mode for our create_proc_entry() entry when
    the name passed to it as arg1 is "version". I don't like this workaround.

commit 2c65c3d197d3126f817430a5258bf84e2803d8a8
Merge: 348d828 be492d5
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Oct 6 21:40:02 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit be492d59d087183eb1aed7748f4d0447b3154df8
Author: Simon Deziel <simon at xelerance.com>
Date:   Wed Oct 6 15:35:59 2010 -0400

    Update lintian overrides after man rebuild

commit 348d828f18a22d99f0deda06ee24707b77932334
Merge: dcfba54 ac6d745
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Oct 6 21:29:49 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit ac6d7453141f3d2ea195cad5ffb60f878f30613a
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 6 15:16:20 2010 -0400

    add {?dist} to Release: version for fedora spec file

commit dcfba54b3e3e33a9a8eb21ff14c6b738b211b5f4
Merge: 2081237 aee123e
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Oct 6 20:39:50 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit aee123ec4207ad2e868224f0c627bdf9d19bfc8f
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 6 14:35:37 2010 -0400

    Regenerated man pages

commit 62c9580a6d4236a7ef3bd2128a9cc78cc891136f
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 6 13:41:59 2010 -0400

    generated man file

commit ff0e035fb9adc23ca190ffd53f3ecc9a2934a665
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 6 13:29:19 2010 -0400

    updated changes

commit e1638044730b2d5f8c2d39125a8e4c48e9b5bb4a
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Oct 6 13:26:02 2010 -0400

    limit the vnet: check instantiation to CK_TEMPLATE only connections. It seemed
    in very busy cases (and possibly due to Win7 large modp group re-starting MI1)
    we could accidentally try to instantiate an instance.

commit 2081237e00dfafecadf1b3d9c9a3c261cf6bba56
Merge: 1f48eb2 390337f
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Wed Oct 6 09:43:05 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 390337fd18bb3fec8c8a7a002812f2a4035b53c3
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Oct 5 19:40:37 2010 -0400

    Fix a typo, s/sareftrackging/sareftrack/ in configuration example

commit 1fa996b7cbc0b7b7cf083d9add62306c3dfbc69f
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 18:12:17 2010 -0400

    Added example configuration for using MAST with SAref tracking

commit d34ca1755740077d71895b15e2158863480f79d5
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 18:11:58 2010 -0400

    regenerated ipsec.conf.5 man page

commit caeb03f30f5ef8cfc549b4351249663ef65a3561
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 18:04:51 2010 -0400

    fix typos in sareftrack= man page entry.

commit f811b141e033bca58253617cb0493a84372cebf5
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 17:55:59 2010 -0400

    update changes

commit 0d56e9bcb50515cbbacbc91cd450ed97eee53810
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 17:52:48 2010 -0400

    Added sareftrack= conn option. This passes (via PLUTO_SAREF_TRACKING)
    the desired processing of SArefs for ip_conntrack/iptables. Valid
    values are "no" (default), "yes" and "conntrack". Currently only
    supported on the MAST stack (and _updown.mast)

commit 2711ba08800ebd9d8dfef4376e24a7030049ab18
Merge: 3727020 100a95b
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 17:20:52 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 100a95b2827180a67aa4382cf2deed86763c843f
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 17:19:58 2010 -0400

    updated changes

commit 093e81b5f43e34ec32e9886dfc4f0ab8e15618ff
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 17:18:14 2010 -0400

    sa_policy_bit_names was missing ModeConfig DNS and WINS bit names.

commit 3727020498b8570920f7ae8c9a0e9f04a4ca6e51
Merge: d2df430 2976a12
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Oct 5 13:58:55 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 1f48eb25d0f4287953cb007d88af09daee578778
Merge: e5eed15 2976a12
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Tue Oct 5 19:43:22 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 42deeb70e0da50e8313a18749b307e35a6e023ee
Merge: cba4ae3 2976a12
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Oct 5 16:17:23 2010 +1000

    Merge branch 'master' into klips-ipv6

commit cba4ae39a6c24d5666edcd8718397459fa663b62
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Oct 5 15:41:46 2010 +1000

    Fixup mast changes from head for IPv6 and iproute2
    
    ignore errors when doing maxmetric check,  otherwise we try and run commands
    with bogus info when we should be doing nothing.
    
    convert getinterfaceinfo to use iproute2

commit 217aeb3e8728b9376d79f6d6347d4228a661f005
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Tue Oct 5 15:39:50 2010 +1000

    Add basic IPv6 updown support
    
    This seems to be enough to get simple tunnels running.
    See how it goes in the wild.

commit 2976a127b0788a9f9384942514b1de83889ac343
Merge: a1bd9ea a2ec7e7
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:58:48 2010 -0400

    Merge branch 'HEAD'; commit 'a2ec7e7a84ddd08e92f0dd1994fcdd1ed0b34774'

commit a1bd9ea67f0518fbb33635638a0e966a1f8dc708
Merge: ab6bc8f 9f4dcc6
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:58:40 2010 -0400

    Merge branch 'HEAD'; commit '9f4dcc631503e6bc3c0b383a24db2aa27207e0e8'

commit ab6bc8fcf090c9c2e9ad7b781b189d439966902c
Merge: be81168 734a770
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:58:35 2010 -0400

    Merge branch 'HEAD'; commit '734a770a783b0b72afd4e6cdc668902f926e4b2d'

commit be8116884d4a9582966a7ec1cd6cf7ebd70b1837
Merge: 8c6142d 8612644
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:58:29 2010 -0400

    Merge branch 'HEAD'; commit '8612644b3112371ba72f2f46bb0da5be1429aa04'

commit 8c6142d8d07aa10dc72ef723d1f83a3ef1d6826f
Merge: f252489 c15630c
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:58:25 2010 -0400

    Merge branch 'HEAD'; commit 'c15630ccc2b49c662b8dde9f85446d91e812dc15'

commit f252489bfdfd229dd66065d005031d301bc0bd3f
Merge: 834abe7 6310a99
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:58:16 2010 -0400

    Merge branch 'HEAD'; commit '6310a99bad5bac4c13d553da913682c7344ec86d'

commit 834abe7a0983e83da3dc2828b644725c638893ff
Merge: a3da783 13b35c1
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:58:10 2010 -0400

    Merge branch 'HEAD'; commit '13b35c171fb9f219a7862d8eab7cfeb62e5598d7'

commit a3da7836c275084dbb5f82e9db0a615063e8dd77
Merge: d13593c d2697a0
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:58:05 2010 -0400

    Merge branch 'HEAD'; commit 'd2697a0bdcd50f0d944b412db62e92a865314c5f'

commit d13593ccf44685ba7292f4cf63e8cc6da972d4f8
Merge: 4c81c8d d7adbfa
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Oct 4 19:57:53 2010 -0400

    Merge branch 'HEAD'; commit 'd7adbfaa4cc15b8919df4892a0a220e1490d1301'

commit e5eed15177e48e95392c376c1e2abb486ea973ce
Merge: 3f7c47f 4c81c8d
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Mon Oct 4 23:29:46 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 4c81c8d5017b890aee00c70c39ff7ba329b5f478
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 4 14:00:17 2010 -0400

    IPSECBASEVERSION got accidentally overwritten.

commit 6f19546e8932088c1dd8bad8a9a756c4b25e73d3
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 4 13:57:21 2010 -0400

    Add geode-aes to the list of crypto modules to load.

commit 34be68026593b79fa8ee28d9e7ed580058c874af
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 4 13:56:08 2010 -0400

    added --listen option to pluto man page

commit ea47c1bf29bd3aee05e874604bab621989b5ea2b
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 4 13:53:19 2010 -0400

    man page entry for listen= option.

commit 90df2399fb0b7254c458f46bb6c243658ed39eea
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Oct 4 12:33:13 2010 -0400

    Fix ocsp.c for HAVE_THREADS. Note the entire file should probably be
    ifdef'ed with HAVE_THREADS, since it fully depends on it. This compile
    broke by the DEBUG define changes, accidentally moving a time_t into a
    DEBUG only section.

commit 3f7c47faebc1eb19400b76453adbabcbf5033ed1
Merge: 131037b ed9cdec
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Mon Oct 4 14:45:58 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit b811e832a5850fa74cb02d09267ab26957887fae
Merge: 27b1877 ed9cdec
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Oct 4 11:37:52 2010 +1000

    Merge branch 'master' into klips-ipv6
    
    Conflicts:
    	linux/net/ipsec/ipsec_sa.c
    	linux/net/ipsec/ipsec_xmit.c

commit 27b18776321417bc8e244d0b35a177f09ece7547
Merge: c4d6ee3 b0c3803
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Mon Oct 4 11:32:31 2010 +1000

    Merge branch 'master' into klips-ipv6
    
    Conflicts:
    	linux/net/ipsec/ipsec_mast.c
    	linux/net/ipsec/ipsec_proc.c
    	linux/net/ipsec/ipsec_rcv.c
    	programs/_startklips/_startklips.in

commit ed9cdec2ab8810c1aff94d454625fb68d125261f
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 1 18:30:10 2010 -0400

    We cannot xstrdup() an empty string. passert() to give us a nicer
    backtrace. This is caused by #1148

commit 131037bffc6b05441826e1e759f6e1e928e42b11
Merge: 9f8d6a9 a5b8d90
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Fri Oct 1 20:41:06 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit a5b8d909a3bf75096ee687e5b38e052acc07e555
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 1 14:34:08 2010 -0400

    Add --listen option for pluto and scripts. This allows listening to
    only 1 IP. This is a limited implementation. It does not support
    0.0.0.0/0 or multiple IP addresses.
    
    Note: --interface claims to support an ip address, but fails trying
    to do so.

commit 442427a1868d667b4f458f09a6a5abd95868b19a
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Oct 1 14:33:33 2010 -0400

    Debug line was missing format arguments on xauthusername changing
    after filtering meta characters.

commit 9f8d6a970dfd0d196a2574b611623390fdeb4d7f
Merge: 1784794 75ee4b1
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Fri Oct 1 09:11:29 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit d2df430b69b7162a2a372f7869d91214fcca5c5c
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 22:58:21 2010 -0400

    Remove two debugging lines.

commit 5e3ed4fec8d28d14ae47598717ff6b703f0fb614
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 22:53:26 2010 -0400

    Move the -DGCC_LINT setting from programs/pluto/Makefile.options
    into Makefile.inc's USERCOMPILE. This way one can readily disable
    it (yes another arm cross compile issue:P)

commit 75ee4b10f2ce29b288cd18405247a989b5c9bfc4
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 19:59:36 2010 -0400

    Allow version to be "2" or "2.0". Since we no longer support NUMBER (float) in
    our grammar, "2.0" is now a STRING. We also remove any checks that cause us to
    abort on the version. We've had version 2/2.0 since openswan-2.0.0 and our config
    file did go through some changes. This keyword was a bit overkill.

commit dd46e31126ec37dc6213a3202a8a832d123a20fd
Merge: 98c1c86 fa0d8da
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 19:38:38 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit fa0d8dad4accc9c3a33b30ddefdb5b958ada4cba
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 18:57:27 2010 -0400

    Remove some more RCSIDs

commit f1b6ab087f866e1ce43c95b225c654e9e99dd7fe
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 18:34:27 2010 -0400

    Only check RHEL_RELEASE_CODE version when it is defined at all.

commit a2ec7e7a84ddd08e92f0dd1994fcdd1ed0b34774
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 17:59:34 2010 -0400

    Fix fr.po to specify the language

commit 9f4dcc631503e6bc3c0b383a24db2aa27207e0e8
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 17:54:03 2010 -0400

    Update the notice about USE_XAUTH flag.
    Sync compile flag of debian/rules with Makefile.inc

commit 19bf3359d0ef48f93c4816a53f3dc8834c4d7226
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 17:51:13 2010 -0400

    fix XAUTH comment

commit 734a770a783b0b72afd4e6cdc668902f926e4b2d
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 17:42:37 2010 -0400

    Remove the unused USE_BASH flag

commit 8612644b3112371ba72f2f46bb0da5be1429aa04
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 17:40:37 2010 -0400

    Add some lintian-overrides

commit c15630ccc2b49c662b8dde9f85446d91e812dc15
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 17:39:41 2010 -0400

    Fix line length for French translation.

commit 6310a99bad5bac4c13d553da913682c7344ec86d
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 13:05:10 2010 -0400

    Make lintian happy with the debian/NEWS file

commit 13b35c171fb9f219a7862d8eab7cfeb62e5598d7
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 13:04:28 2010 -0400

    Fix typo, s/preceeded/preceded/

commit d2697a0bdcd50f0d944b412db62e92a865314c5f
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 11:31:29 2010 -0400

    Fix typo, s/seperated/separated/

commit d7adbfaa4cc15b8919df4892a0a220e1490d1301
Author: Simon Deziel <simon at xelerance.com>
Date:   Thu Sep 30 10:36:35 2010 -0400

    Fix typo, s/compatability/compatibility/

commit 98c1c869cb1b0ea22d48160440b35ce9b59d1658
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 01:11:10 2010 -0400

    remove RCSID

commit a6aa70df46f0b48071523fc14ea927f200665e89
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 01:09:32 2010 -0400

    Enable LEAK_DETECTIVE in non-release code per default.

commit cb38970434ef6923767b38464f6c0e75c9b01e6f
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Sep 30 01:08:13 2010 -0400

    Fix for unused variable "ago" when netkey support is not enabled.

commit 7afb0abbabc28a6693d3b772ad41176460a4e257
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Thu Sep 30 01:07:01 2010 -0400

    Fix for use of double const modifier.

commit 336da8c6ada46f068aabd0834d0134496c9191b4
Author: Paul Wouters <paul at xelerance.com>
Date:   Thu Sep 30 00:59:01 2010 -0400

    Remove dependency on atof() which does not exist on all embedded libc's
    
    The ipsec.conf parser actually supported floats, but we have no keywords
    that can take floats. Via ascii -> float it got set to 0 anyway, instead
    of producing an error (for say keyingtries=4.5). This resolves an issue
    on an arm cross compile where the libc implementation does not have atof()
    
    Not yet fixed is the use of int instead of long for integer values. Since
    all values are converted internally to seconds, this means we cannot
    have more than a salifetime/lifetime of 0.3 days (32768 seconds)

commit d17d1bf4e035fa81264e53678e330db218576ccc
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 28 17:16:07 2010 -0400

    Added example for arm cross compile use of USERCOMPILE

commit d64f1331be5d126c19ed5824a60f016f5deab30f
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 28 13:02:09 2010 -0400

    remove spigrp_c_version

commit f52e069cb10c5218669f795bc1d399aa11fd786a
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 28 13:00:44 2010 -0400

    Remove klipsdebug_c_version variable and replace freeswan -> openswan

commit a1992b7ab58cade1f65afb1c7c56d798c3301a56
Merge: 0e0eeb0 91f2dce
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 28 12:57:56 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 91f2dce89fac3706f75fa829575bd4906c96a71e
Author: Simon Deziel <simon at xelerance.com>
Date:   Tue Sep 28 12:03:42 2010 -0400

    Remove some unused variables and rcsid.

commit 0e0eeb0504bc2c12ffdf52d30e0e6384c3e0da48
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 27 19:03:27 2010 -0400

    When no CISCO parameters we send, we were accidentally sending a non-zero
    string as value to the shell, possibly confusing the updown script, eg:
    
    PLUTO_CISCO_DNS_INFO='(null)'

commit ec31515de2d3a8fcde45aef0c59422494b4fece3
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 27 18:46:30 2010 -0400

    The rewrite of the impossible() call at commit 6c6bfaab0e did not work.
    I rewrote it to simply show what it means, which I understood to mean,
    there is no ESP/AH/IPCOMP transform found.

commit e6bc008af5ee35e09540a9e76346fdf04302c5a4
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 27 18:08:09 2010 -0400

    Log the enum_name() of the kind of secret, instead of the decimal number.
    (though we can only get here if the type is PPK_PSK)

commit 573cb103ad2f996fda2b882f58dc09f977021adf
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 27 18:07:04 2010 -0400

    Add missing cause for XAUTH lookup, though we should never reach it.

commit ed01cb590584cfa66cbd0c816ae7d35db5cbee92
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 27 11:05:40 2010 -0400

    Don't redefine linux if it was already defined, as -Wall will then
    abort on the warning.

commit 2a2194206b71a6d7ffd3dd4ae80290fb2f639d67
Author: Simon Deziel <simon at xelerance.com>
Date:   Mon Sep 27 10:01:37 2010 -0400

    Remove USE_OE leftovers

commit 178479477e96950f401c16f607441abdee362483
Merge: 409068c 5e272aa
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Mon Sep 27 07:13:28 2010 +0200

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 5e272aa26a70cb3efcf1e27750a493c8277ec32a
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Sep 26 22:12:13 2010 -0400

    The ipsec showdefaults gave a weird error that it could not "find" the
    pluto.info file, because it also tests for non-zero using "test -s".
    I extended the test to give a better clarification of the error.

commit 3cfc3686c4798bf4bda53474c15aa6a89c1fcfda
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Sep 26 22:02:08 2010 -0400

    IPSECKEY: ensure ns_t_ipseckey is defined for older arpa/nameser.h versions

commit 8c36f7ae4cc4c81f42b0471d37401c1cf8731fd5
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Sep 26 22:00:55 2010 -0400

    Remove rcsid

commit 183225034607bfc26fdb920d90b993aba701dae2
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Sep 26 21:59:50 2010 -0400

    Remove old cvs id.

commit db4d53afa8c29e49f230e804c439b1d0b634ea70
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Sep 26 21:57:16 2010 -0400

    CROSS: some old arm cross compiler lacked defines
    
    It had neither _POSIX_HOST_NAME_MAX nor HOST_NAME_MAX.
    In such case, fallback to setting it to 255.
    
    It also did not define "linux", but "__linux__". We now always set
    "linux" in the linux sysdep file.

commit 960c81a292845335c3eb1adae2b96a316a54e870
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Sep 26 13:42:23 2010 -0400

    OE_FLAG is an obsoleted unused flag.

commit 135f0dd92fccfe3de37e0346507b481f7bfd519b
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Sep 26 13:41:44 2010 -0400

    OE_FLAGS is no longer used anywhere, so USE_OE which only sets that
    flag is also obsolete.

commit 9e52dec49c731e8aecaa7f336916e505513d32d1
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 24 18:17:27 2010 -0400

    Split a macro in two, because at least one older cross compiler complained
    about:
    
    programs/pluto/connections.c:1456:1: directives may not be used inside
    a macro argument
    
    There was some #if 0 code there. I split up the macro call in two,
    as I wanted to leave the #if 0 code there.

commit 07cd1cddb68e38f26817b93dfe9c56eff5e0c7fc
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 24 13:12:41 2010 -0400

    Some linux builds (currently a cross compile of kernel 2.4.20 on an ARM)
    seem to not have "linux" defined but "__linux__". This interferes with
    our code checks that have to check whether they are being compiled as part
    of the kernel or userland.

commit b848645e32c713554e796cef066630f4d9ddd892
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 24 12:57:25 2010 -0400

    remove unused pfkey_v2_build_c_version[]

commit c1e43a2dc2f46d030f10950f1ffdac6e9755a48d
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 24 12:52:09 2010 -0400

    bogus variable name when using 2.4 kernels without HAVE_NETDEV_PRIV.
    It tried to set dev->priv to "priv_net" instead of "priv_dev"

commit 409068c3f115187b680f96b63ff3cf15f63f7d74
Author: Harald Jenny <harald at a-little-linux-box.at>
Date:   Fri Sep 24 18:43:05 2010 +0200

    fix manpage errors (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595809)

commit dd5c1a87f7032a00422135d14e1f1247b38a40c8
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 24 01:16:26 2010 -0400

    Check for CONFIG_COMPAT_NET_DEV_OPS (from openwrt patch)

commit 595ad8bea81d8170eb476262be72ec522da98cf5
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 22 11:46:55 2010 -0400

    commit e9c8e57ede76 accidentally enabled USE_LWRES. Disabled again.

commit 0ad74920fbe0d92f0df89cf6d085e1e64473d4c3
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 22 00:01:00 2010 -0400

    add duplicate bug#

commit 634ff56c0a0ff4707415a441220b8aaaf22d4ef6
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 22:44:36 2010 -0400

    The 2.6.29 tag will happen likely cut at commitid a8db8204c.
    Log all newer commits/changes entries to a new 2.6.30 entry.

commit e9c8e57ede76d09a596b1a12e9d17730a4d3a6d6
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 22:38:44 2010 -0400

    Increased PAYLIMIT from 20 to 30. This is an arbitrary value.
    (Let's hope everyone can do jumbo frames, yes :)

commit 1390f2ecd7527f7a41df2166dda5d0116e344b50
Author: root <root at bofh.xelerance.com>
Date:   Tue Sep 21 22:19:52 2010 -0400

    update changes (moved two misplaced entries and added a new one)

commit 3cdcbc1dd2bf481c294b097114ded1b1dae6ed14
Author: root <root at bofh.xelerance.com>
Date:   Tue Sep 21 22:16:12 2010 -0400

    usage() now displays accepted options and arguments.

commit 7feb11e346a3ed60b1548be2381e59bf115afba9
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 21:49:49 2010 -0400

    updated changes

commit 8d6d41f4a713813320d856ba229197b3eefb74c9
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 21:47:59 2010 -0400

    Bug #860 Port --random for newhostkey
    
    Note: newhostkey calls rsasigkey with arguments not in its man page

commit 44f11f7289549c712a46b6298ce75aea8799cbc7
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 21:29:17 2010 -0400

    updated changes

commit 34ecdcd8feecc1da52803cab9988dfb55eb14f44
Author: Mike <msh at ca.ibm.com>
Date:   Tue Sep 21 21:27:56 2010 -0400

    Bug #1005 Incorrect message "R_U_THERE_ACK has unexpected sequence number"
    
    Description
    
    There are several issues in the code that logs this message:
    
    if (!p1st->st_dpd_expectseqno && seqno != p1st->st_dpd_expectseqno) {
    
         loglog(RC_LOG_SERIOUS, "R_U_THERE_ACK has unexpected sequence number (expected: %u got: %u", seqno, p1st->st_dpd_expectseqno);
    
    "expected" and "got" are actually swapped, which makes this message
    misleading. Also this message is triggered only when st_dpd_expectseqno
    is zero, which as far as I understand means that the ACK response is
    not expected at all
    
    I have seen this message when the peer was slow and hasn't acknowledged
    R_U_THERE in time. This issue may be related to 0000996
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit 275893fd39097a27bff36224fa9809d80f68641e
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 21:04:46 2010 -0400

    updated changes

commit 389a924c7bcbe7b94f1a2b3ae3f02facc9eddd10
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 21:03:24 2010 -0400

    update changes

commit 6261788f094ba2ea7ca2786adb85a86f5c3d1b02
Author: Michael Smith <msmith at cbnco.com>
Date:   Tue Sep 21 21:02:12 2010 -0400

    Bug #1054 Startup warning: "ignored obsolete keyword (null)"
    
    With forwardcontrol=yes, ipsec_starter logs a warning on startup with
    "(null)" instead of the name of the keyword. Patch attached (I just
    cribbed the right variable reference from the "conn" block handling
    further down the file).
    
    Signed-off-by: Paul Wouters <paul at xelerance.com>

commit a811024c5f0c103075c9ab79eb650276ce211e72
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 19:20:35 2010 -0400

    updated changes

commit b4692770f7583dc41127ef1f2778a4f54c49d8ac
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 19:19:58 2010 -0400

    Fix to compile without DEBUG (bug #1040)
    
    Note: sometimes there is a reliance on NO_DEBUG, so the safe way to actually
    disable DEBUG is to change -DDEBUG to -DNO_DEBUG.
    
    Mostly fixes to DBG macros, and moving variables inside the DBG macros.
    
    Since this touched so many files, I also updated the Copyrights on these
    as based on openswan-2 git history.

commit a879754ad149851b8243413cd838b7951164395a
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 17:12:08 2010 -0400

    updated changes

commit 8837b440edb3693580d0c1801d3d24fe4a8eb296
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 16:31:23 2010 -0400

    When not compiling with DEBUG, we need to include stdlib.h for abort()
    in oswlog.h.

commit 6c6bfaab0e5e95310c6dfc1cf5c459ca243de0cc
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 16:17:48 2010 -0400

    change an if () impossible() call to a regular passert() call,
    required for working without DEBUG

commit 35b92f605f915ee9041a949f5abcae5a0927a134
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 16:05:24 2010 -0400

    A struct connection c was only used to assign and then passert()
    on the assignment. Likely a leftover when more was done.

commit 08f5ec40bc057a25241015f0506b679a52fe9b42
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 15:04:41 2010 -0400

    use ipsec_version_code() instead of old RCS based spi_c_version[]

commit 7fc30bd9999a34711d57075804fb018e2a2b958c
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 14:54:36 2010 -0400

    pexpect() was not defined to 'nothing' when -DNO_DEBUG (or rather not
    -DDEBUG) was set.

commit abe5582615fa9c66018fb8f5d044220ef4d4ef17
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 13:39:24 2010 -0400

    updated changes

commit f114db0aeae27fad744be12b3eb79780af6f91a0
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 13:32:13 2010 -0400

    remove trailing spaces in comment

commit 8c395d0bd7e9283c4189795dc8fecc0282c7399c
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 13:30:24 2010 -0400

    updated changes

commit 2187c3f40b1a22594204923b1fa9f21d74a09fca
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 13:29:29 2010 -0400

    A bunch of Makefile.inc variables could not be overridden properly.

commit 452ea3c2e8775f04c07cce80bcb28b86441aa87b
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 13:25:57 2010 -0400

    remove hardcoded -g compile flags from the ISC DNS libraries we use.

commit c3aabe9db71da860c6575abe59d1540309c85f59
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 13:22:04 2010 -0400

    updated changes

commit 5b53ac3b94d7f0fc638b31dbc254649aee392aeb
Author: Henry N <henrynmail-oswan at yahoo.de>
Date:   Tue Sep 21 13:20:05 2010 -0400

    Bug #115: Fix various warnings u_char * vs. char * for sscanf,strlen,strcpy
    unpack_txt_rdata: Fix warning "u_char *"

commit f5bca7c2e18ce2767ad69a2ea42ddd726cd28716
Author: Henry N <henrynmail-oswan at yahoo.de>
Date:   Tue Sep 21 13:18:04 2010 -0400

    Bug #115: Fix various warnings u_char * vs. char * for sscanf,strlen,strcpy
    asn1totime: Fix warning "u_char *" for sscanf

commit 0b1af88b37b0125e5b83e03a1fd4b38a2a075195
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 13:12:02 2010 -0400

    updated changes

commit 0860d1457e3a96632be1452d8e2b0aa93e18c7f3
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 13:07:58 2010 -0400

    Fix for warnings of unused variables "a" and "b" in
    compatible_overlapping_connections()  when KLIPS is not defined.
    
    This was done by adding .overlap_supported = FALSE to all non-mast
    supported kernel_ops structs.

commit f56adef2fb3ac27fe55059679d531cac6ec2f9eb
Author: Henry N <henrynmail-oswan at yahoo.de>
Date:   Tue Sep 21 13:07:02 2010 -0400

    Fix for bug #1112: Prototypes only, if function enabled in c-source with
                       KLIPS or PFKEY

commit f045e5fe4b259d7b45aef9da00d146f422f75bf6
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 21 00:05:20 2010 -0400

    Added back a CONFIG_KLIPS_DEBUG wrapper around a debug line in
    ipsec_sa_init()

commit 2442d0e2307d9d7a0985e1893d048c1b54292d6b
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 20 21:12:12 2010 -0400

    Remove the MODECFG defines around the Cisco code for now, as to not
    make it more inconsistent.

commit cb41e44f122b2cacdde4453c5129c4b3667e0ee1
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 20 20:30:06 2010 -0400

    updated changes

commit c86144ad44780fdfb78cfdc9fcb7344e65956eb2
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 20 20:29:33 2010 -0400

    Add SAref checks to ipsec verify

commit 7c25097648a086c6d4760c35be8904498efbeca0
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 20 20:12:22 2010 -0400

    fix indent

commit a8db8204cb6f585bfdb6c089f127b67d22adb504
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 20 18:14:41 2010 -0400

    updated CHANGES with references to 2 CVE's

commit 5b9b0b5443445ce3bf62f87d88e81149749b555a
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 20 17:38:09 2010 -0400

    flowi mark fix for rhel5 based 2.6.18 kernels. KLIPS now compiles and
    works again on RHEL5 kernels.

commit 694b0811ecd6ac01e36f8ecc896387b4e7ef2cdd
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Mon Sep 20 10:29:26 2010 -0400

    Yup.  Fascinating that it didn't crash before since there ought to
    have been a dereferencing of a null pointer.  No, wait: only in the
    case of needle, not haystack.

commit 6752cb35463a7feddb019c114dd0eac1ef0a6e4c
Author: root <root at bofh.xelerance.com>
Date:   Mon Sep 20 00:49:37 2010 -0400

    Revert "Fix compiling klips for 2.6.18 based redhat kernel (they backported"
    
    This reverts commit 084b1e9bf0600bda4701d2461c273b9cae2d1e97.

commit 07ab2b28aea60b908728560a6097b6d8990e55a7
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 20 00:33:35 2010 -0400

    updated changes

commit 084b1e9bf0600bda4701d2461c273b9cae2d1e97
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Sep 20 00:32:25 2010 -0400

    Fix compiling klips for 2.6.18 based redhat kernel (they backported
    the 2.6.20 nfmark -> mark change)

commit db56045e37de667f018406b2a81fce6a45a3d5d1
Author: Paul Wouters <paul at xelerance.com>
Date:   Sun Sep 19 15:03:49 2010 -0400

    updated changes

commit 877454be8cefbba4ab63ccaa06109e7d9ea127a5
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 15:01:18 2010 -0400

    Remainder of grubb-fixes.git.diff affecting files not mentioned in
    the email thread.

commit ddc92b1f8059bfdc4131fdc55c4d3d304567397a
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 15:00:23 2010 -0400

    | In programs/pluto/ocsp.c at line 61 is an array of 6 strings. In
    | ./programs/pluto/ocsp.h, it shows that STATUS_UNAUTHORIZED is 6. note that it
    | skips the number 4. So this means that at line 1342, it's potentially
    | dereferencing beyond the string array. I would suggest adding an empty string
    | for what used to be #4.
    
    Right.
    
    Fixed.

commit 615110de0098f9398024d8ab548fe5563c5086f0
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 15:00:02 2010 -0400

    | In programs/pluto/ikev1_aggr.c at line 1092 is a return, but at line 1093
    | cur_state is set to NULL. Are they out of order?
    
    I would have expected gcc to warn of that.
    
    They look to be out of order so I've reversed them.
    
    This code should never be executed so it probably never has been.

commit 49feceddec9c2f62408d92cebd68c48c45f03a45
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:59:09 2010 -0400

    | In programs/pluto/ike_alg.c at line 118, errbuf is assigned to errp. It is an
    | auto variable with a scope for just that function. Any use of that pointer
    | will be invalid for any callers.
    
    Yes.
    
    And the snprintf call seems to reflect a misunderstanding of the
    length parameter.
    
    And the return_on macro has flaws: references to parameters are not
    protected with parens; the ugly do while idiom is used, but with a
    semicolon at the end, defeating the purpose.  In each invocation, the
    first argument is "ret", so it would be clearer and simpler to wire it
    in.  In fact, the macro seems hardly worth the bother.
    
    The buffer needs to be allocated by the caller OR use the heap.
    There are two callers.
    
    One (spdb_v1_struct.c line 1142) ignores the returned value
    (immediately overwriting it).  So it should pass in NULL so that the
    value isn't returned.  (Perhaps it should not ignore the returned
    value.)
    
    I've allocated the buffer as an auto in the caller and passed it into
    ike_alg_enc_ok.

commit 5aead4fae24b07c7980eba95b0c8e04a5bcef3a3
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:57:29 2010 -0400

    | In programs/pluto/ikev2.c at line 807, agreed_time is checked to be non-zero.
    | At line 760 it was set to false and has not been changed. Therefore it never
    | enters the if statement's true path.
    
    Right.
    
    That code seems to have been copied and mutated from ikev1.c.  The
    mutation wasn't complete.  I'd deleted the dead code.  There is a
    slight chance that that isn't what was intended, but this will not
    cause a change from current behaviour.

commit 851f699b201c68e05fe8a5712360c3c1f36fde28
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:57:02 2010 -0400

    | In programs/pluto/ipsec_doi.c at line 514, there is an array of IDTOA_BUF
    | size. At line 516, len is checked for its size and if too big, set to
    | IDTOA_BUF. At line 519, this becomes idbuf[IDTOA_BUF]='\0'; which is 1 more
    | than the array should hold.
    
    Right.
    
    That code is confused.  It has more than one off-by-one error.
    
    It isn't even clear why it bothers to copy the value into the buffer.
    It is used only for logging, and an appropriate format effector would
    eliminate the need for the copy.
    
    Fixed.

commit 202e6e08fd1b17cbdd8a76925aea8f7c96f15412
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:56:28 2010 -0400

    | In programs/pluto/connections.c at line 637, the test for id_obrackets to be
    | non-NULL will always be true since it's initialized to an empty string. The test
    | is probably not needed.
    
    Right.  Deleted.
    
    | At line 830, cached_cert is checked to see if it's not 0. It's initialized to 0
    | and never changed. All use of that variable is suspect because it's never
    | changed anywhere.
    
    Agreed.
    
    Since there is no loop in this function and "cert" is an auto
    variable, it is hard to imagine how this could be a cache.
    
    I've removed this logic.

commit 96837fb61e5602d4c6984f6e3a920fcd79e3c92c
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:17:52 2010 -0400

    | In programs/showpolicy/showpolicy.c at line 185, cbuf is assigned to a
    | variable that is outside the scope of cbuf. At line 215, it's used after cbuf
    | is out of scope.
    
    Right.
    
    Easy to fix: move the use inside the scoping braces.
    
    I adjusted some other scoping at the same time.

commit e8454d6b64b3f4b16a2dd8bde06dedafcad958f0
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:17:16 2010 -0400

    | In lib/libipsecconf/virtif.c at line 249, n>=0 will always be true because n
    | is unsigned it. I suspect this test is not needed or incorrect.
    
    I deleted it since I could think of no purpose for even a variant of
    it.

commit 0694f55c63ab1368ceba809abbd7c123f50caee6
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:16:38 2010 -0400

    | In lib/libipsecconf/oeconns.c at line 534, the if statement will always be
    | false.
    
    Yeah.  connerr is useless.  I deleted connerr and this useless code.

commit 6587e4c0d55e3b7d338e2ac81d227e74ff7394a0
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:16:15 2010 -0400

    | lib/libipsecconf/starterwhack.c line 264 is unreachable code. I would remove
    | the else clause.
    
    Right. [fixed]

commit 3e9cd095205f2ccefc8c2ac26ebf74a54e6d2216
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 14:15:46 2010 -0400

    | In lib/libwhack/aliascomp.c at line 37, needle is checked to see if it's NULL.
    | But at line 34, it was used. This would have crashed the program if it were
    | NULL.
    
    Right.  Since (I take it) this code has never crashed, the NULL check
    should just be deleted.

commit 92e1f968396df3be7e605ecb9ea96f74446b282e
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Sun Sep 19 13:37:43 2010 -0400

    |  In linux/net/ipsec/pfkey_v2_debug.c at line 128, sadb_type is checked to see
    | if it's less than K_SADB_MAX. K_SADB_MAX is 19. At line 129, it returns a
    | pointer of the indexed location in pfkey_sadb_type_strings. There are only 17
    | elements in the array. So, it's possible to have a pointer to the 19th string
    | which does not exist.
    
    That initializer was wrong.  It didn't account for the fact that the
    sequence of enums isn't contiguous.  I've fixed that.

commit 3044ef746f9ccb30264cc386897265b60b267d13
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Sep 17 21:13:05 2010 +0300

    Fix install to work.

commit 86cc1aa690dbdfe85228a78c6733f9a3d0e89826
Merge: d07ab6d b0c3803
Author: Tuomo Soini <tis at foobar.fi>
Date:   Fri Sep 17 21:12:46 2010 +0300

    Merge branch 'master' into tis-fixes

commit b0c3803842fe6dea7ed44d5a6ea2aa615da2b79e
Merge: b447b70 90831b7
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Sep 17 15:20:13 2010 +1000

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 90831b721abb7808ab4fc4398a9e399a9f976de3
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 17 01:03:59 2010 -0400

    updated changes

commit 5feeffbc408eba176bf3e731305d9c14dcf81414
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri Sep 17 00:44:45 2010 -0400

    XAUTH: Avoid potential buffer overflow in cisco_dns_info
    XAUTH: Improve buffer overflow fix for cisco_domain_info/server_banner
    XAUTH: Fix possible single quote shell abuse with received Cisco parameters
           being passed to the shell (for _updown)
    
    If more than 50 bytes of caddr payloads were received in modecfg_inR1(), it
    would overflow cisco_dns_info[50].
    
    Remove first_dns_flag variable use.
    
    The xauth variables now go through a new (static) function cisco_stringify()
    to turn the received bytestream into a string. This also logs these options
    and also calls sanitize_string() on them, and removes single quotes to avoid
    these being passed wrongly to the _updown variables passed to the shell.
    
    Properly malloc/pfree cisco_dns_info, cisco_domain_info and server_banner to
    avoid any static buffer sizes.
    
    Properly use XAUTH and MODECFG #ifdef's
    
    Removed two useless calls to set strings to NULL at end of xauth_pam_conv()
    
    Ensure dnshostname is initialised to NULL.

commit f1288e844b430d1a5fba650013148e14f3006ac8
Author: Paul Wouters <paul at xelerance.com>
Date:   Fri Sep 17 00:42:36 2010 -0400

    Use clone_str(), not strdup() so that LEAK_DETECTIVE can find leaks of
    these strings in vendor.c

commit 76b9646aceea62b542fbfc72eb6d9adaa65e012a
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri Sep 17 00:41:55 2010 -0400

    Fix for GCC warning in whack_log() when not using a format string.

commit aac47658e84bdf0746991fb327a4a37f9f137589
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Fri Sep 17 00:40:52 2010 -0400

    XAUTH: log a warning when we change the xauthusername
    
    When specifying leftxauthname=, the name is run through remove_metachar()
    but we did not log a warning if we modified the username.

commit b447b708e6a8fcb80162d1bf6ff5a9f519f5fc52
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Sep 17 10:36:53 2010 +1000

    Fix up some hardcoded /etc/ipsec.conf references
    
    Switch to using IPSEC_CONFS path for some remaining hardcoded
    /etc/ipsec.conf references.

commit f4e3e5af7db6938fd6497a61e2f57d97e9620836
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Sep 17 10:28:42 2010 +1000

    Build setup at build time,  not install time
    
    Setup has its own special install target,  rather than
    have setup get built at "install" time,  just use the NOINSTALL
    option so that we can add our own install target but still build it.
    
    That way openswan users who do not use "install" still get everything built :-)

commit 0a996a6b09b5053836c8ad9e755ceb1c7e7e384a
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Sep 17 10:23:01 2010 +1000

    Fix ipcomp SA setup for netkey
    
    We were always adding a cipher SA of some kind,  even when we were doing
    IPCOMP setup,  this would result in EINVAL logs from pluto while trying
    to setup the SA's.

commit d936d4042d112902047f993aa44550d051c5800f
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Fri Sep 17 10:20:05 2010 +1000

    fix put on a sock that was not initialised
    
    In the error case,  sock may not be initialised and we call sockfd_put
    on it.

commit c4d6ee3e6dcee8882b0f765da3274884a832ec35
Author: David McCullough <david_mccullough at mcafee.com>
Date:   Thu Sep 16 15:58:00 2010 +1000

    Fix iphdr length
    
    A line of code went missing in the IPv6 work and stopped IPCOMP
    from working (under IPv4) because it relies on the ipsec header length
    when trimming the SKB.  Symptoms were short packets coming out of ipsecX
    when IPCOMP was active.

commit 10ae9b9f7ec5ba5908853adfa3775bece493f2ce
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 15 16:07:31 2010 -0400

    Added CVE to CHANGES

commit 4cc97c1869ef0e9d6bcb213113f6ea958f5fb183
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 15 16:05:27 2010 -0400

    updated changes

commit d07ab6d7a902d0459693f3e960dd8bb42e98c1e0
Merge: 6277664 3a6891b
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Sep 15 23:03:23 2010 +0300

    Merge branch 'master' into tis-fixes

commit 3c291c2bb514804c7c54ed168bcfbaa0691af98d
Merge: 0cb2347 0bb7e93
Author: Bart Trojanowski <bart at jukie.net>
Date:   Wed Sep 15 16:03:10 2010 -0400

    Merge branch 'master' of ssh://vault.xelerance.com/xelerance/MASTER/git-master/openswan

commit 0bb7e939545a21fda336585b74a289006839b0f9
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 15 15:57:12 2010 -0400

    Fix minimum nss requirements to avoid rhbz#453577

commit c90381e0c140a8977203321f140706f778b52e36
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 15 15:54:51 2010 -0400

    Revert "Openswan did not compile with HAVE_NSS due to a nspr bug that is"
    
    This reverts commit 6c8ff2791d13a4c56cbf8c5f76b2a3f519341c9a.

commit 0cb23470f52c2a2602bfc91be642a9475e19b6d5
Author: Bart Trojanowski <bart at jukie.net>
Date:   Wed Sep 15 14:56:43 2010 -0400

    add /proc/net/ipsec/saref to report saref support
    
    # cat /proc/net/ipsec/saref
    refinfo patch applied
    bindref patch applied
    saref enabled

commit d1df9278fd543947c15eca6f75e3e0092139ae9f
Author: Bart Trojanowski <bart at jukie.net>
Date:   Wed Sep 15 13:57:07 2010 -0400

    pass klips.ko build version to modinfo

commit 07533e7bf4ecc48d4156342c22a80b53a8eaaf86
Author: Bart Trojanowski <bart at jukie.net>
Date:   Wed Sep 15 12:23:39 2010 -0400

    change IPSECVERSION to use git-describe if at all possible
    
    Old version format looked like this: 2.6.master-201037.git-g73a41c9d-dirty
    New version format looks like this:  2.6.29rc1-12-g3359614-dirty
    
    The advantage of this form is that it tells us we are building OS
    12 commits after the v2.6.29rc1 tag, and that the new version can
    be used in git commands (like git log v2.6.29rc1-12-g3359614).
    
    Building from a tarball is unaffected.

commit 94ebb0f394d013a20c7fa86cab44d891f7019c84
Author: Bart Trojanowski <bart at jukie.net>
Date:   Wed Sep 15 11:40:24 2010 -0400

    use @IPSECVERSION@ as a replacement pattern

commit 10fbef5f38943356f22439b6d0b97b524982e7f0
Author: Bart Trojanowski <bart at jukie.net>
Date:   Mon Sep 13 14:03:59 2010 -0400

    fill in the SA and SRC address in ipsec_rcv_auth_init() error message
    
    this commit tries to avoid a scenario where the irs->ipsaddr_txt and irs->sa
    are blank and result in this error message:
    
    KLIPS klips_debug:ipsec_rcv: SA: (error), src= of pkt does not agree with expected SA source address policy.

commit 3a6891bdf91f44b7a4ab281be74d78e90241182d
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 15 01:09:55 2010 -0400

    updated changes

commit 20a8ae4a7a50d3cc100334d5a0851043c71e2c25
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 14 23:51:50 2010 -0400

    NETKEY: Fix for spurious kernel acquires landing us wrongly into
            opportunistic code. [paul/dhr]
    
    NETKEY is sending bogus acquire messages sometimes when used with
    transport mode and L2TP (protoport 17/1701). These seem mostly triggered
    by Windows and OSX clients. The acquire is notify of a %hold message in
    the kernel. pluto then failed to match the acquire to a connection (there
    was no matching on-demand tunnel or opportunistic connection) and would
    install a "failsafe" %pass eroute. Unfortunately, the transport_proto
    argument (17) was not set in this replacement eroute, and so we would
    end up with a (bogus) %pass eroute, and a non-deleted netlink-acquire
    %hold invisible to pluto.
    
    In cannot_oppo() where we detect this failure, we now properly call
    replace_bare_shunt() with the "delete" argument for the %hold.
    
    A similar transport_proto mismatch in clear_narrow_holds() is fixed too.

commit 1979f4e109dbbda6cf084b7da8080d3066f17d3a
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 14 23:51:03 2010 -0400

    transport_proto is actually used, remove the UNUSED qualifier

commit 4cf2894e1e0045910468d16793ceb61623306121
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 14 23:47:44 2010 -0400

    pexpect() claimed to be passert(). Also changed the message to signify
    that pexpect() is non-fatal.

commit 23468f1368404f6a93323218200302c13c81ceb8
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 14 23:44:29 2010 -0400

    Change comments on kernel debug - later should be fixed to use one
    unified name (DBG_KAPI?)

commit 0c5be90e13f6631f1c22dabf008e63f0cd927eff
Author: D. Hugh Redelmeier <hugh at mimosa.com>
Date:   Tue Sep 14 23:39:55 2010 -0400

    XAUTH: Avoid potential buffer overflow in CISCO BANNER/DEF_DOMAIN
    
    Where are CISCO_BANNER and CISCO_DEF_DOMAIN specified? RFC or Draft?
    What are their maximum allowed length? Are they supposed to be nul
    terminated? Are they not sent in ISAKMP attributes with a specified
    length in the isakmp attribute? Is strncpy appropriate?

commit 4c61ca4a8b5d39665ee13d2cd0dc9df1cd2af117
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 8 15:54:43 2010 -0400

    updated changes

commit beecf78ac1c5cabd99d8da33b8712a6ef9025883
Author: Bart Trojanowski <bart at jukie.net>
Date:   Wed Sep 8 15:43:25 2010 -0400

    a better workaround for rp_filter
    
    rp_filter follows the guidelines of RFC 1812 and drops incoming packets that
    don't seem to make sense.  The particular test that KLIPS, in mast mode,
    had problems with dropped packets that arrived on an interface to which
    a reply packet would not be routed to.  For example, packet arrives on mast0,
    if we reverse the src and dst addresses, we should route that packet back
    through mast0.  Because of the iptables + policy routing tricks mast
    plays, we don't get that.
    
    This commit does the following:
     - packets arriving from a tunnel, and thus having skb->dev == mast0, will
       have the nfmark set to the SA they arrived on, along with the top bit set.
    
     - updown script now installs two ip-rules:
         from all iif mast0 lookup main
         from all fwmark 0x80000000/0x80000000 lookup 50
       the first one is new, and it sends all packets that arrive from a tunnel
       through the main table, and as before the nfmarked packets go through
       table 50.
    
     - rp_filter will reset the skb->nfmark unless we tell it that the interface
       set that mark.  We do this by setting the src_valid_mark to something
       arbitrary.  In our case we set it to 0x80000000.
    
    All this to make rp_filter happy once more.

commit e62fdf120b0e29f13875de3733e99f5e31207597
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 8 00:02:58 2010 -0400

    updated changes

commit 62763205d6093a369961ef9be2cc6f4953d7fb71
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Wed Sep 8 00:01:16 2010 -0400

    [IKEv2] Fix for using MD5 and PRF conversion function.

commit d58d1a34b808c0fd699f522ae25f10b7b78f0bb4
Author: Paul Wouters <paul at xelerance.com>
Date:   Tue Sep 7 14:23:10 2010 -0400

    updated changes

commit 0b07ac31fe65c6f884f795facc7c58a5b1032fa1
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Tue Sep 7 14:21:24 2010 -0400

    bz621790: Support for SHA2_256 is missing in the current Openswan IK