PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.

Fix my previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).

Improve DPD sequence checks to allow any reply within valid sequence window
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.

Remove initial-contact entry when all ISAKMP-SA are purged via adminport.
This will avoid stale security associations if some of the delete
notifications happens to get lost.

When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
select the phase1 for rekeying the new phase2.

Get rid of the evil CMPSADDR macro. Trac #295.

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.

branches: 1.19.2;
Detect if monotonic system clock is available, and use it for relative
time measurements to avoid complite hang if time jumps backwards.

Introduce vendorid bitmask that can be used otherwhere to detect peer
capabilities.

From Arnaud Ebalard:
Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.

branches: 1.16.4;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.

Change struct sched to be allocated be the caller to avoid some memory
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.

Handle RESPONDER-LIFETIME notification in quick mode.

Clean up notification payload handling. Handle INITIAL-CONTACT notification
in last main mode exchange (delayed) and during quick mode exchanges.

branches: 1.12.4;
Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.

branches: 1.11.2;
added an 'established' arg to getph1byaddr()

Add support for nat-t oa payload handling. Submitted by Timo Teras.

branches: 1.9.2; 1.9.4; 1.9.6; 1.9.10; 1.9.14;
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Merge ipsec-tools 0.6.3 import

Update to ipsec-tools 0.6.1

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.

Add a prototype for getph2bysaddr(), fixes build problem for isakmp.c.

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that
multiple SA can be used in transport mode

While I'm there, patch ipsec-tools ChangeLog to reflect the changes we
took from ipsec-tools-0_6-branch

Fix simple DES support (security problems for racoon to racoon setups)
Fix broken generated policies flush

branches: 1.1.1;
Initial revision

Fix my previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).

Improve DPD sequence checks to allow any reply within valid sequence window
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.

Remove initial-contact entry when all ISAKMP-SA are purged via adminport.
This will avoid stale security associations if some of the delete
notifications happens to get lost.

When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
select the phase1 for rekeying the new phase2.

Get rid of the evil CMPSADDR macro. Trac #295.

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.

branches: 1.19.2;
Detect if monotonic system clock is available, and use it for relative
time measurements to avoid complite hang if time jumps backwards.

Introduce vendorid bitmask that can be used otherwhere to detect peer
capabilities.

From Arnaud Ebalard:
Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.

branches: 1.16.4;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.

Change struct sched to be allocated be the caller to avoid some memory
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.

Handle RESPONDER-LIFETIME notification in quick mode.

Clean up notification payload handling. Handle INITIAL-CONTACT notification
in last main mode exchange (delayed) and during quick mode exchanges.

branches: 1.12.4;
Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.

branches: 1.11.2;
added an 'established' arg to getph1byaddr()

Add support for nat-t oa payload handling. Submitted by Timo Teras.

branches: 1.9.2; 1.9.4; 1.9.6; 1.9.10; 1.9.14;
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Merge ipsec-tools 0.6.3 import

Update to ipsec-tools 0.6.1

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.

Add a prototype for getph2bysaddr(), fixes build problem for isakmp.c.

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that
multiple SA can be used in transport mode

While I'm there, patch ipsec-tools ChangeLog to reflect the changes we
took from ipsec-tools-0_6-branch

Fix simple DES support (security problems for racoon to racoon setups)
Fix broken generated policies flush

branches: 1.1.1;
Initial revision

Migrate ipsec-tools CVS to cvs.netbsd.org

Update ipsec-tools to 0.6.1rc1
Most of the changes since 0.6b4 have already been committed to the NetBSD
tree. This upgrade fixes some IPcomp and NAT-T related problems that were
left unadressed in the NetBSD tree.

branches: 1.1.1.2.2;
Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version
according to ipsec-tools' ChangeLog:

2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>

* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
* src/racoon/isakmp.c: do not reject addresses for which kernel
refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)

2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>

* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h

2005-02-18 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
related DELETE_SA
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>

From Fred Senault <fred.letter@lacave.net>
* src/racoon/remoteconf.c: Fix a bug in script init

2005-02-17 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-15 Michal Ludvig <michal@logix.cz>

* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN

Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS)
ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many
enhancements.

Apply patch (requested by manu in ticket #981):
Update ipsec-tools to version 0.6.3.

Apply patch (requested by tron in ticket #741):
Update ipsec-tools to version 0.6.1.

Pull up revision 1.5 (requested by manu in ticket #278):
Add a prototype for getph2bysaddr(), fixes build problem for isakmp.c.

Pull up revision 1.4 (requested by manu in ticket #277):
More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

Pull up revision 1.3 (requested by manu in ticket #274):
on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that
multiple SA can be used in transport mode
While I'm there, patch ipsec-tools ChangeLog to reflect the changes we
took from ipsec-tools-0_6-branch

Pull up revision 1.2 (requested by manu in ticket #179):
Fix simple DES support (security problems for racoon to racoon setups)
Fix broken generated policies flush

Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).

sync with HEAD

sync with HEAD

added an 'established' arg to getph1byaddr()

Sync with netbsd-4.

Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).

sync with head.

Sync with wrstuden-revivesa-base-2.

Apply patch (requested by manu/spz in #378):
Downgrade ipsec-tools to 0.7.1nb1.

Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html