Use strict prototypes, when they don't introduce more warnings than they fix.
Also localify a few functions.

Remove unused variables.

branches: 1.28.40;
From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix various typos in
comments and log messages. Fix default port used in copy_ph1addresses().

From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix memory leaks from
configuration reading code, and clean up error handling.

branches: 1.26.6;
avoid some memory leaks / free memory access when reloading conf and have inherited config. patch from Roman Hoog Antink <rha@open.ch>

free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink <rha@open.ch>

free spspec when deleting a rmconf struct. patch by Roman Hoog Antink <rha@open.ch>

fixed some memory leaks in remoteconf. patch by Roman Hoog Antink <rha@open.ch>

From Roman Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename
the functions, and remove unneeded global variable.

branches: 1.21.2;
fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection

fix by Sergio.Gelato (at) astro.su.se: duplicate some dynamic values in duprmconf()

added a specific script hook when a dead peer is detected

Change remote conf matching level to matching score. This way one can
override anonymous certificate block config with more exact "inhereted"
IP specific block.

fixed address check in rmconf_match_type(), just check address with wildcard port

Have an enum for rmconf_match_type() return values to make the code a bit
more readable.

Get rid of the evil CMPSADDR macro. Trac #295.

When casting to/from a pointer to an integral type (a bad practice,
if you ask me), you need to cast via intptr_t for portability.

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.

branches: 1.12.4; 1.12.6;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.

branches: 1.10.12; 1.10.14;
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

branches: 1.9.4;
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
libipsec interface for adding and updating security associations.

branches: 1.8.2;
From Matthew Grooms:
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Merge ipsec-tools 0.6.3 import

Update to ipsec-tools 0.6.1

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.

When altering the lifetime, don't modify to configured proposal, duplicate
it instead.

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

branches: 1.1.1;
Initial revision

From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix various typos in
comments and log messages. Fix default port used in copy_ph1addresses().

From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix memory leaks from
configuration reading code, and clean up error handling.

branches: 1.26.6;
avoid some memory leaks / free memory access when reloading conf and have inherited config. patch from Roman Hoog Antink <rha@open.ch>

free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink <rha@open.ch>

free spspec when deleting a rmconf struct. patch by Roman Hoog Antink <rha@open.ch>

fixed some memory leaks in remoteconf. patch by Roman Hoog Antink <rha@open.ch>

From Roman Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename
the functions, and remove unneeded global variable.

branches: 1.21.2;
fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection

fix by Sergio.Gelato (at) astro.su.se: duplicate some dynamic values in duprmconf()

added a specific script hook when a dead peer is detected

Change remote conf matching level to matching score. This way one can
override anonymous certificate block config with more exact "inhereted"
IP specific block.

fixed address check in rmconf_match_type(), just check address with wildcard port

Have an enum for rmconf_match_type() return values to make the code a bit
more readable.

Get rid of the evil CMPSADDR macro. Trac #295.

When casting to/from a pointer to an integral type (a bad practice,
if you ask me), you need to cast via intptr_t for portability.

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.

branches: 1.12.4; 1.12.6;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.

branches: 1.10.12; 1.10.14;
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

branches: 1.9.4;
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
libipsec interface for adding and updating security associations.

branches: 1.8.2;
From Matthew Grooms:
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Merge ipsec-tools 0.6.3 import

Update to ipsec-tools 0.6.1

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.

When altering the lifetime, don't modify to configured proposal, duplicate
it instead.

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

branches: 1.1.1;
Initial revision

Migrate ipsec-tools CVS to cvs.netbsd.org

Import IPsec-tools 0.6.3. This fixes several bugs, including bugs that
caused DoS.

Update ipsec-tools to 0.6.1rc1
Most of the changes since 0.6b4 have already been committed to the NetBSD
tree. This upgrade fixes some IPcomp and NAT-T related problems that were
left unadressed in the NetBSD tree.

branches: 1.1.1.3.2;
Updated ipsec-tools:

2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>

* src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5}
src/racoon/remoteconf.c: When running in privsep mode, check that
private key and script paths match those given in the path section.

2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>

* src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize
RADIUS accounting at startup
* src/racoon/privsep.c: fix minor bug in PAM cleanup
* src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used

2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>

* configure.ac: handle correctly dynamic libradius
* src/racoon/cfparse.y: correctly initialize address pool

Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version
according to ipsec-tools' ChangeLog:

2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>

* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
* src/racoon/isakmp.c: do not reject addresses for which kernel
refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)

2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>

* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h

2005-02-18 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
related DELETE_SA
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>

From Fred Senault <fred.letter@lacave.net>
* src/racoon/remoteconf.c: Fix a bug in script init

2005-02-17 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-15 Michal Ludvig <michal@logix.cz>

* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN

Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS)
ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many
enhancements.

Apply patch (requested by manu in ticket #981):
Update ipsec-tools to version 0.6.3.

Apply patch (requested by tron in ticket #741):
Update ipsec-tools to version 0.6.1.

Pull up revision 1.3 (requested by manu in ticket #337):
When altering the lifetime, don't modify to configured proposal, duplicate
it instead.

Pull up revision 1.2 (requested by manu in ticket #277):
More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).

branches: 1.8.2.2.2;
Pull up following revision(s) (requested by manu in ticket #830):

Import ipsec-tools 0.7

branches: 1.8.2.1.2;
Upgrade ipsec-tools to 0.7-beta3 (Requested by manu in ticket #634).

Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).

Sync with netbsd-4.

Sync w/ NetBSD-4-RC_1

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.

use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

file remoteconf.c was added on branch matt-mips64 on 2007-07-18 12:07:53 +0000

Sync w/ -current. 34 merge conflicts to follow.

Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html

Apply patch (requested by manu/spz in #378):
Downgrade ipsec-tools to 0.7.1nb1.

Sync with HEAD

Sync with HEAD

sync with head