- add a list of interface pairs to --status output.
- replace signal(2) calls with sigaction(2) calls: glibc has further broken the semantics of signal(2). We want slow system calls to be interruptible and not be restarted.
- improved error message for lack of preshared key by showing IDs that were used in lookup. Collateral tidying.
- documented complex logic of routing and erouting in routing.txt
- When a connection is --routed, a route is installed to direct outbound packets destined for the peer's client to go to the ipsec interface implicit in the connection. This is not allowed for Road Warrior connections -- they are strictly inbound. For Opportunistic connections, a new default route is installed that points to the ipsec interface. Note that the route does not take into account the source address. In addition, a TRAP shunt eroute is installed to catch any traffic sent on the not-yet-initiated connection.
- When an outbound packet is trapped by the TRAP shunt eroute, Pluto attempts to initiate the corresponding connection. If the attempt fails because an Opportunistic connection was used and no gateway information was found, a PASS shunt eroute is installed (with no provision for automatic removal).
- if negotiation fails at a later point, a shunt eroute is installed. The kind of shunt is a policy decision. It is specified as part of the connection. (Untested; cannot be specified in ipsec.conf.)
- When an inbound negotiation doesn't match a specific connection, and there is an Opportunistic connection, Pluto will try to respond using that connection.
- Every 2 minutes (SHUNT_SCAN_INTERVAL seconds), Pluto scans for
  + PASS eroutes that it installed that haven't been used recently. These will be deleted.
  + HOLD eroutes for which Pluto hasn't received a PFKEY_ACQUIRE message. For any it finds, it will attempt an opportunistic initiate.
- We no longer allow Phase 1 negotiations that we initiate to switch which connection is being used based on the Peer's Phase 1 ID. The fact that we used to do so was probably a bug.
- When Pluto as the Responder receives the Peer's Phase 1 ID, it is now willing to use a connection with a different ID and private RSA key for our end. Nothing has committed us to the current guess.
- Changes in internal data structures to aid in better tracking of history of attempted and successful communication. Needed for effective Opportunism.
  + struct host_pair represents information about pairs of hosts.
  + "Orientation" is done as soon as possible rather than as late as possible.
  + an arbitrary number of Quick Mode negotiations may now queue for the completion of a Main Mode negotiation. Formerly, a negotiation could only use a previously completed Keying Channel.

Changes since 1.8 release by D. Hugh Redelmeier <hugh@mimosa.com>

- [Svenning Soerensen] correct check requiring OAKLEY_LIFE_TYPE attribute before OAKLEY_LIFE_DURATION.
- Improved whack diagnostics for various cases of failure to connect with Pluto.
- Added function state_with_serialno to allow a serial number to be used as a safe reference to a state object. This avoids the risk of dangling pointers.
- Add crude support for PF_KEY SADB_ACQUIRE messages from the kernel. These cause the initiation of opportunistic negotiation.
- More processing of PF_KEY messages from the kernel. We check that each message we send to the kernel elicits a response. Other messages are queued to be processed at the head of the event loop.
- Fix bug in find_client_connection. The manifestation is a Pluto segfault when a negotiation successfully gets to Phase 2, but there is no connection with the appropriate clients AND there is no wildcarded connection using our same host interface (not even an inappropriate one).
- Purely internal change: simplify EVENT_SO_DISCARD logic.
- Accept GROUP_DESCRIPTION in IPCA (IPcomp SA) proposal. Although this SHOULD NOT appear according to draft-shacham-ippcp-rfc2393bis-05.txt 4.1, it should harmlessly help interoperation.
- Adjust to whether KLIPS supports IPCOMP. If it does not, ignore --compress policy flag in Connections. So Pluto would then neither propose nor accept IPCOMP transforms.

Changes since 1.7 release by D. Hugh Redelmeier <hugh@mimosa.com>

- Allow IPcomp transformations to use "well known CPIs". This perversion allows better interoperation.
- Added rather experimental code to exploit IP_RECVERR. This facility allows us to report who refuses our packets when they are refused. I don't understand the documentation of the mechanism, hence the experimental nature of our use of it. Our code is pretty ugly too.
- [Svenning Soerensen] found a bug in the calculation of the verb for the updown script and proposed a fix. The -host suffix was being used when the client subnet contained only one IP address, even if that address was not of the host.
- [Svenning Soerensen] Allow Phase 1 ID Payloads of type FQDN and user@FQDN to specify UDP/500 explicitly as per RFC2407 (IPSEC DOI) 4.6.2.
- When responding in Quick Mode, after switching to an appropriate connection based on the ID payloads, copy the connection's IPSEC policy flags into the state object. Do this before consulting these flags.
- --status output now indicates when a connection is an instance of another. "POLICY_" has been removed from the display of each policy flag, reducing clutter. An extra space has been added to further indent lines in the --status report.
- Fixed a bug in displaying subnets in the error message "cannot respond to IPsec SA request..."
- In SA proposals, accept CPIs that are 4 bytes too, as long as the high order 2 bytes are 0.
- bug fix: no longer allocate tunnel SPIs below IPSEC_DOI_SPI_OUR_MIN.
- Added recognition (not support) for new Assigned Numbers for AES and friends.

Changes since 1.6 release by D. Hugh Redelmeier <hugh@mimosa.com>

- only accept a proposal with compression if the connection has the POLICY_COMPRESSION flag. Normally, these flags don't affect what we propose. In this case, we need this control since our IPCOMP implementation has a history of crashing.
- Fixed nasty bug in connections.c:fc_try(). For a Quick Mode exchange, if Pluto picked a connection as a starting point that had no peer client, it would not accept any proposed peer client. On the other hand, if it picked a connection with a peer client, it would not accept any proposal without a peer client.

Changes since 1.5 release by D. Hugh Redelmeier <hugh@mimosa.com>

- added a global pluto option --uniqueids. If this is enabled, whenever a new ISAKMP SA is established, any connections with the same Peer Id but different Peer IP address are unoriented, blowing away any of their SAs. This should help eliminate dangling Road Warrior connections when the same Road Warrior reconnects. It thus requires that IDs not be shared by hosts (a previously legal but probably useless capability).
- introduced clearer notation:
  + --host %any signifying any IP address, for Road Warrior, replacing 0.0.0.0 or 0::0
  + --nexthop %direct signifying "same IP as peer", replacing 0.0.0.0 or 0::0
  + %any and %any6 as indices in ipsec.secrets to match IP addresses of Road Warriors (replacing 0.0.0.0 or 0::0)
  + --host %opportunistic signifying that the peer is actually to be discovered from the reverse DNS entry for the peer's client. This replaces --host 0.0.0.0 --client 0.0.0.0/32 (and IPv6 variants).
- be more strict about Phase 2 ID payloads (the ones that specify clients): reject if they specify protocol or port (which we do not support).
- Remove support for Diffie Hellman MODP 768 Group. Increase support for MODP 1536 Group.
- Remove NO_RSA option -- patent expired!!
- Improve support for newer resolvers.
- [initially from Svenning Soerensen <svenning@post5.tele.dk>] support IPcomp (compression)
- [mostly Gerhard Gessler <gessler@iabg.de>] initial support for IPv6.
- As part of the IPv6 support, changes were made to the Pluto/updown interface. See pluto(8) for the details. One oft-requested feature is the new PLUTO_*_CLIENT environment variables. The changes are "upward compatible", so the PLUTO_VERSION environment variable setting was changed from 1.0 to 1.1. Unfortunately, this will break many customized updown scripts.
- Prototype support for initiating and responding to opportunistic negotiation. A connection is considered for instantiation for opportunism if it has a peer of %opportunistic (the connection description must not specify a client for the peer). Currently, the only way to provoke an opportunistic initiation is to use whack to simulate the interception of an outbound flow (do a "whack --help" and look at opportunistic initiation). These features are not documented because they are experimental. Limitations: no actual interception of packets, DNS query synchronous.
- in ipsec.secrets, if multiple entries are the best match for the connection, they must all have the same secret. In the past there was no code to compare RSA keys, so separate RSA entries were assumed to be different. Now they are compared.
- Introduce now() to protect against clock being set backwards. The risk is that events might be delayed a lot. Still no protection against clock being moved forward.
- Don't "discover" interfaces that share IP addresses with others. This avoids an assertion failure. Eventually, Pluto will have to ask KLIPS about interfaces.
- prevent infinite loop decoding certain malformed DNS records
- explain "Phase 1", "Phase 2", "Main Mode", and "Quick Mode"
- fiddled with "max number of retransmissions" diagnostic to add a bit of explanation.

Changes since 1.4 release by D. Hugh Redelmeier <hugh@mimosa.com>

- reorganized how messages are logged. More of the serious messages are distinguished with the code RC_LOG_SERIOUS and hence should make it through ipsec auto's filter.
- Reserve Message IDs only within their ISAKMP SA. This eliminates the unbounded memory requirement when reserving them per peer.
- Pluto's retransmission logic has been improved:
  + the initial retransmission occurs after 10 seconds of silence, down from 30 seconds. The theory is that this will ungum a lost-packet situation more quickly
  + the delay after each retransmission is twice the delay before it -- exponential backoff
  + In the special case of the first message initiating Main Mode, when --keyingtries is 0 (meaning unlimited retries), Pluto will attempt more retransmissions at the same rate (no exponential backoff). This cuts down on the pointless busywork while a peer isn't responding.
- Pluto will no longer generate SPIs in the range 0x100-0xFFF. This has the effect of reserving this range for manual keying. Of course Pluto will still allow its peer to use this range.
- Fixed another bug in Road Warrior support. In responding to Phase 2 / Quick Mode, once the client subnets (if any) are known, Pluto must reselect which connection to use. If it didn't happen to be using the right one already, and no ID was explicitly specified for the peer, and the right one is a Road Warrior connection, the right one would not be found.

Changes since 1.3 release by D. Hugh Redelmeier <hugh@mimosa.com>

- Pluto can now acquire a public key from DNS. It must be told to do so. Hint: --pubkeyrsa is optional when specifying keyid.
- On the Responder, if a connection is to be routed, and the peer has a client that is a fixed subnet, and that subnet is already routed for other connections, and that route conflicts, Pluto will unorient the old connections (deleting the SAs that depend on the old route) on the theory that they have been superseded. Too bad we can't otherwise tell when a connection is outdated.
- Support for netlink has been removed. We always use PFKEYV2. Pluto no longer #includes any kernel headers!
- Added a TODO file
- Road Warrior support is unconditionally included. No more need to define ROAD_WARRIOR_FUDGE.
- Fixed bug preventing Road Warrior connections being instantiated during the connection reselection prompted by receipt of Phase 1 ID Payload [Kai Martius <kai@secunet.de>]. Fixed bug that caused Phase 1 ID to be ignored by connection reselection prompted by receipt of Phase 2 client IDs.

Changes since 1.2 release by D. Hugh Redelmeier <hugh@mimosa.com>

- fixed deficiencies in id handling
- changed to use updown script for routing (and firewalling)
- In Quick Mode, when Responder, avoid selecting same SPIs as initiator. This prevents KEYMAT being the same in both directions. See Ferguson and Schneier: "A Cryptographic Evaluation of IPsec", http://www.counterpane.com/ipsec.pdf, 5.6 #2.
- In Quick Mode, when Responder, install inbound IPsec SA one message earlier. This eliminates the chance of a message being sent before the SA is established.
- slight complication to RSA private key lookup rules to allow match to an entry with multiple identities for the host.
- support per-connection debugging flags
- more use of PFKEY (RGB+DHR)
- inbound SAs are now spigrped and an inbound IPIP SA is created if tunneling is used. This is more symmetric with outbound processing and it allows KLIPS to check that the correct SAs are all applied.
- The way SA lifetime limits are proposed and accepted is better documented. whack now complains when a specified value exceeds the
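The sigaction(2) entry at the top of this file wants slow system calls to be interruptible rather than silently restarted. As an added example that is not Pluto's code, the following installs a SIGALRM handler with SA_RESTART left clear and shows a blocking read(2) on an empty pipe returning -1/EINTR; the function and variable names are assumed for the demonstration.

```c
/* Added example (not Pluto's code): explicit signal semantics via
 * sigaction(2), so the behaviour does not depend on glibc's signal(2). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>

static volatile sig_atomic_t got_signal = 0;

static void on_signal(int signo)
{
    (void)signo;
    got_signal = 1;          /* only async-signal-safe work in a handler */
}

/* restart_syscalls == 0 leaves SA_RESTART clear: blocking calls such as
 * read(2) or select(2) return -1 with errno == EINTR so the event loop
 * notices the signal. With SA_RESTART set, the kernel would resume the
 * call and the loop would never see it (the signal(2) behaviour avoided). */
int install_handler(int signo, int restart_syscalls)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = restart_syscalls ? SA_RESTART : 0;
    return sigaction(signo, &sa, NULL);
}

/* Block in read(2) on a pipe nobody writes to, arm a one-shot 200 ms
 * SIGALRM, and return the errno the interrupted read produced
 * (0 if it unexpectedly returned data, -1 on setup failure). */
int interrupted_read_errno(void)
{
    int fds[2];
    char buf[1];
    struct itimerval t = { {0, 0}, {0, 200000} };  /* interval 0, value 0.2 s */
    ssize_t n;
    int err;

    if (pipe(fds) != 0 || install_handler(SIGALRM, 0) != 0)
        return -1;
    got_signal = 0;
    setitimer(ITIMER_REAL, &t, NULL);
    n = read(fds[0], buf, sizeof buf);     /* blocks until SIGALRM arrives */
    err = (n < 0) ? errno : 0;             /* expected: EINTR */
    close(fds[0]);
    close(fds[1]);
    return err;
}
```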