field | value | date |
---|---|---|
author | Martin Willi <martin@strongswan.org> | 2006-05-16 14:24:03 +0000 |
committer | Martin Willi <martin@strongswan.org> | 2006-05-16 14:24:03 +0000 |
commit | f2c2d395ff756505be10b9d3e8420af498f33cc2 | |
tree | 7202a334e20710bab1d0b3e848ecc964168ccf5f /NEWS | |
parent | eedfdfbe6e15ecc724eca705688472e8be73afec | |
download | strongswan-f2c2d395ff756505be10b9d3e8420af498f33cc2.tar.bz2 strongswan-f2c2d395ff756505be10b9d3e8420af498f33cc2.tar.xz | |
- introduced autotools
- first working version
- make dist should work
- things to do:
  - UML testing!
  - more cleanups
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 712 |
1 files changed, 712 insertions, 0 deletions
@@ -0,0 +1,712 @@ + +- new build environment featuring autotools. Features such + as HTTP, LDAP and smartcard support may be enabled using + the ./configure script. Changing install directories + is possible, too. See ./configure --help for more details. + +strongswan-4.0.0 +---------------- + +- initial support of the IKEv2 protocol. Connections in + ipsec.conf designated by keyexchange=ikev2 are negotiated + by the new IKEv2 charon keying daemon whereas those marked + by keyexchange=ikev1 or the default keyexchange=ike are + handled thy the IKEv1 pluto keying daemon. Currently only + a limited subset of functions are available with IKEv2 + (Default AES encryption, authentication based on locally + imported X.509 certificates, unencrypted private RSA keys + in PKCS#1 file format, limited functionality of the ipsec + status command). + + +strongswan-2.7.0 +---------------- + +- the dynamic iptables rules from the _updown_x509 template + for KLIPS and the _updown_policy template for NETKEY have + been merged into the default _updown script. The existing + left|rightfirewall keyword causes the automatic insertion + and deletion of ACCEPT rules for tunneled traffic upon + the successful setup and teardown of an IPsec SA, respectively. + left|rightfirwall can be used with KLIPS under any Linux 2.4 + kernel or with NETKEY under a Linux kernel version >= 2.6.16 + in conjuction with iptables >= 1.3.5. For NETKEY under a Linux + kernel version < 2.6.16 which does not support IPsec policy + matching yet, please continue to use a copy of the _updown_espmark + template loaded via the left|rightupdown keyword. + +- a new left|righthostaccess keyword has been introduced which + can be used in conjunction with left|rightfirewall and the + default _updown script. By default leftfirewall=yes inserts + a bi-directional iptables FORWARD rule for a local client network + with a netmask different from 255.255.255.255 (single host). 
+ This does not allow to access the VPN gateway host via its + internal network interface which is part of the client subnet + because an iptables INPUT and OUTPUT rule would be required. + lefthostaccess=yes will cause this additional ACCEPT rules to + be inserted. + +- mixed PSK|RSA roadwarriors are now supported. The ISAKMP proposal + payload is preparsed in order to find out whether the roadwarrior + requests PSK or RSA so that a matching connection candidate can + be found. + + +strongswan-2.6.4 +---------------- + +- the new _updown_policy template allows ipsec policy based + iptables firewall rules. Required are iptables version + >= 1.3.5 and linux kernel >= 2.6.16. This script obsoletes + the _updown_espmark template, so that no INPUT mangle rules + are required any more. + +- added support of DPD restart mode + +- ipsec starter now allows the use of wildcards in include + statements as e.g. in "include /etc/my_ipsec/*.conf". + Patch courtesy of Matthias Haas. + +- the Netscape OID 'employeeNumber' is now recognized and can be + used as a Relative Distinguished Name in certificates. + + +strongswan-2.6.3 +---------------- + +- /etc/init.d/ipsec or /etc/rc.d/ipsec is now a copy of the ipsec + command and not of ipsec setup any more. + +- ipsec starter now supports AH authentication in conjunction with + ESP encryption. AH authentication is configured in ipsec.conf + via the auth=ah parameter. + +- The command ipsec scencrypt|scdecrypt <args> is now an alias for + ipsec whack --scencrypt|scdecrypt <args>. + +- get_sa_info() now determines for the native netkey IPsec stack + the exact time of the last use of an active eroute. This information + is used by the Dead Peer Detection algorithm and is also displayed by + the ipsec status command. + + +strongswan-2.6.2 +---------------- + +- running under the native Linux 2.6 IPsec stack, the function + get_sa_info() is called by ipsec auto --status to display the current + number of transmitted bytes per IPsec SA. 
+ +- get_sa_info() is also used by the Dead Peer Detection process to detect + recent ESP activity. If ESP traffic was received from the peer within + the last dpd_delay interval then no R_Y_THERE notification must be sent. + +- strongSwan now supports the Relative Distinguished Name "unstructuredName" + in ID_DER_ASN1_DN identities. The following notations are possible: + + rightid="unstructuredName=John Doe" + rightid="UN=John Doe" + +- fixed a long-standing bug which caused PSK-based roadwarrior connections + to segfault in the function id.c:same_id() called by keys.c:get_secret() + if an FQDN, USER_FQDN, or Key ID was defined, as in the following example. + + conn rw + right=%any + rightid=@foo.bar + authby=secret + +- the ipsec command now supports most ipsec auto commands (e.g. ipsec listall). + +- ipsec starter didn't set host_addr and client.addr ports in whack msg. + +- in order to guarantee backwards-compatibility with the script-based + auto function (e.g. auto --replace), the ipsec starter scripts stores + the defaultroute information in the temporary file /var/run/ipsec.info. + +- The compile-time option USE_XAUTH_VID enables the sending of the XAUTH + Vendor ID which is expected by Cisco PIX 7 boxes that act as IKE Mode Config + servers. + +- the ipsec starter now also recognizes the parameters authby=never and + type=passthrough|pass|drop|reject. + + +strongswan-2.6.1 +---------------- + +- ipsec starter now supports the also parameter which allows + a modular structure of the connection definitions. Thus + "ipsec start" is now ready to replace "ipsec setup". + + +strongswan-2.6.0 +---------------- + +- Mathieu Lafon's popular ipsec starter tool has been added to the + strongSwan distribution. Many thanks go to Stephan Scholz from astaro + for his integration work. ipsec starter is a C program which is going + to replace the various shell and awk starter scripts (setup, _plutoload, + _plutostart, _realsetup, _startklips, _confread, and auto). 
Since + ipsec.conf is now parsed only once, the starting of multiple tunnels is + accelerated tremedously. + +- Added support of %defaultroute to the ipsec starter. If the IP address + changes, a HUP signal to the ipsec starter will automatically + reload pluto's connections. + +- moved most compile time configurations from pluto/Makefile to + Makefile.inc by defining the options USE_LIBCURL, USE_LDAP, + USE_SMARTCARD, and USE_NAT_TRAVERSAL_TRANSPORT_MODE. + +- removed the ipsec verify and ipsec newhostkey commands + +- fixed some 64-bit issues in formatted print statements + +- The scepclient functionality implementing the Simple Certificate + Enrollment Protocol (SCEP) is nearly complete but hasn't been + documented yet. + + +strongswan-2.5.7 +---------------- + +- CA certicates are now automatically loaded from a smartcard + or USB crypto token and appear in the ipsec auto --listcacerts + listing. + + +strongswan-2.5.6 +---------------- + +- when using "ipsec whack --scencrypt <data>" with a PKCS#11 + library that does not support the C_Encrypt() Cryptoki + function (e.g. OpenSC), the RSA encryption is done in + software using the public key fetched from the smartcard. + +- The scepclient function now allows to define the + validity of a self-signed certificate using the --days, + --startdate, and --enddate options. The default validity + has been changed from one year to five years. + + +strongswan-2.5.5 +---------------- + +- the config setup parameter pkcs11proxy=yes opens pluto's PKCS#11 + interface to other applications for RSA encryption and decryption + via the whack interface. Notation: + + ipsec whack --scencrypt <data> + [--inbase 16|hex|64|base64|256|text|ascii] + [--outbase 16|hex|64|base64|256|text|ascii] + [--keyid <keyid>] + + ipsec whack --scdecrypt <data> + [--inbase 16|hex|64|base64|256|text|ascii] + [--outbase 16|hex|64|base64|256|text|ascii] + [--keyid <keyid>] + + The default setting for inbase and outbase is hex. 
+ + The new proxy interface can be used for securing symmetric + encryption keys required by the cryptoloop or dm-crypt + disk encryption schemes, especially in the case when + pkcs11keepstate=yes causes pluto to lock the pkcs11 slot + permanently. + +- if the file /etc/ipsec.secrets is lacking during the startup of + pluto then the root-readable file /etc/ipsec.d/private/myKey.der + containing a 2048 bit RSA private key and a matching self-signed + certificate stored in the file /etc/ipsec.d/certs/selfCert.der + is automatically generated by calling the function + + ipsec scepclient --out pkcs1 --out cert-self + + scepclient was written by Jan Hutter and Martin Willi, students + at the University of Applied Sciences in Rapperswil, Switzerland. + + +strongswan-2.5.4 +---------------- + +- the current extension of the PKCS#7 framework introduced + a parsing error in PKCS#7 wrapped X.509 certificates that are + e.g. transmitted by Windows XP when multi-level CAs are used. + the parsing syntax has been fixed. + +- added a patch by Gerald Richter which tolerates multiple occurrences + of the ipsec0 interface when using KLIPS. + + +strongswan-2.5.3 +---------------- + +- with gawk-3.1.4 the word "default2 has become a protected + keyword for use in switch statements and cannot be used any + more in the strongSwan scripts. This problem has been + solved by renaming "default" to "defaults" and "setdefault" + in the scripts _confread and auto, respectively. + +- introduced the parameter leftsendcert with the values + + always|yes (the default, always send a cert) + ifasked (send the cert only upon a cert request) + never|no (never send a cert, used for raw RSA keys and + self-signed certs) + +- fixed the initialization of the ESP key length to a default of + 128 bits in the case that the peer does not send a key length + attribute for AES encryption. 
+ +- applied Herbert Xu's uniqueIDs patch + +- applied Herbert Xu's CLOEXEC patches + + +strongswan-2.5.2 +---------------- + +- CRLs can now be cached also in the case when the issuer's + certificate does not contain a subjectKeyIdentifier field. + In that case the subjectKeyIdentifier is computed by pluto as the + 160 bit SHA-1 hash of the issuer's public key in compliance + with section 4.2.1.2 of RFC 3280. + +- Fixed a bug introduced by strongswan-2.5.1 which eliminated + not only multiple Quick Modes of a given connection but also + multiple connections between two security gateways. + + +strongswan-2.5.1 +---------------- + +- Under the native IPsec of the Linux 2.6 kernel, a %trap eroute + installed either by setting auto=route in ipsec.conf or by + a connection put into hold, generates an XFRM_AQUIRE event + for each packet that wants to use the not-yet exisiting + tunnel. Up to now each XFRM_AQUIRE event led to an entry in + the Quick Mode queue, causing multiple IPsec SA to be + established in rapid succession. Starting with strongswan-2.5.1 + only a single IPsec SA is established per host-pair connection. + +- Right after loading the PKCS#11 module, all smartcard slots are + searched for certificates. The result can be viewed using + the command + + ipsec auto --listcards + + The certificate objects found in the slots are numbered + starting with #1, #2, etc. 
This position number can be used to address + certificates (leftcert=%smartcard) and keys (: PIN %smartcard) + in ipsec.conf and ipsec.secrets, respectively: + + %smartcard (selects object #1) + %smartcard#1 (selects object #1) + %smartcard#3 (selects object #3) + + As an alternative the existing retrieval scheme can be used: + + %smartcard:45 (selects object with id=45) + %smartcard0 (selects first object in slot 0) + %smartcard4:45 (selects object in slot 4 with id=45) + +- Depending on the settings of CKA_SIGN and CKA_DECRYPT + private key flags either C_Sign() or C_Decrypt() is used + to generate a signature. + +- The output buffer length parameter siglen in C_Sign() + is now initialized to the actual size of the output + buffer prior to the function call. This fixes the + CKR_BUFFER_TOO_SMALL error that could occur when using + the OpenSC PKCS#11 module. + +- Changed the initialization of the PKCS#11 CK_MECHANISM in + C_SignInit() to mech = { CKM_RSA_PKCS, NULL_PTR, 0 }. + +- Refactored the RSA public/private key code and transferred it + from keys.c to the new pkcs1.c file as a preparatory step + towards the release of the SCEP client. + + +strongswan-2.5.0 +---------------- + +- The loading of a PKCS#11 smartcard library module during + runtime does not require OpenSC library functions any more + because the corresponding code has been integrated into + smartcard.c. Also the RSAREF pkcs11 header files have been + included in a newly created pluto/rsaref directory so that + no external include path has to be defined any longer. + +- A long-awaited feature has been implemented at last: + The local caching of CRLs fetched via HTTP or LDAP, activated + by the parameter cachecrls=yes in the config setup section + of ipsec.conf. The dynamically fetched CRLs are stored under + a unique file name containing the issuer's subjectKeyID + in /etc/ipsec.d/crls. 
+ +- Applied a one-line patch courtesy of Michael Richardson + from the Openswan project which fixes the kernel-oops + in KLIPS when an snmp daemon is running on the same box. + + +strongswan-2.4.4 +---------------- + +- Eliminated null length CRL distribution point strings. + +- Fixed a trust path evaluation bug introduced with 2.4.3 + + +strongswan-2.4.3 +---------------- + +- Improved the joint OCSP / CRL revocation policy. + OCSP responses have precedence over CRL entries. + +- Introduced support of CRLv2 reason codes. + +- Fixed a bug with key-pad equipped readers which caused + pluto to prompt for the pin via the console when the first + occasion to enter the pin via the key-pad was missed. + +- When pluto is built with LDAP_V3 enabled, the library + liblber required by newer versions of openldap is now + included. + + +strongswan-2.4.2 +---------------- + +- Added the _updown_espmark template which requires all + incoming ESP traffic to be marked with a default mark + value of 50. + +- Introduced the pkcs11keepstate parameter in the config setup + section of ipsec.conf. With pkcs11keepstate=yes the PKCS#11 + session and login states are kept as long as possible during + the lifetime of pluto. This means that a PIN entry via a key + pad has to be done only once. + +- Introduced the pkcs11module parameter in the config setup + section of ipsec.conf which specifies the PKCS#11 module + to be used with smart cards. Example: + + pkcs11module=/usr/lib/pkcs11/opensc-pkcs11.lo + +- Added support of smartcard readers equipped with a PIN pad. + +- Added patch by Jay Pfeifer which detects when netkey + modules have been statically built into the Linux 2.6 kernel. + +- Added two patches by Herbert Xu. The first uses ip xfrm + instead of setkey to flush the IPsec policy database. The + second sets the optional flag in inbound IPComp SAs only. 
+ +- Applied Ulrich Weber's patch which fixes an interoperability + problem between native IPsec and KLIPS systems caused by + setting the replay window to 32 instead of 0 for ipcomp. + + +strongswan-2.4.1 +---------------- + +- Fixed a bug which caused an unwanted Mode Config request + to be initiated in the case where "right" was used to denote + the local side in ipsec.conf and "left" the remote side, + contrary to the recommendation that "right" be remote and + "left" be"local". + + +strongswan-2.4.0a +----------------- + +- updated Vendor ID to strongSwan-2.4.0 + +- updated copyright statement to include David Buechi and + Michael Meier + + +strongswan-2.4.0 +---------------- + +- strongSwan now communicates with attached smartcards and + USB crypto tokens via the standardized PKCS #11 interface. + By default the OpenSC library from www.opensc.org is used + but any other PKCS#11 library could be dynamically linked. + strongSwan's PKCS#11 API was implemented by David Buechi + and Michael Meier, both graduates of the Zurich University + of Applied Sciences in Winterthur, Switzerland. + +- When a %trap eroute is triggered by an outgoing IP packet + then the native IPsec stack of the Linux 2.6 kernel [often/ + always?] returns an XFRM_ACQUIRE message with an undefined + protocol family field and the connection setup fails. + As a workaround IPv4 (AF_INET) is now assumed. + +- the results of the UML test scenarios are now enhanced + with block diagrams of the virtual network topology used + in a particular test. + + +strongswan-2.3.2 +---------------- + +- fixed IV used to decrypt informational messages. + This bug was introduced with Mode Config functionality. + +- fixed NCP Vendor ID. + +- undid one of Ulrich Weber's maximum udp size patches + because it caused a segmentation fault with NAT-ed + Delete SA messages. 
+ +- added UML scenarios wildcards and attr-cert which + demonstrate the implementation of IPsec policies based + on wildcard parameters contained in Distinguished Names and + on X.509 attribute certificates, respectively. + + +strongswan-2.3.1 +---------------- + +- Added basic Mode Config functionality + +- Added Mathieu Lafon's patch which upgrades the status of + the NAT-Traversal implementation to RFC 3947. + +- The _startklips script now also loads the xfrm4_tunnel + module. + +- Added Ulrich Weber's netlink replay window size and + maximum udp size patches. + +- UML testing now uses the Linux 2.6.10 UML kernel by default. + + +strongswan-2.3.0 +---------------- + +- Eric Marchionni and Patrik Rayo, both recent graduates from + the Zuercher Hochschule Winterthur in Switzerland, created a + User-Mode-Linux test setup for strongSwan. For more details + please read the INSTALL and README documents in the testing + subdirectory. + +- Full support of group attributes based on X.509 attribute + certificates. Attribute certificates can be generated + using the openac facility. For more details see + + man ipsec_openac. + + The group attributes can be used in connection definitions + in order to give IPsec access to specific user groups. + This is done with the new parameter left|rightgroups as in + + rightgroups="Research, Sales" + + giving access to users possessing the group attributes + Research or Sales, only. + +- In Quick Mode clients with subnet mask /32 are now + coded as IP_V4_ADDRESS or IP_V6_ADDRESS. This should + fix rekeying problems with the SafeNet/SoftRemote and NCP + Secure Entry Clients. + +- Changed the defaults of the ikelifetime and keylife parameters + to 3h and 1h, respectively. The maximum allowable values are + now both set to 24 h. + +- Suppressed notification wars between two IPsec peers that + could e.g. be triggered by incorrect ISAKMP encryption. 
+ +- Public RSA keys can now have identical IDs if either the + issuing CA or the serial number is different. The serial + number of a certificate is now shown by the command + + ipsec auto --listpubkeys + + +strongswan-2.2.2 +---------------- + +- Added Tuomo Soini's sourceip feature which allows a strongSwan + roadwarrior to use a fixed Virtual IP (see README section 2.6) + and reduces the well-known four tunnel case on VPN gateways to + a single tunnel definition (see README section 2.4). + +- Fixed a bug occuring with NAT-Traversal enabled when the responder + suddenly turns initiator and the initiator cannot find a matching + connection because of the floated IKE port 4500. + +- Removed misleading ipsec verify command from barf. + +- Running under the native IP stack, ipsec --version now shows + the Linux kernel version (courtesy to the Openswan project). + + +strongswan-2.2.1 +---------------- + +- Introduced the ipsec auto --listalgs monitoring command which lists + all currently registered IKE and ESP algorithms. + +- Fixed a bug in the ESP algorithm selection occuring when the strict flag + is set and the first proposed transform does not match. + +- Fixed another deadlock in the use of the lock_certs_and_keys() mutex, + occuring when a smartcard is present. + +- Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event. + +- Fixed the printing of the notification names (null) + +- Applied another of Herbert Xu's Netlink patches. + + +strongswan-2.2.0 +---------------- + +- Support of Dead Peer Detection. The connection parameter + + dpdaction=clear|hold + + activates DPD for the given connection. + +- The default Opportunistic Encryption (OE) policy groups are not + automatically included anymore. Those wishing to activate OE can include + the policy group with the following statement in ipsec.conf: + + include /etc/ipsec.d/examples/oe.conf + + The default for [right|left]rsasigkey is now set to %cert. 
+ +- strongSwan now has a Vendor ID of its own which can be activated + using the compile option VENDORID + +- Applied Herbert Xu's patch which sets the compression algorithm correctly. + +- Applied Herbert Xu's patch fixing an ESPINUDP problem + +- Applied Herbert Xu's patch setting source/destination port numbers. + +- Reapplied one of Herbert Xu's NAT-Traversal patches which got + lost during the migration from SuperFreeS/WAN. + +- Fixed a deadlock in the use of the lock_certs_and_keys() mutex. + +- Fixed the unsharing of alg parameters when instantiating group + connection. + + +strongswan-2.1.5 +---------------- + +- Thomas Walpuski made me aware of a potential DoS attack via + a PKCS#7-wrapped certificate bundle which could overwrite valid CA + certificates in Pluto's authority certificate store. This vulnerability + was fixed by establishing trust in CA candidate certificates up to a + trusted root CA prior to insertion into Pluto's chained list. + +- replaced the --assign option by the -v option in the auto awk script + in order to make it run with mawk under debian/woody. + + +strongswan-2.1.4 +---------------- + +- Split of the status information between ipsec auto --status (concise) + and ipsec auto --statusall (verbose). Both commands can be used with + an optional connection selector: + + ipsec auto --status[all] <connection_name> + +- Added the description of X.509 related features to the ipsec_auto(8) + man page. + +- Hardened the ASN.1 parser in debug mode, especially the printing + of malformed distinguished names. + +- The size of an RSA public key received in a certificate is now restricted to + + 512 bits <= modulus length <= 8192 bits. + +- Fixed the debug mode enumeration. + + +strongswan-2.1.3 +---------------- + +- Fixed another PKCS#7 vulnerability which could lead to an + endless loop while following the X.509 trust chain. 
+ + +strongswan-2.1.2 +---------------- + +- Fixed the PKCS#7 vulnerability discovered by Thomas Walpuski + that accepted end certificates having identical issuer and subject + distinguished names in a multi-tier X.509 trust chain. + + +strongswan-2.1.1 +---------------- + +- Removed all remaining references to ipsec_netlink.h in KLIPS. + + +strongswan-2.1.0 +---------------- + +- The new "ca" section allows to define the following parameters: + + ca kool + cacert=koolCA.pem # cacert of kool CA + ocspuri=http://ocsp.kool.net:8001 # ocsp server + ldapserver=ldap.kool.net # default ldap server + crluri=http://www.kool.net/kool.crl # crl distribution point + crluri2="ldap:///O=Kool, C= .." # crl distribution point #2 + auto=add # add, ignore + + The ca definitions can be monitored via the command + + ipsec auto --listcainfos + +- Fixed cosmetic corruption of /proc filesystem by integrating + D. Hugh Redelmeier's freeswan-2.06 kernel fixes. + + +strongswan-2.0.2 +---------------- + +- Added support for the 818043 NAT-Traversal update of Microsoft's + Windows 2000/XP IPsec client which sends an ID_FQDN during Quick Mode. + +- A symbolic link to libcrypto is now added in the kernel sources + during kernel compilation + +- Fixed a couple of 64 bit issues (mostly casts to int). + Thanks to Ken Bantoft who checked my sources on a 64 bit platform. + +- Replaced s[n]printf() statements in the kernel by ipsec_snprintf(). + Credits go to D. Hugh Redelmeier, Michael Richardson, and Sam Sgro + of the FreeS/WAN team who solved this problem with the 2.4.25 kernel. + + +strongswan-2.0.1 +---------------- + +- an empty ASN.1 SEQUENCE OF or SET OF object (e.g. a subjectAltName + certificate extension which contains no generalName item) can cause + a pluto crash. This bug has been fixed. Additionally the ASN.1 parser has + been hardened to make it more robust against malformed ASN.1 objects. 
+ +- applied Herbert Xu's NAT-T patches which fixes NAT-T under the native + Linux 2.6 IPsec stack. + + +strongswan-2.0.0 +---------------- + +- based on freeswan-2.04, x509-1.5.3, nat-0.6c, alg-0.8.1rc12 |
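Review bot: the first entry of the new NEWS file (the "new build environment featuring autotools" bullet at the top of the hunk) sits above the `strongswan-4.0.0` heading without a release heading of its own, so a reader cannot tell which version it belongs to; every other block in the file is introduced by a `strongswan-x.y.z` line plus underline, and this one should get the same. The 2.4.0 entry still carries an unresolved editorial placeholder, "the native IPsec stack of the Linux 2.6 kernel [often/ always?] returns an XFRM_ACQUIRE message", which should be settled or reworded before the file ships; the same event is spelled `XFRM_AQUIRE` three times in the 2.5.1 entry, so one spelling should be used throughout. In the 2.4.2 entry the example `pkcs11module=/usr/lib/pkcs11/opensc-pkcs11.lo` names a libtool object; a loadable PKCS#11 module would normally end in `.so`, so please double-check that path. Within the 2.7.0 entry the keyword appears as `left|rightfirewall` in one sentence and `left|rightfirwall` in the next; the second is a typo and, since users copy keywords from NEWS, worth fixing. Remaining typos in the added text: "handled thy the IKEv1 pluto keying daemon" (by), "in conjuction with iptables" (conjunction), "cause this additional ACCEPT rules" (these), "accelerated tremedously" (tremendously), "CA certicates" (certificates), the unbalanced quote in `the word "default2 has become`, "not-yet exisiting tunnel" (existing), "occuring" in the 2.2.2 and 2.2.1 entries (occurring), the missing space in `"left" be"local"`, and "NAT-T patches which fixes" (fix) in the 2.0.1 entry.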