ChangeLog
2026-05-04 Renaud Allard <renaud@allard.it>
* Release 0.13.1
- Build: include libgen.h unconditionally for dirname()/basename().
0.13.0 left the include inside #ifdef __OpenBSD__, so the new
Capsicum pidfile-cleanup code failed to build on FreeBSD.
- Build: require seccomp.h to be present before defining
HAVE_SECCOMP. Distros that split libseccomp into separate
header and library packages (notably SUSE BCI) no longer fail
the seccomp.c compile when only the library is installed.
- Tests: add a logger_post_fork_child_disinherit stub to
resolver_response_fuzz so the resolver fuzz harness links
cleanly without pulling in logger.c.
- CI: continuous-fuzzing only files an issue when actual
crash/leak/timeout artifacts exist; build or link failures no
longer create false-positive 'fuzzer crash' issues.
2026-05-03 Renaud Allard <renaud@allard.it>
* Release 0.13.0
- Security: TLS parser now rejects renegotiation_info even when SNI
appears earlier in the extension list. Previously the parser
returned on the SNI extension and never inspected later
extensions, allowing a client-initiated renegotiation attempt
alongside a valid SNI to be routed instead of rejected.
- Security: Reject empty or mis-sized SNI server_name list per
RFC 6066 section 3.
- Security: PROXY protocol v2 rejects undefined command values.
- Security: IPC channel closes orphan fds in SCM_RIGHTS ancillary
data, validates cmsg_len before extracting fd, checks MSG_CTRUNC
on the prefix recvmsg, and wipes partial ciphertext on seal
failure.
- Reliability: Binder and resolver children no longer SIGKILL the
parent's logger child via inherited IPC state; the resolver
child's startup notice() previously triggered this on every
launch.
- Reliability: disable_logger_process and logger_process_shutdown
no longer SIGKILL on waitpid ECHILD - the PID may have been
recycled.
- Reliability: HTTP/2 returns -1 (incomplete) instead of -2 (no
host) when the buffer ends mid-request, so clients that split
preface, SETTINGS and HEADERS across TCP segments are not
aborted.
- Reliability: Configuration tokenizer rejects embedded NUL bytes.
- Configuration: dot://ADDRESS/SNI/tls1.2|tls1.3 syntax now
parses correctly (previously rejected before reaching the
resolver child).
- FreeBSD: Connect to syslog at openlog() time with LOG_NDELAY so
the connection is open before cap_enter().
- FreeBSD: Pre-open pidfile parent directory and remove on
shutdown via unlinkat. Register cleanup via atexit.
- FreeBSD: Use unlinkat for connection-dump cleanup paths.
- FreeBSD: Limit cap_rights on parent-side IPC sockets.
- FreeBSD: Warn when logger child cannot open a new file sink in
capability mode.
- OpenBSD: Keep cpath in the post-tightening pledge so the pidfile
can be removed at exit (otherwise daemon SIGABRTed on shutdown).
- Packaging: Add libseccomp build dependency to debian/control,
redhat/sniproxy.spec, alpine/APKBUILD and the matching install
lines in release-packages.yml. Without this, every Linux package
release was being built without the seccomp sandbox.
- Packaging: Detect libssl in configure instead of hardcoding
-lssl. Point package metadata at the renaudallard fork.
- Build: Actually clear hardening flags when sanitizers are
enabled (the conflict-resolution branch had no effect).
- Tests: Tighten resolv_test, ipc_crypto_debug_test and tls_test
assertions so silent regressions are caught. The lenient
tls_test assertion is what previously masked the
renegotiation_info bypass.
- Tests: Wire ipc_crypto_debug_test, ipc_crypto_rekey_test and
ipc_crypto_time_rekey_test into the build.
- Tests: Cover dtls and ipc_crypto tests in the valgrind workflow.
- Tests: Fix functional_test connection-dump file lookup,
xmpp_test off-by-one length, config_test TMPDIR honoring.
- Other: Rate limit buckets now track is_v4 to mirror
ConnCountBucket and avoid v4/v6 cross-match on hash collision.
- Other: Skip destructive sink swap when REOPEN produced no new
file. Avoid double ev_timer_again in UDP validating fast-path.
Use _exit in manual daemonize fork-and-exit fallback.
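The two 0.13.0 TLS parser fixes listed above (walk every extension so a renegotiation_info placed after SNI is still rejected, and reject empty or mis-sized server_name lists per RFC 6066 section 3), as an added C example written for this ChangeLog; it is not sniproxy's own tls.c, and the result codes, function names and the byte samples are constructed for illustration rather than taken from the project.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS extension types from the IANA registry. */
#define EXT_SERVER_NAME        0x0000u
#define EXT_RENEGOTIATION_INFO 0xff01u

/* Result codes for this example only (not sniproxy's -1/-2 convention). */
enum ext_result {
    EXT_OK           = 0,   /* host_name extracted into the caller's buffer */
    EXT_NO_SNI       = -1,  /* every extension walked, no usable server_name */
    EXT_MALFORMED    = -2,  /* a length field disagrees with its container */
    EXT_REJECT_RENEG = -3   /* renegotiation_info present anywhere in the list */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a server_name extension body per RFC 6066 section 3: a 2-byte
 * ServerNameList length that must be non-zero and fill the body exactly,
 * then entries of name_type (1 byte) + name length (2 bytes) + name. */
static int parse_sni(const uint8_t *body, size_t len, char *host, size_t hostsz)
{
    if (len < 2)
        return EXT_MALFORMED;
    size_t list_len = rd16(body);
    if (list_len == 0 || list_len != len - 2)   /* empty or mis-sized list */
        return EXT_MALFORMED;

    const uint8_t *p = body + 2, *end = body + len;
    int found = 0;
    while (p < end) {
        if ((size_t)(end - p) < 3)
            return EXT_MALFORMED;
        uint8_t name_type = p[0];
        size_t name_len = rd16(p + 1);
        p += 3;
        if (name_len > (size_t)(end - p))
            return EXT_MALFORMED;
        if (name_type == 0 && !found) {           /* host_name entry */
            if (name_len == 0 || name_len >= hostsz || memchr(p, '\0', name_len))
                return EXT_MALFORMED;
            memcpy(host, p, name_len);
            host[name_len] = '\0';
            found = 1;
        }
        p += name_len;   /* keep validating the remaining entries */
    }
    return found ? EXT_OK : EXT_NO_SNI;
}

/* Walk the whole ClientHello extension block (buf begins at the 2-byte
 * extensions length). The loop never returns early on server_name, so a
 * renegotiation_info extension that follows a valid SNI is still caught. */
int walk_extensions(const uint8_t *buf, size_t len, char *host, size_t hostsz)
{
    if (len < 2 || rd16(buf) != len - 2)
        return EXT_MALFORMED;
    const uint8_t *p = buf + 2, *end = buf + len;
    int sni = EXT_NO_SNI;
    while (p < end) {
        if ((size_t)(end - p) < 4)
            return EXT_MALFORMED;
        uint16_t type = rd16(p);
        size_t elen = rd16(p + 2);
        p += 4;
        if (elen > (size_t)(end - p))
            return EXT_MALFORMED;
        if (type == EXT_RENEGOTIATION_INFO)
            return EXT_REJECT_RENEG;
        if (type == EXT_SERVER_NAME) {
            sni = parse_sni(p, elen, host, hostsz);
            if (sni == EXT_MALFORMED)
                return sni;
        }
        p += elen;       /* continue past SNI to inspect later extensions */
    }
    return sni;
}

/* Verdict-only wrapper for callers that do not need the hostname. */
int walk_verdict(const uint8_t *buf, size_t len)
{
    char scratch[256];
    return walk_extensions(buf, len, scratch, sizeof scratch);
}

/* Constructed sample: server_name "example.com" followed by renegotiation_info. */
static const uint8_t SAMPLE_SNI_THEN_RENEG[] = {
    0x00, 0x19,                                   /* extensions length = 25 */
    0x00, 0x00, 0x00, 0x10,                       /* server_name, length 16 */
    0x00, 0x0e, 0x00, 0x00, 0x0b,                 /* list len 14, host_name, len 11 */
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
    0xff, 0x01, 0x00, 0x01, 0x00                  /* renegotiation_info, length 1 */
};
/* Constructed sample: the same server_name extension alone (length 20). */
static const uint8_t SAMPLE_SNI_ONLY[] = {
    0x00, 0x14, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x00, 0x0b,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
};
/* Constructed samples: an empty ServerNameList, and a list length (13) that
 * does not match the 14 bytes actually present. */
static const uint8_t SAMPLE_EMPTY_SNI[] = { 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00 };
static const uint8_t SAMPLE_MISSIZED_SNI[] = {
    0x00, 0x14, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0d, 0x00, 0x00, 0x0b,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
};

int main(void)
{
    char host[256] = "";
    printf("sni then reneg: %d\n", walk_verdict(SAMPLE_SNI_THEN_RENEG, sizeof SAMPLE_SNI_THEN_RENEG));
    printf("sni only:       %d host=%s\n",
           walk_extensions(SAMPLE_SNI_ONLY, sizeof SAMPLE_SNI_ONLY, host, sizeof host), host);
    printf("empty list:     %d\n", walk_verdict(SAMPLE_EMPTY_SNI, sizeof SAMPLE_EMPTY_SNI));
    printf("mis-sized list: %d\n", walk_verdict(SAMPLE_MISSIZED_SNI, sizeof SAMPLE_MISSIZED_SNI));
    return 0;
}
```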
2026-03-20 Renaud Allard <renaud@allard.it>
* Release 0.12.0
- Add Capsicum capability mode sandboxing for FreeBSD
- Add FreeBSD rc.d startup script (scripts/sniproxy.rc)
- Fix build system: add AC_CANONICAL_HOST for seccomp/Capsicum
detection and link libm for isfinite() on FreeBSD
- Add capsicum.c to test binaries that link logger.c
- Add FreeBSD package build to release workflow
2026-03-17 Renaud Allard <renaud@allard.it>
* Release 0.11.1
- Fix IPV6_V6ONLY not effective when binding privileged ports via
binder child process (setsockopt after bind rejected by Linux)
2026-03-16 Renaud Allard <renaud@allard.it>
* Release 0.11.0
- Add DTLS (TLS over UDP) protocol support for proxying WebRTC,
OpenConnect VPN, CoAP, and other UDP/DTLS protocols by hostname
- Shared SNI extension parsing between TLS and DTLS parsers
- UDP session manager with per-session connected server sockets,
DNS resolution, idle timeouts, source address binding, and
transparent proxy support
- Binder support for UDP (SOCK_DGRAM) privileged port binding
- DTLS parser unit tests and fuzz harness
- DTLS source validation to prevent UDP reflection/amplification
- Per-IP rate and connection limiting for UDP sessions
- Cap UDP pending datagram size to 4KB to limit memory under load
- Add missing sendfd/recvfd pledge promises on OpenBSD, including
sendfd in parent pledge set for binder child inheritance
- Tighten seccomp: restrict logger to syslog and IPC-only syscalls
- Disable TLS session tickets for DNS-over-TLS connections
- Detect explicit_bzero in configure for reliable secret wiping
- Wipe IPC send buffer before free
- Set SOCK_CLOEXEC on DoT sockets in resolver child
- Add int16_t bounds check in Huffman tree builder
- Add compiler hardening flags: -Wshadow, -Wimplicit-fallthrough,
-Wnull-dereference, -Wundef, -fno-delete-null-pointer-checks
- Harden systemd service with additional restrictions
- Use memcpy for IPv6 address hashing in UDP session lookup
- Annotate intentional switch fallthroughs for clang compatibility
- Fix conn_count_free_count underflow guard in connection rate limiter
- Fix missing partial write check in resolver child send
- Fix atomicity violation in resolver query resubmission after restart
- Fix unsafe EV_DEFAULT fallback in resolver child after fork
- Add early sock->failed check in DoT read/write callbacks
- Warn when reuseport or ipv6_v6only changes on SIGHUP reload
- Warn when resolver config changes on SIGHUP reload
2026-03-14 Renaud Allard <renaud@allard.it>
* Release 0.10.0
- Add per_ip_max_connections directive to limit concurrent connections per IP
- Add tcp_fastopen directive for TCP Fast Open on listeners and backends
- Add backend_acl directive to restrict outbound connection subnets
- Randomly select from multiple DNS results for load distribution
- Add backend_affinity table directive for consistent backend selection
- Auto-anchor literal hostname patterns in table entries
- Accept incoming PROXY protocol v1/v2 headers on listeners
- Add PROXY protocol v2 (binary) output support
- Add Minecraft Java Edition protocol support
- Add SIGCHLD handler to reap zombie child processes
- Document HTTP/2 connection coalescing limitation
- Fix broken binary search and missing host header detection in HPACK
decoder
- Enforce RFC 7541 dynamic table size update limits in HPACK decoder
- Fix ensure_logger_process return value after resend failure
- Add missing recvfd pledge promise in logger child on OpenBSD
- Restart logger child on health check failure instead of fatal exit
- Use non-blocking poll in logger health check to avoid stalling event
loop
- Close unexpected fd in logger child NEW_SINK handler
- Handle ECHILD when killing logger child after daemonize
- Fix stderr log messages silently lost via logger child
- Resolve relative config path before daemonize and check pidfile write
- Use logger for write_pidfile errors instead of stderr
- Fix per-IP conn_count mismatch with PROXY protocol
- Fix -T 1.3 rejecting all TLS connections
- Fix fallback address losing port on SIGHUP reload
- Reject stray closing brace at config top level
- Fix EAGAIN on logger IPC permanently killing logger child
- Fix use-after-free in resolve_server_address on sync DNS failure
- Fix server buffer growing 4x instead of intended 2x on resize
- Fix IPC crypto context leak in resolver init on socketpair/fork failure
- Preserve errno across accept cleanup so EMFILE backoff triggers
- Fix resolver IPC max payload length to include header
- Use TOCTOU-safe directory validation for /var/run/sniproxy
- Wipe all derived keys on channel init failure
- Fix resource leak on strdup failure in DoT server registration
- Add overflow check to iovec total length in DoT send path
- Snapshot protocol at accept time to prevent mismatch during reload
- Fail backend init when literal pattern anchoring malloc fails
- Chown log files before dropping privileges for SIGHUP rotation
- Emit PROXY TCP4 for IPv4-mapped IPv6 addresses
- Unify fallback proxy_protocol naming with table backend syntax
- Use reallocarray() for overflow-safe allocation
- Replace assert() with proper runtime error handling
- Check setsockopt/fcntl/inet_ntop return values throughout
- Clean up unused functions, dead code, and redundant includes
- Add closefrom to AC_CHECK_FUNCS to enable efficient fd cleanup
- Add missing build dependencies for OpenSSL and libbsd
- Fix use-after-free in resolve_server_address on synchronous DNS failure
- Fix use-after-free when c-ares calls callback synchronously
- Fix use-after-free in resolver callback on config reload
- Fix PROXY protocol header sent after client data instead of before
- Fix HTTP Host header smuggling with bare Host: line
- Fix HTTP/2 empty HEADERS frame blocking CONTINUATION frames
- Fix HTTP parser returning wrong error for incomplete header lines
- Fix dead Huffman padding validation in HPACK decoder
- Reject EOS symbol in HPACK Huffman decoder per RFC 7541
- Fix double timestamp in syslog messages when logger process is enabled
- Clean up logger child sinks on abnormal parent exit
- Ignore SIGPIPE in logger child process
- Fix blocking waitpid in logger that can stall the mainloop
- Fix NULL dereference in err() during default logger initialization
- Fix potential NULL dereference on logger->sink in vlog_msg
- Fix potential NULL dereference in timestamp formatting
- Fix fd leak in recv_logger_message on validation failure
- Fix file descriptor leak in logger REOPEN handler
- Fix double-close of file descriptor in obtain_file_sink
- Fix recursive fork in logger child on pledge and crypto failure
- Fix zombie and repeated forks in logger on crypto init failure
- Fix obtain_file_sink fallback ignoring logger_parent_fs_locked
- Fix connection leak when server buffer expansion fails
- Fix assert and connection leak in reactivate_watchers for empty abort
- Fix double close_server_socket regression in buffer overflow guard
- Fix IPC crypto recv state corruption on AEAD verification failure
- Fix IPC send channel state corruption on rekey derivation failure
- Fix IPC recv channel corruption on rekey derivation failure
- Fix undefined behavior in ipc_crypto_open for zero-length payloads
- Fix reading uninitialized control buffer on recvmsg error
- Fix resource leak in ipc_crypto_channel_init and check return values
- Wipe base_key on derive_base_key failure in ipc_crypto_channel_init
- Add defensive NULL check for CMSG_FIRSTHDR in ipc_crypto_send_msg
- Fix zombie process in binder on crypto initialization failure
- Use _exit in binder child on seccomp filter failure
- Fix fatal() on config file permission change during SIGHUP reload
- Use consistent -1 error returns instead of -errno in config parsing
- Handle EOF without trailing newline in config tokenizer
- Use exact match for bad_requests action and reject unknown values
- Use exact match for protocol and reject unknown protocol names
- Reject negative values in config parsers regardless of leading whitespace
- Reject negative values in max_connections and resolver limit config
- Reject negative values for -n file descriptor limit option
- Check fcntl return values when setting sockets nonblocking
- Check ipc_crypto_channel_set_role return in resolver child
- Retry resolver child send on EINTR
- Use strict < in TLS extension parsing loop conditions
- Fix XMPP parser returning incomplete for malformed unclosed quotes
- Fix integer overflow in Minecraft parser on 32-bit platforms
- Fix heap over-read in buffer_coalesce on malloc failure
- Tighten OpenBSD pledge promises after privilege drop
2026-03-08 Renaud Allard <renaud@allard.it>
* Release 0.9.26
- Set logger IPC socket non-blocking to prevent mainloop stall
- Combine logger header and payload into a single IPC message
- Cache EVP_CIPHER_CTX in IpcCryptoState to avoid per-message allocation
- Use cached send buffer in ipc_crypto_send_msg to avoid per-message malloc
- Add missing limits.h include in resolv.c for INT_MAX
- Fix autorelease glob expansion of release notes containing asterisks
2026-03-08 Renaud Allard <renaud@allard.it>
* Release 0.9.25
- Fix infinite loop in shrink_idle_buffers under memory pressure
- Fix DNS per-client tracking bypass for IPv4-mapped IPv6 addresses
- Fix fd leak on short prefix read in IPC crypto receive
- Fix HTTP/2 to HTTP/1.1 fallthrough on full preface match
- Fix ACL policy validation for implicit default mode
- Fix logger priority name accepting partial matches
- Replace select() with poll() in logger health check
- Handle SSL_ERROR_ZERO_RETURN in DNS-over-TLS read
- Drain OpenSSL error queue after DoT TLS errors
- Clamp SSL_read/SSL_write length to INT_MAX
- Cap IPC payload length to INT_MAX for OpenSSL API
- Add size validation to binder AF_UNIX sockaddr comparison
- Add NULL guard to copy_address
- Fix size_t to int narrowing in config tokenizer
- Fix misleading logger stanza error messages
- Remove incorrect const from table_lookup_server_address
- Remove dead code in connection_cb buffer reserve path
- Update mutex nesting documentation in resolver
2026-03-04 Renaud Allard <renaud@allard.it>
* Release 0.9.24
- Feature: Add -t flag to test configuration and exit without
starting the proxy, similar to nginx -t.
- Feature: Add -g flag to allow group-read (0640) config file
permissions, enabling SIGHUP config reload after privilege drop.
A security warning is logged at startup when this flag is used.
- Improved permission error messages to show allowed modes and
hint about the -g flag.
2026-03-02 Renaud Allard <renaud@allard.it>
* Release 0.9.23
- Security: Normalize IPv4-mapped IPv6 addresses in rate limiter
so the same client gets one bucket regardless of address family.
- Security: Log warning when SNIPROXY_DISABLE_SECCOMP environment
variable bypasses the seccomp sandbox.
- Security: Verify privilege drop succeeded in logger child with
getuid/geteuid/getgid/getegid checks after setuid.
- Reliability: Register new listener addresses with binder allowlist
on config reload so privileged port binding works after SIGHUP.
- Reliability: Warn when user or group directive changes on config
reload since privilege drop is irreversible.
2026-03-01 Renaud Allard <renaud@allard.it>
* Release 0.9.22
- Resolver: Fix deadlock when resolver send fails during query emit
by deferring restart until after the mutex is released.
- Resolver: Fix DNS timeout timer not being rescheduled when already
active by stopping the timer before reconfiguring it.
- Resolver: Use _exit() instead of exit() for seccomp failure in
resolver child to avoid running parent atexit handlers.
- Binder: Reject sockaddr with length shorter than sa_family_t and
fix fd leak in binder test.
- Listener: Always set listener socket to nonblocking mode, not just
when HAVE_ACCEPT4 is undefined.
- Logger: Fix fd leak on allocation failure in NEW_SINK handler.
- Logger: Use _exit() instead of exit() for seccomp failure in
logger child to avoid running parent atexit handlers.
- Logger: Fix dead retry loop in logger_send_privileges where
logger_process_failed was not reset before restart attempt.
- Config: Fix connection_buffer_limit, client_buffer_limit,
server_buffer_limit, and http_max_headers config directives
returning wrong success value, making them silently reject any
config file that used them.
- HTTP/2: Fix HPACK Huffman tree builder reading bits from the wrong
end of left-justified code values, causing all codes to collide.
- HTTP/2: Fix Huffman tree internal nodes being treated as NUL byte
leaves because calloc zero-initialization was indistinguishable
from the NUL character value.
- IPC: Fix dead round-trip test in ipc_crypto fuzz harness by using
separate parent/child states.
2026-02-28 Renaud Allard <renaud@allard.it>
* Release 0.9.21
- IPC: Fix fd loss in encrypted IPC receive path where the 4-byte
frame length prefix was read with plain recv(), discarding any
SCM_RIGHTS ancillary data sent alongside it.
- IPC: Retry sendmsg() on EINTR to match the receive side behavior.
- Resolver: Fix return value check after resolver restart so pending
queries are resubmitted instead of failed.
- Resolver: Fix use-after-free when realloc relocates the nameserver
list and the subsequent strdup fails.
- Resolver: Replace fatal() with graceful error handling in
resolv_init() so a restart failure does not kill the process.
- Listener: Re-apply SO_KEEPALIVE, SO_REUSEPORT, and IPV6_V6ONLY on
sockets obtained from the privileged binder.
- Config: Reject NaN and Infinity in floating-point config values
(per_ip_connection_rate, io_collect_interval,
timeout_collect_interval).
- Config: Reject configuration files with unclosed braces instead of
silently accepting truncated input.
- Logger: Drain payload from socket on malloc failure to prevent IPC
protocol desync and logger child crash.
- Logger: Prevent memory leak from recursive init_default_logger()
calls triggered by err() during sink registration.
- HTTP/2: Return correct incomplete status when no frames have been
parsed yet instead of reporting no hostname found.
- Shutdown: Remove pidfile on clean shutdown.
2026-02-25 Renaud Allard <renaud@allard.it>
* Release 0.9.20
- Memory: Halve server buffer initial size from 64KB to 32KB, shrink
spliced connection buffers to 4KB instead of min_size, reduce buffer
pool max cached entries by half (worst-case pool 12MB to 6MB), lower
rate limit free list cap from 8192 to 2048 entries (2.3MB to 576KB),
and shrink table cache from 1024 to 256 slots (272KB to 68KB per
table).
- SO_SPLICE: Reclaim user-space buffer memory when activating kernel
splice and stop the libev idle timer since the kernel splice timeout
handles idle detection.
- Reliability: Suppress expected EPROTO warnings when unsplicing
connections that were already terminated by the peer.
2026-02-06 Renaud Allard <renaud@allard.it>
* Release 0.9.19
- Performance: Add SO_SPLICE zero-copy forwarding on OpenBSD to eliminate
user-space copies after the initial handshake is parsed.
- Performance: Enable PCRE2 JIT compilation for backend regex matching,
set TCP_NODELAY on client and server sockets, convert HPACK dynamic
table to a ring buffer for O(1) inserts, increase table hostname cache
from 256 to 1024 entries, skip redundant ev_io stop/start when event
mask is unchanged, remove redundant buffer zeroing on pool acquire,
merge TLS extension validation into a single pass, and remove the
per-backend single-entry match cache.
- Security: Enforce extension count limit across all TLS parsing paths
including extensions_have_required_version, explicitly unsplice before
closing idle spliced connections, and log SO_SPLICE cleanup failures.
- Bug fixes: Fix data corruption in buffer_coalesce optimization path,
double close of FDs in ipc_crypto_recv_msg and logger LOGGER_CMD_DROP,
errno clobbered before restart check in resolver_ipc_cb, reload_tables
skipping consecutive table removals, accept_listener_arg returning
success on invalid argument, listeners_reload ignoring init_listener
failure, ambiguous prefix matching in accept_resolver_mode and
lookup_syslog_facility, NULL pointer dereference in hpack_add_entry on
malloc failure, overlapping memcpy in new_address port stripping, and
blocking nanosleep retry loop in connect path.
- API: Add getter/setter functions for connection header/idle timeouts,
TLS extension limits, HTTP/2 frame and header count limits, and XMPP
max header length.
2026-01-02 Renaud Allard <renaud@allard.it>
* Release 0.9.18
- XMPP: Add protocol handler and listener support that extracts the stream 'to'
attribute so XMPP (including STARTTLS) can be proxied by hostname; includes
dedicated parser tests and a fuzz harness.
- Fuzzing: Disable ASan ODR indicators in fuzz builds and mark stub HTTP/TLS
protocol pointers weak in the listener ACL harness to avoid
multiple-definition link errors.
2025-12-19 Renaud Allard <renaud@allard.it>
* Release 0.9.17
- Security: Limit IPC generation gaps to 16 so forged UINT32_MAX generations
cannot force billions of rekeys and DoS ipc_crypto receivers.
- Build/CI: release-packages workflow downloads autoconf 2.71 from GNU and
kernel mirrors before ftp.gnu.org to avoid bootstrap timeouts.
2025-12-16 Renaud Allard <renaud@allard.it>
* Release 0.9.16
- IPC crypto: Protocol bumped to IPC2 with an authenticated generation
field so rekeys are deterministic, time-based rekeys succeed even with
sparse traffic, receivers catch up after missed generations, and
stale-generation frames are rejected to avoid replay-driven hangs after
long uptimes.
2025-12-15 Renaud Allard <renaud@allard.it>
* Release 0.9.15
- Security: Binder helper restricts requests to validated AF_INET/AF_INET6/
AF_UNIX stream sockets under the configured allowlist and seccomp filters
are process-specific to narrow syscall exposure.
- TLS/DNS: DoT upstreams accept a configurable minimum TLS version
(default tls1.2) and too-old ClientHello versions are rejected instead of
being routed to fallback backends.
- Reliability: IPC replay protection enforces monotonic counters, logger
child health checks detect stalls, backend regex cache initialization
failures no longer crash lookup, global ACL policy resets after parsing,
EINTR connect retries were fixed, and rate-limit OOM paths reject with
exponential backoff.
- Docs: README/man pages refreshed and the obsolete splice(2) reference was
removed.
2025-12-03 Renaud Allard <renaud@allard.it>
* Release 0.9.14
- Breaking change: DNS-over-TLS nameserver entries using IP literals now
require either a TLS hostname (`dot://IP/hostname`) or `/insecure`; bare
IP-only entries are rejected to avoid silent verification bypass.
- Reliability: Fatal exit paths log the failure reason before terminating,
covering daemonization, privilege drops, and child process handoffs.
2025-11-25 Renaud Allard <renaud@allard.it>
* Release 0.9.13
- Build/CI: Release workflow discovers Rocky releases via mirrors and Docker
tags, builds both latest and previous Rocky majors with consistent jobs,
falls back to microdnf when dnf is missing, and openSUSE autoconf downloads
use a mirrored source when ftp.gnu.org is unavailable.
- Testing: Buffer tests now create/destroy a dedicated libev loop and fix the
leak that broke Valgrind runs; the Valgrind workflow builds from tests/ and
surfaces failures.
- Bug fix: Resolved a use-after-free when config files have incorrect
permissions.
2025-11-24 Renaud Allard <renaud@allard.it>
* Release 0.9.12
- Build/Packaging: rpmbuild now preserves %{optflags} while appending the
libev include path, drops the unused perl BuildRequires, ships the missing
hostname_sanitize.h in release tarballs, and allows the release-packages
workflow to be triggered manually for RPM/DEB artifacts.
- Installation: removed the sniproxy wrapper entirely so only the real
daemon installs under sbin, avoiding duplicate or stale binaries.
- Tests/Fuzzing: added a resolver response fuzz harness with fuzz-only
resolver helpers, broadened the libev stub to cover timers/signals/loop
lifecycle, and fixed a leak in the resolver fuzz harness to keep fuzz runs
stable.
2025-11-23 Renaud Allard <renaud@allard.it>
* Release 0.9.11
- Security: HTTP parsers enforce a configurable http_max_headers guard
(default 100), TLS ClientHello logic counts extensions before walking
them, and ipc_crypto rejection paths now run dummy decrypts with
dedicated zero_tag buffers so authentication failures do not leak timing
information.
- Configuration: Path directives are canonicalized, keyword handlers
gained typed cleanup hooks so repeated resolver/logger/listener ACL
blocks release previous allocations, address/table helpers and resolver
restart queues were hardened with runtime checks, and the
long-deprecated sniproxy-cfg helper plus its man page were removed.
- Tooling/Tests: Ship a hardened scripts/sniproxy.service unit, drop the
wrapper shim so only the real sniproxy binary installs under sbin on every
platform, extend GitHub releases to build RPM/DEB artifacts, and grow the
fuzzing suite with new address/table/listener ACL/ipc harnesses that
default to error-only logs.
2025-11-22 Renaud Allard <renaud@allard.it>
* Release 0.9.10
- Security: Temporary directory creation now rejects symlinks for both /var/run
and /tmp fallbacks by switching to lstat() before the O_NOFOLLOW open,
so attackers cannot pre-create redirects.
- Robustness: Unix-socket addresses always terminate sun_path after strncpy()
and the cfg_tokenizer guarantees buffers are null-terminated on every
failure path, preventing rare parser overreads.
- DNS: Resolver concurrency defaults remain at 512/16 but configuration reloads
now propagate the per-client limit consistently alongside the global cap.
2025-11-21 Renaud Allard <renaud@allard.it>
* Release 0.9.9
- Security: Harden PROXY header emission by checking buffer space, logging the
client when the header cannot be appended, and aborting routing instead of
silently continuing; address parsing now validates sockaddr lengths/sa_len,
casts bytes to unsigned char before tolower(), bounds the recursion depth,
and clamps copy_sockaddr_to_storage/back-end caches from overruns.
- Networking: Per-client DNS concurrency limits complement the global cap so
abusive clients cannot starve other users, the defaults jump to 16 per client
and 512 overall with resolver max_concurrent_queries(_per_client) settings,
and the address parser handles trailing ports iteratively with centralized
apply_port_if_needed logic.
- Crypto: ipc_crypto_seal validates header/tag overhead, refuses SIZE_MAX
overflows, and stops once the send counter reaches UINT64_MAX; derive_key
enforces a 1024-byte label limit before allocating HKDF info buffers.
- Reliability: Buffer helpers now assert read/write offsets never exceed their
capacity and setup_write_iov aborts when a buffer claims more bytes than it
allocated, preventing silent corruption.
2025-11-20 Renaud Allard <renaud@allard.it>
* Release 0.9.8
- Security: require libpcre2 everywhere (runtime, tests, fuzzers, packaging)
and drop the legacy PCRE1 fallback; HKDF buffers now zeroize and reject
oversized labels.
- Hardening: configuration reloads re-check file permissions, all config
paths must be absolute, resolver search domains are treated as literal
suffixes, and temporary connection dumps use mkostemp() with CLOEXEC.
- Networking: resolver blocks now support DNS-over-TLS `dot://` upstreams
with full certificate validation using the system trust store.
- Reliability: resolver cancellation gains an atomic memory fence to prevent
race windows, and documentation/metadata reflect the updated behavior.
2025-11-19 Renaud Allard <renaud@allard.it>
* Release 0.9.7
- DNS: enable relaxed DNSSEC validation by default so wildcard tables and
fallback targets benefit from authenticated data without manual resolver
blocks.
- Security: enforce fatal configuration-permission checks in both sniproxy
using fstat() on the open descriptor, covering startup and
reload flows.
- Documentation: refresh README, architecture references, and man pages to
reflect the new DNSSEC default and strict configuration requirements.
2025-11-18 Renaud Allard <renaud@allard.it>
* Release 0.9.6
- Security: per-IP rate limiting now uses FNV-1a hashes with collision
rejection and short-chain cutoffs, plus hard caps on HTTP headers, TLS
extensions, and IPC payload lengths to stop CPU/memory exhaustion attacks.
- DNS: arc4random()-seeded query IDs, mutex-protected restart flags, and query
handle state assertions prevent leaks, counter drift, and use-after-free bugs.
- Reliability: shrink candidate queues cap at 4096 entries with active
trimming, buffer growth failures explicitly close connections, and log duration
math clamps negative values caused by time jumps.
- Hardening: buffer pool magic numbers detect corruption, secure_memzero wipes
sensitive memory, and PID file validation prevents stale sockets or symlink
abuse before daemon startup.
2025-11-15 Renaud Allard <renaud@allard.it>
* Release 0.9.5
- Performance: cache ev_now and add hysteresis to idle timers and buffer growth.
- Reliability: resolver crash handler avoids spurious write/writev warnings.
- CI: fuzz workflow auto-selects clang/libFuzzer toolchains and surfaces compiler output.
2025-11-14 Renaud Allard <renaud@allard.it>
* Release 0.9.4
- Resource: configurable per-connection buffer caps prevent slow clients from pinning unbounded RAM.
- Security: configuration files with group/world permissions now abort startup instead of warning.
- IPC: binder/logger/resolver children close all inherited FDs except their control socket.
2025-11-12 Renaud Allard <renaud@allard.it>
* Release 0.9.3
- Security: fail fast if dropping privileges leaves either real or effective UID at 0.
- Security: warn sniproxy when configuration files are group or world accessible.
- IPC: binder/logger/resolver channels encrypt control traffic and enforce stricter validation/error reporting.
- Performance: idle connection buffers honor a soft memory limit and shrink immediately under load.
- Resource: configurable per-connection buffer caps prevent slow clients from pinning unbounded RAM.
2025-11-10 Renaud Allard <renaud@allard.it>
* Release 0.9.2
- Harden resolver restarts and keep pending DNS queries alive
- Restart binder helper on IPC failures and fix partial read handling
- Retry outbound connects on transient EADDRNOTAVAIL errors
Check https://github.com/renaudallard/sniproxy/commits/