diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-04-12 20:41:31 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-04-12 20:41:31 +0000 |
commit | 774a362e87feab25f1be16fbca08269ddc7121a4 (patch) | |
tree | cf71f4e7466468ac3edc2127125f333224a9acfb /ChangeLog | |
parent | c54a140a445bfe7aa66721f68bb0781f26add91c (diff) | |
download | vyos-strongswan-774a362e87feab25f1be16fbca08269ddc7121a4.tar.gz vyos-strongswan-774a362e87feab25f1be16fbca08269ddc7121a4.zip |
Major new upstream release, just ran svn-upgrade for now (and wrote some
debian/changelong entries).
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 1079 |
1 files changed, 1079 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 000000000..f52898a8e --- /dev/null +++ b/ChangeLog @@ -0,0 +1,1079 @@ + strongswan-4.1.0 / R:2552 +=========================== + +fixed nat detection bug +OCSP support +updated NEWS, TODO and man page +respecting "keyingtries" parameter on IKE_SA setup +cleanups +fixed reset() +not installing a route when policy gets updated +renamed keyingtries attribute +adjusted loglevels +delay OCSP response by 5 seconds +always update reqid on policy install, fixes dpdaction=hold issue +EAP-SIM cleanups +fixed CHILD_SA rekeying/delete bug on 64bit machines +removed obsolete methods in delete_payload +Shortened distribution string +Shortened distribution string +shortened distribution string +add daemon.log to web page +remove /etc/resolv.conf +version bump to 4.1.0 +added apache2/ocsp log directory to winnetou +removed killall openssl +removed killall openssl +deleted +deleted +create apach2/ocsp/ logging directory on winnetou +do not check for type of dpd action any more +create /var/log/apache2/ocsp on winnetou +added +added +added +delete virtual IP addresses after use +deleted +added +fixed case of missing subjectKeyID +corrected typo +version bump to 4.1.0 +added +use CURLOPT_NOSIGNAL +added --with-sim-reader option to configure script +some cleanups in eap_sim +removed dublicated code in eap_authenticator +log reception of trusted signer certificate +version bump to 4.1.0 +deleted +added +changed OCSPSigner to OCSPSigning +fixed carry bug in FIPS prf +user standard cert +deleted +deleted +added +added +modified description.txt and evaltest.dat +version number selection fix +some cleanups +cleaned up and fixed DPD handling code +removed cfg-payload dns test code +added +added +version bump to strongswan-4.1.0 and linux-2.6.20.3 +cosmetics +increased control debugging output +added EAP-SIM authentication + client side only + uses an external SIM reader library specified with SIM_READER_LIB + untested +not detaching from bus when IKE_SA_INIT is retried +added AES-192/256 proposals to IKE +added generic EAP_IDENTITY client implementation using peers IKEv2 ID +fixed compilation warnings and errors when not using curl +results from the single responses is stored in the corresponding certinfo_t structs +moved credential_store.h from charon/config/credentials to libstrongswan +last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA +fixed memory leak by calling curl_slist_free_all(headers) +fixed memory leak by calling curl_slist_free_all(headers) +whitelisting static Curl_getaddrinfo() memory leak +fixed a certinfo_t memory leak in verify() +fixed a memory leak in response_t +ocsp signer certificate and ocsp response signature can be verified +fixed memleaks when using EAP authentication +fixed configuration payloads when using EAP +fixed payload order (again) +including peers certificate when his certreq is empty +implemented cookies as initiator +proper logging of notifies in IKE_SA setup +disabling routing for IPv6, does not work correctly +fixed call of add_auth_certificate() +generalized get_ca_certificate() to get_auth_certificate(auth_flags) +added fetcher_finalize() to clean up libcurl +some cleanups +not installing %any DNS servers +support of setting and getting authority flags +support if ocsp signing certificates +support if ocsp signing certificates +fixed payload order in IKE_AUTH +removed SHA2 kernel proposals from default, the kernel doesn't support them yet +allocation fixes, not complete +handling "No policy found" properly +added more debugging output for policy lookup +returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE +fixed CHILD_SA creation within existing IKE_SA +added ocsp_parse_single_response +ported changes from EAP branch, renabling EAP framework +added (not yet supported) sha2 algorithms to kernel +only adding a route if using tunnel mode +added SHA2 MAC and PRF to default proposal +added more debug output +experimental SHA2 HMAC and PRF implementations +parsing basic ocsp response +forgot to assign public.is_ocsp_signer() method +added parsing level to x509_create_from_chunk() +added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method +http post fetching using libcurl implemented +added fetcher.h and fetcher.c +added +corrected @ingroup to utils +corrected comment +start ocsp checking only if there are any ocspuris present +conntrack -F is used to flush the NAT states +the hostaccess=yes parameters are not needed anymore +use conntrack -F to flush NAT states +replaced actual virtual IP addresses by symbolic ones +removed unnecessary double quotes +nonce in ocsp_t was not properly initialized +ocsp request is now fully built but without requestor signature +starting to build ocsp request +prevent from initiating multiple exchanges the same time +updated apidoc documentation +fixed notify handling in IKE_AUTH +moved nonce payload before TS in CHILD_SA setup +moved REKEY_SA notify to the beginning of the message +fixed traffic selector redundancy removal code (not completely tested) +add crl and ocsp uris to linked list after partial verification +added print hook for certinfo_t printing +fixed typo +sending an SPI of 0 as responder when IKE_SA_INIT fails +iterate certinfos linked list for matching serialNumber +some cleanups +not assigning %any virtual IPs to peer anymore +fixed double free bug +added +fixed ID selection bug when peer doesn't include IDr payload +allowing vendor ID in any messag +moved listing of crls to local_credential_store and ca +refactored ca_info_t +refactored ca_info_t +fixed netlink socket receiver code +implemented interface enumeration code with netlink: no getifaddrs reqired anymore +refactored kernel interface, works reliable again +implemented get_iface() using RTM_GETADDR +added support for multi-header netlink messages +really ugly now, need a lot of refactoring +added debuggin for interface lookup +fixed address lookup when !using getifaddrs() +added firewalling support when using virtual IPs +added support for 0.0.0.0/0 traffic selectors +fixed routing to make correct 0.0.0.0/0 routes +config-payload scenario fixes +preparations for PLUTO_MY_SOURCEIP +corrected typo +added cert with OCSP access info +dpd now takes 180 s and 5 retransmits +changed grep to creating aquire job for CHILD SA +replaced actual virtual IPs by place holders +virtual-ip scenario has been replaces by config-payload scenario +added +added +added ocsp.h and ocsp.c +added +r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines +virtual ip uml test +fixed reauthentication when connections other is %any +merged tasking branch into trunk +fixed big endian bug in md5 hasher +cosmetics +added once flag to certinfo_t +cosmetics +added certinfos linked list +changed ca info to ca +support of ca info sections +added support of OCSP accessLocations +correct interface definition +added support of OCSP accessLocations +full support of ca info records +added the create_crluri_iterator method +replace ca is realized as del_ca followed by add_ca +last CA keyword is KW_OCSPURI2 +full support of ca info records +full support of ca info records +alphabetically sorting print commands +listing ca_info items +replace printf.h by stdio.h +addin get_keyid() method +support of ca info records +support of ca info records +version bump to 4.0.8 +support of ca info records +support of ca info records +typo +SHA512-HMAC bug fix and hash function self-test support +SHA512-HMAC bug fix and hash function self-test support +handle strong SHA-2 signatures in X.509 certificates +SHA-2 fixes and add-ons +version bumps +remove strong certs and keys after test +added +using "left" as my host per default, swapping to "right" when needed +respecting source address when sending packets +added PRINT_CAINFO hook +stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp +enable IP forwarding +prepared support of ca information records and ocsp functionality +added support of ca information records and ocsp keywords +enabled adding and deleting ca information records +fixed starter crash due to freeing default IPSEC_EAPDIR string +add --eapdir option only if defined in ipsec.conf +removed eap aka module due nda +merged EAP framework from branch into trunk +includes a lot of other modifications +%T requires time_t ptr +removed my time_t printf handler patch, applied the one of andreas (64bit save) +fixed printf() hooks for time +added support for NULL encryption in ESP +be more liberal in accepting notifies with a protocol id +include NO_EXT_SEQUENCE_NUMBER in default proposal +output peer id if RSA public key is not found +fixed typo +version bump to 4.0.8 +added address listing without getifaddrs for uclibc (only IPv4 yet) +added threads to support multiple simultaneous stroke requests +renamed all static clone() functions to avoid naming conflicts with uclibc +sending proper signal to the bus when detecting a dead peer +added configuration of XAUTH and ModeConfig push mode +version bump +version bump +Cisco XAUTH interoperability +XAUTH interoperability with Cisco +removed IPSECPOLICY compile option +unload xauth_module only if XAUTH_DEFAULT_LIB is defined +loading the XAUTH module requires libdl +added some more attributes, inst XAUTH_TYPE in reply +Mode Config refactoring +XAUTH fixes and Cisco Unity support +log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings +added Cisco Unity ModeCfg attributes +version bump to 4.0.7 +fixed 64 bit issue with print time +fixed XAUTHResp bug +included xauth.h +use uml_mconsole to check end of booting process +name the created CHILD_SA +doubled PAYLIMIT to 40 payloads +version bump +show rekeying|reauthentication time +show name of created CHILD_SA +combined use_in and use_fwd +corrected typo +cosmetics +cosmetics +fixed an enumeration error, added CISCO_IOS VID +fixed mismatch in interface definition of get_secret() +forward declaration of struct state not needed +cosmetics +added firewall support to scenario +updated changelog for 4.0.6 +fixed crash when CA for certrequest not found +fixed build when !using smartcard +removed unused debugging code +updated NEWS for 4.0.6 + + + strongswan-4.0.6 / R:2131 +=========================== + +updated NEWS for 4.0.6 +readded tranport mode test using new status output +removed dublicated host2host-transport test +fixed reauthentication when using %any hosts +support for transport in create_child_sa +include TRANSPORT/TUNNEL information in statusall +load xauth module via dlopen() +define path to xauth module +added host2host-transport scenario +removed trailing lines +added XAUTH support +fixed typo +added XAUTH server and client support +load and unload XAUTH module +added xauth.h and xauth.c +added enable-cisco-quirks configure option +added xauth scenarios +added config option for BEET mode +fixed reuathentication when connections other host is %any +fixed host conversion length check +negated POLICY_REAUTH to POLICY_DONT_REAUTH +negated POLICY_REAUTH to POLICY_DONT_REAUTH +enable XAUTH_VID by default +added support for transport mode and (experimental!) BEET mode +support for the type=transport/tunnel parameter in charon +fixed charset & cleanups +added XAUTH server and client support +additional parentheses for same_chunk() macro +renamed to appear in doxygen build +added a roadmap of the strongSwan project (TODO) +added some NEWS +first try to update ipsec.conf manual +implemented reauthentication using the new reauth=yes|no parameter +fixed more uClibc issues +should compile against a uClibc > 0.9.28 (untested) +added XAUTH client states +version bump to 4.0.6 +fixed stddef.h include +fixed encoding rules string +updated todo +fixed some byte-order issues +fixed HAVE_BACKTRACE checks +starter Makefile now uses proper $(COMPILE) to build pluto objects +made backtrace() calls optional to support uClibc +XAUTH support +XAUTH support +fixed bug in ifdef CISCO_QUIRKS +added XAUTH support +support of Cisco Unity VID +added new VIDs +version bump to 4.0.6 +fixed case with wildcard peer ID and static peer address +added simple script to port trunk changes into branches +start kdevelop with project file from actual branch +updated changelog +fixed typos + + + strongswan-4.0.5 / R:1447 +=========================== + +fixed typos +improved selection of ipsec status|statusall <name> +fixed NEWS (runtime debug level options) +fixed credits +fixed very old bug in linked_list's remove_first and remove_last +proper "ipsec up" signal handling when initiating to %any +removed iterator hook for replace +fixed output of proto/port selectors +cosmetics +due to console logging, no need for final sleep anymore +adapted checks to changed ipsec status output +due to narrowing no need for rightsubnetwithin +no need to send certreq +fixed ipsec status|statusall <name> +log IKE SPIs on a separate line +redesigned formatting of ipsec status|statusall +cosmetics +version bumps of strongSwan, Linux kernel and Gentoo root file system +corrected description +added dpd-hold scenario +added new features +fixed 64 bit issue +solved 64 bit issue by changing long to int +solved 64 bit issue in push/pop stroke interface +fixed 64 bit issue +some fixes for doxygen +better split up of library files "types.h" & "definitions.h" +centralized all printf specifier character definitions +reuse of arginfo handlers +more cleanups +fixed more AMD64 issues +added DEBUG_LEVEL compile flag to exclude DBGn() statements +added nodebug configure script without any debug messages and without -g +preparations to include certreqs in policy decisions +do not sent certreq payloads when the peer is known to use PSK +position of (myself) moved in log output +do not sent certreq payloads when using self-signed certs +moved (myself) in log output +moved typedefs to beginning of files to solve some include problems +splitted authenticator to have a separate implementation for each auth_method_t +using va_copy to clone va_lists, should fix proplems on AMD64 +some other cleanups +do not sanitize '*' character +fixed SIGSEGV when setup of an additional CHILD_SA fails +added IKEv2 clarifications RFC +changed debug level of certreq log output +cosmetics in debug output +support of certreq payload in IKE_AUTH messages +chunk_to_hex() function declaration deleted +added function certreq_payload_create_from_x509() +send a certreq as initiator if other_ca is set +added method get_ca_certificate() +added methods get_my_ca() and get_other_ca() +added methods get_my_ca() and get_other_ca() +added some missing 'AUD' entries +cosmetics +cosmetics +change due to change debug output +spaces should not be sanitized +fixed due to new logging concept +some improvements in signaling code +include only source NATD payloads really needed +updated for NAT team +improved signal handling and emitting +support of ModeCfg Push mode +support of mixed RSA/PSK static connections +support of ipsec statusall in state output +output of 'DPD active' in ISAKMP SAs +support of ipsec statusall in state output +added natip support +added has_natip flag +added ModeCfg push policy and states +added ModeCfg push policy and states +fixed typo in debug statement +redesigned list output format +added 'modeconfig=pull|push' and 'left|rightnatip' keywords +added has_natip flag +added has_natip flag +added 'exit' statement in listcerts,.. case +fixed two bugs in the time_t and chunk_ct print functions +redesigned format of print function +replaced 'times' by 'dates' +added private flag to asn1_init +added private flag to asn1_ctx_t +removed DES-EDE3-CBC only comment +removed deprecated iterator methods (has_next & current) +added iterator hook to manipulate iterator the clean way +linked list cleanups +added list methods invoke(), destroy_offset(), destroy_function() +simplified list destruction when destroying its items +added verbosity level to stroke +upgrade to new Gentoo root file system and tcpdump command +added +deleted +renamed ikev1 scenario and added ikev2 scenario +added new scenarios +Version bumps of UML kernel, Gentoo root file system and strongSwan release +code cleanups in printf handlers +added eap authentication draft for ikev2 +updated stroke to allow run-time manipulation of debug levels +added charondebug config parameter to set debug level at startup +introduced new logging subsystem using bus: + passive listeners can register on the bus + active listeners wait for signals actively + multiplexing allows multiple listeners to receive debug signals + a lot more... +updated file filter for kdev project +include CREDITS file in distribution +moved various scripts in scripts/ dir +add configure script wrappers +removed txt files from doxygen +removed module tests, outdated. We need something more system-test like +added missing -DDEBUG compile option +fixed auxillary message data parsing for IPV6 socket +using SOL_* constants for socket level +fixed IPV6_PKTINFO setsockopt() to work with most kernel headers +replaced strerror(errno) with %m printf specifier +added stronger certs for moon, carol, and dave +added IPv6 hw and multicast addresses +adapted to new tcpdump ipv6 output +multi-level-ca scenarios use unencrypted private key +added scenario +fixed timing +new gentoo root file system +fixed bug with openldap 2.3 +removed ipsec.conf version information +carolKey.pem is now protected by 3DES passphrase +updated net runlevel scripts +updated net init scripts +new net configuration format +HW addresses must be predefined +cosmetics +added USE_LIBCURL +cosmetics +found libraries are not appended to LIBS anymore +version bump to 4.0.5 +fixed DPD to survive IKE_SA rekeying +introduced printf() specifiers for: + host_t (%H) + identification_t (%D) + chunk pointers (%B) + memory pointer/length (%b) +added a signaling bus: + receives event and debug messages, sends them to its listeners + stream_logger, sys_logger, file_logger added, listen to bus +some other tweaks here and there +added often used RFCs and drafts +DES for private key encryption is not supported +updated NEWS and ChangeLog for 4.0.4 release +fixed retransmission policy for responder +fixed dpd for responder +added ID_ANY check to matches_binary() +replaced 'missing value' warning by zero length chunk_t value +defined maximum hash size +support of AES-192-CBC private key encryption +added hostaccess support +added hostaccess support +moved auth_method to policy +added hostaccess support +added hostaccess support +more consistent authentication logging +added hostaccess support +moved auth_method to policy +moved auth_method to policy +added hostaccess support; moved auth_method to policy +added hostaccess support +added hostaccess support +added new test scenarios +fixed some compiler warnings + + + strongswan-4.0.4 / R:1289 +=========================== + +fixed some compiler warnings +extended statusall output + added job/event-queue statistics + added allocation statistics when using LEAK_DETECTIVE +fixed include typo +public declaration of all HASH_SIZEs in hasher.h +support of encrypted private key files +added copyright notice to sha2_hasher +included SHA2 in build process +implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512 +added support for 3DES encryption algorithm in IKE +fixed the ids parsing bug +fixed the ids parsing bug +updated TODOs +fixed memleak +fixed proper handling of id parsing errors +proper return value when no PSK found +added HOST_ACCESS for firewall script as default +more debugging output for PSK authentication +some cleanups here and there +added auth_method field +added auth_method field +cosmetics +verify_emsa_pkcs1_signature returns status_t +cosmetics +added PSK support +enabled firewall support +proper error handling for socket creation +handle certificate parsing error more generous +fixed certificate verification bug! +fixed memleak when receiving invalid certificate +version bump to 4.0.4 +version bump to 4.0.4 +two new test scenarios +fixed path to images directory +implemented updown script to handle firewalling +add priority management for kernel policy +let ROUTED policies installed, until manuall removed +introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs +ike_sa_manager cleanups +implemented handling of dpdaction and dpddelay ipsec.conf parameters +reuse reqid when a ROUTED child_sa gets INSTALLED +fixed a bug in retransmission code +added support for the "keyingtries" ipsec.conf parameter +added support for the "dpddelay" ipsec.conf parameter +done some work for "dpdaction" behavior +some other cleanups and fixes +fixed a at-least-one-year-old bug which caused crashed in the scheduler +added raw socket filter for IPv6 +implemented NAT detection for IPv6 +removed unneeded constructor +initial support for IPv6 (more testing needed) + socket works (without v6 filter) + traffic selector handle IPv4/v4 cleanly + improvements in traffic selector code + kernel interface accepts v6 traffic selectors and hosts + host_t class has full IPv6 support +added stddef.h include for compilers which do not support the offsetof() directive +moved interface enumeration code to socket, where it belongs +query interfaces every time we need it to respect changes in network config +added address listing on startup and "ipsec statusall" +version bump of UML kernel to 2.6.17.11 +fixed crash bug when doing "ipsec down" with an unknown connection +added name property in CHILD_SA, allows proper status output +fixed bug which prevented port float when nat is detected +version bumps +'sha' and 'sha1' are now treated as synonyms +updated Changelog and other docs + + + strongswan-4.0.3 / R:1235 +=========================== + +fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD) +implement proper handling of most simultaneous IKE_SA rekeying cases +version bump to 4.0.3 +implemented proper refcounting using atomic operations +implemented IKE_SA rekeying + uses ikelifetime, rekeymargin and rekeyfuzz config settings + no handling of simultaneus exchanges yet! +added possibility to route CHILD_SAs, without to set them up + support for auto=route parameter + support for ipsec route and ipsec unroute + initiating of CHILD and/or IKE_SAs based on kernel acquires +reuse an existing IKE_SA to set up additional CHILD_SAs +introduced refcounting on policy and connections + aren't stored in the IKE_SA anymore, they are queried on the fly + are immutable now, allows it to share them +policy selection based on traffic selectors, leads to valid lookup results + rekeying queries the policy based on its traffic selectors +cleanups in kernel interface code +added proper traffic selector to string conversion +some cleanups here & there +X.509 certificate trust path verification +added +fixed UDP decapsulation by adding inbound bypass policy for send socket +updated mixed tests to new charon output +corrected DPD entry +reenabled module tests for charon +fixed bug which erroneously detected KE payload when rekeying +added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT +improved logging on verify errors for some payloads +enforcing IKE_SA shutdown, even when transactions are outstanding +proper reject of CREATE_CHILD_SA message with KE payload +added test cases from NAT team +updated all IKEv2 tests to work with new status output +added tcpdumpcount function from NATT guys +added possibility to mount the strongswan tree into all UMLs +added script for installing from shared tree in all UMLs +added script to shut down all UMLs properly +removed in favour of tests from NAT team +fixed CREATE_CHILD_SA transaction dispatching +added CHILD_SA states, which allows us to detect further simultaneous transactions +reimplemented the buggy message id handling +updated some inline docs +fixed crypter/signer in/out to conform with standard +fixed payload order +added message id logging +added all currently known notify payload types +added policy cache to kernel interface + allows refcounting of multiple installed policies + finally brings us stable simultaneous rekeying +leak detective blanks memory on free & alloc, allows further membug detection +code cleanups +identification_t.matches() supports multiple wildcard counts +identification_t.matches() supports multiple wildcard counts +further work done for simultaneous rekeying/delete + still some cases which cause trouble +fixed compiler warnings in parser when using -O2 +reenabled check_expiry +updated copyright information +reimplemented CHILD_SA rekeying & delete + no simultanous transaction with CHILD_SAs yet! +removed NAT_TRAVERSAL and VIRTUAL_IP compile options +removed NAT_TRAVERSAL compile option +removed NAT_TRAVERSAL and VIRTUAL_IP compile options +added +updated NEWS +added support for leftprotoport and rightprotoport +improved CHILD_SA output for "ipsec statusall" +updated whitelist (getprotobynumber) +redesigned IKE_SA using a transaction mechanism: + removed old state machine + reimplemented IKE_SA setup and delete + implemented dead peer detection + implemented keep-alives + a lot of fixes + no rekeying yet +fixed compiler warnings +made thread ids unsigned again, to avoid negative thread ids on some systems +fixed memleak when initiating a connection already up +updated leak detective whitelist +applied latest NATT patch with some fixes and cleanups +test currently without firewall +added +added +added +removed +removed version information from ipsec.conf +log entries start with lowcercase character +restored lost IKEv2 packet suppression +added USE_LEAK_DETECTIVE option +fixed natd_hash memory leak +tests with subdirectory structure +removed tests +introduced subdirectory structure +support of cert payloads +lowercase log entries +distributed by ITA +added support of updown parameter +generation of default key +cosmetics +added support of updown parameter +version bump to 4.0.2 +added X.509 trust chain verification +version bump to 4.0.2 +ESP packet size changed +fixed bad_proposal_syntax bug +updated ingorelist for stroke_keywords.c +applied new changes from NATT team + DPD only done when no IPsec and IKE traffic processed + minor changes here and there +some message code cleanups +fixed identification_t clone to apply function pointers +cleaner error handling on UDP encapsultion sockopt failure +added mysterious UDP encapsulation socket option to get encapsulation working +fixed BAD_PROPOSAL_SYNTAX vulnerability +first merge of NATT code +fixed testing build +updated for 4.0.1 release +updated news for 4.0.1 release +fixed whitelist detection + + + strongswan-4.0.1 / R:1144 +=========================== + +fixed whitelist detection +reworked function ignore mechanism to not-report whitelist + rather than overriding functions +fixed execv call args to work when using strictcrl and syslog +fixed bug: usage of already freed mem +readded local_credential_store +added sendcert policy to connection +some other cleanups +implemented rereadcrls rereadcacerts +implemented rereadcrls rereadcacerts +implemented rereadcrls rereadcacerts +removed local_credential_store +fixed SPI when acting as initiator of rekeying +fixed SPI when rekeying and deleting CHILD_SAs +change key derivation order to fullfill RFC +added crl support +added listcrls +added chunk_equals_or_null() +added crl support +changed tabs from 8 to 4 spaces +added crl support +cosmetics +cosmetics (space) +fixed compilation error +updated for release +fixed aes code, we support now aes128, aes192, aes256 in IKE +added support for "ike" and "esp" keywords +fixed bugs in proposal code +algorithm selection for charon works now with ipsec.conf +a lot of other fixes +implemented clean spi allocation behavior when using multiple proposals +fixed logleve(l) keyword typo +handling of "rekey=no" parameter added +changed default algorithms to: + ike: aes128-sha-modp2048 + esp: aes128-sha1, 3des-md5 +added default CRL directory path +added strictcrlpolicy command line argument +added option parsing +added local CRLs +added rekeying parameters +corrected some descriptions +moved RSA key size constraints to definitions.h +fixed down keyword +debug and logging improvements +support for stroke listcerts|listcacerts|listcrls|listall +support for stroke listcerts|listcacerts|listall and left|rightca= +gperf creates optimum hash table for stroke keywords +using same reqid if a child sa rekeys an existing one +NULL string argument is treated as %any +add_certificate() now returns pointer to added cert +cosmetics +single tests now start up faster +workaround for peers rekeying at the same time +loading lifetime policies from ipsec.conf +old child_sa gets deleted after rekeying +rekeying almost complete, but: + IKE_SA get in an invalid state when both initiate rekeying at the same time, +corrected type +improved kernel interface logging +fixed clone/destroy behavior when not using CAs +specifying keysize in bits, as it is required in IKEv2 +added generic kernel SA algorithm handling, which brings us: + aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs +added support for leftsendcert= and left|rightca= parameters +discard cert if CA basic constraints flag is not set and warn if cert is not valide +added public methods is_ca() and is_valid() +changed ASN.1 CONTROL log output to LEVEL2 +cosmetics +removed unused Makefile +stroke.h requires libstrongswan/types.h +fixed compile warnings when using -Wall +further CHILD_SA rekeying work done: + creation of a new CHILD_SA on a expire from a kernel works + delete of old CHILD_SA still missing + some issues when both initiate rekeing +updated INSTALL to conform with autotools +added a short HACKING introduction +further work for rekeying: + get liftimes from policy + added new state + initiation of rekeying done +proposal redone: + removed support for AH+ESP proposals +proper leak detective hook for realloc +excluded pthread_setspecific from leak detective +fixed a memleak +cosmetics +ipv6-host2host scenario added +created IPv6 environment +job management: + moved job code from thread_pool to job, jobs have an "execute" method now + added two new jobs: delete_child_sa & rekey_child_sa +kernel interface: + listens now for ACQUIRE & EXPIRE + supports hard and soft lifetimes + fires jobs for delete and rekey child sa +ike sa manager: + can checkout IKE SAs by requid of owned CHILD SAs +we have now the infrastructure to do the rekeying... :-) +fixed some memleaks/freebugs +leak detective works almost usable now (?!) +added host2host test for ikev2 +fixed host-host tunnel traffic selection, host-host works now +bug fixed circumventing an assertion in delete_connection when ikev1 is not set +minimized prefixed on stroke logger output +charon outputs strongSwan version +tests with subjectAltNames now +fixed event queue for events >36min +included charons module tests to build & dist +full support of ikev1 and ikev2 connection flags +cosmetics in log_status output +use of streq +added testing files to dist + required the use of the "ustar" format to support + filenames longer than 99 chars +lookup of private key based on keyid of public key +new functions to add certificates and retrieve private and public keys +changed log level +list ca certificates +computation of SHA-1 hash over publicKeyInfo object +moved abbreviated thread_id in front of brackets +added has_key parameter to log_certificates() +log_certificates() now shows keyid and availability of matching private key +indented loaded file log entry +moved TIMETOA_BUF definition to types.h +moved TIMETOA_BUF definition from asn1.h +define default CA_CERTIFICATE_DIR +load all ca certificates +fixed daemon destruction order to prevent + crashes on termination +fixed memleak when deleting a connection +updated todo list +policies contain a connections name now + used for initiate and delete +connections won't get initiated twice anymore +deleting of connections is now possible, which allows us to use + ipsec update and ipsec reload +changed iterator->remove behavior +ipsec up|down|route|delete require a connection name +stroke now uses constant size string buffer +changed to standard connection log output +reworked parsing and matching of subjectAltNames +added memeq() macro +moved timetoa() from asn1.c to types.c +corrected type +some logging improvements and cosmetics +handle IKE_SA setup without a piggy-packed CHILD_SA + more IKEv2 conform +initiate IKE_SA deletion befor manager destruction +improved code of chunk_equals +added streq() macro and defined default BUF_LEN +typo +build gets perl and gperf from configure now +moved built sources to maintainer-clean +show connection templates in status & statusall +don't complain on termination of IKEv1 connections +updated ipsec.conf manual to reflect actual state of + keyexchange-parameter +using hubs instead of switches, which allows us + to sniff the traffic from the host system. +changed config load strategy: + starter loads both connections in charon & pluto, + charon ignores anything with keyexchange!=ikev2. + pluto needs the same behavior. + changed build order to fix build error after distclean +load_end_certificate() now loads certificates +cosmetics +moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber +moved definition of generalNames_t to identification.h +corrrected description +reimplemented proper IKE SA deletion using a seperate state, + should conform now to IKEv2 +fixed build when using --enable-leak-detective +added removed files to svn:ignore +fixed bug in pluto/Makefile.am +removed perl-generated oid.c/h from svn, + added them to "dist" and "distclean" +removed lex, yacc and gperf output from svn, + added them to "dist" and "distclean" +storing release revision in svn property "release-revision", because I forget it all the times +fixed ignorelist, should work now +added ingorelist for builded files +re-added doxygen apidoc, buildable with "make apidoc" +added missing ipsec.conf.5 to distribution :-/ +fixed another typo +added missing ipsec.conf ipsec.conf.5 +existing ipsec.conf won't get overwritten anymore +fixed typo in Makefile which corrupted the build +applied patch from the NAT-T team fixing several typos +applied patch from andreas, which allows certificate listing via stroke +added ipsec.conf template and man page back +removed old Makefiles +added new strongswan KDevelop project & startup hack +fixed Revision in changelog fo 4.0.0 +started ChangeLog +simple script for ChangeLog update via "svn log" +fixed compliation error using --enable-smartcard +added test for ikev1-ikev2 mixed mode +added test ikev2 roadwarrior scenario +applied andreas's patch + logger output improvements + testin gupdates + and a lot more +updated testsuite to autotools +added random source ./configure options +fixed default-pkcs11 option +testcommit +fixed errors when --enable-pkcs11 +added autogen script +introduced autotools + first working version + make dist should work + things to do: + UML testing! + more cleanups +fixed build +started to rebuild source layout +fixed stroke error output to starter +using random SPIs now, but without collision checks +applied some -W's from strongswan +fixed that warnings +removed IKEV2 ifdefs +applied patch from andreas + added charonstart option to config + new ikev2 tests for UML + + strongSwan-4.0.0 / R:967 +========================== + +removed IKEV2 ifdefs +applied patch from andreas + added charonstart option to config + new ikev2 tests for UML +applied patch from andreas + pem loading + secrets file parsing + ikev2 testcase + some other additions here and there +connection termination is handled cleanly by name now +fixed bad bug, certs load now cleanly again +fixed make install (subdir order) +fixed include path +added missing script +finished initial import of strongswan file tree +removed a lot of old and unused stuff +moved RFCs from ikev2 into doc dir +added missing files for starter +applied patch for charon (this time really) +import of strongswan-2.7.0 +applied patch for charon +renamed get_block_size of hasher +reworked usage of IDs in various states +using ID_ANY for any, not NULL as before +initiator sends IDr payload in IKE_AUTH when ID unique +fixed charon checks +using status & statusall +patch for 2.7.0 +add connection names to connections +stroke status / ipsec status shows them +added statusall for stroke +added status by connection name +some tests repaired, more to come +fixed spi conversion +improved "stroke status" output +setup PID file after daemon initilization, to correctly inform + starter about daemon startup +added separate implementation for connection_store, credential_store, policy_store +added folder structure to config +credentials are fetched solely on IDs now +identification_t supports now almost all id types +x509 certificates work with identification_t now +fixes here, fixes there +fixed doxygen build +seperates now in lib and charon +library initialization done at a central point (library.c) +some leak_detective fixes +updated Todos +fixed log-to-syslog behavior +added patch against strongswan-2.6.4 +x509 certificate loading with pluto asn1 code +x509 needs a lot more attention! +renamed some files +using asn1 pluto stuff now +removed, since we use pluto asn1 stuff +leak detective is usable, but does not show static function names + a script which gets address via ldd and resolves address via addr2line would be nice +fixed a leak in child_sa with new detective ;-) +some improvements to new asn1 stuff +to be continued +fixed bad bugs in kernel interface +added some logging info +works now much more stable +startet importing pluto ASN1 stuff +der PKCS#1 key loading works (as it did with der_decoder) +split up in libstrong, charon, stroke, testing done +new leak detective with malloc hook in library + useable, but needs improvements +logger_manager has now a single instance per library + allows use of loggers from any linking prog +a LOT of other things +../svn-commit.tmp +added misssing stroke.h +improved strokeing + down connection + status +some other tweaks +rewrote a lot of RSA stuff +done major work for ASN1/decoder +allow loading of ASN1 der encoded private keys, public keys and certificates +extracting public key from certificates +passing certificates from stroke to charon +=> basic authentication with RSA certificates works! +starter work on asn1 with der de/encoder +RSA private and public key can load read key from ASN1 DER +some other fixes here and there +rewrite of logger_manager, uses now one instance per context +cleanups for logger here and there +removed critical flag check in payload verification (conformance to IKEv2) +so thats and theres everywere... ;-) +patch for strongswan-2.6.3 +added charon support for strongswan build process +ipsec starter supports charon startup and control +removed old diploma thesis scripts +some cleanups +compatibility to strongswan, Makefile can be called by "make programs" + and "make install" (ikev2 patch must be applied to strongswan) +first version of stroke control utility +moved output to doc/api, since doc is used for other docs now +some first documentation in english +removed old eclipse project files +works quite well now with ipsec.conf & ipsec starter +belongs to previous commit ;-) +reworked configuration framework completly +configuration is now split up in: connections, policies, credentials and daemon config +further alloc/free fixes needed! +first attempt for connection loading and starting via "stroke" +some improvements here and there +configuration_manager replaced by configuration_t interface +current configuration_manager is now static_configuration (testing) +first draft of starter_configuration, which should once interact with ipsec starter (via whack?) +some cleanups +socket_t uses RAW socket, which allows parallel service of pluto/charon +comments and cleanups +working policy installation and removal +fixed policy setup bug +proposal setup implementation begun +fixed socket code, so we know on which address we receive traffic +AH/ESP setup in kernel is working now!!! :-))) +installing of child sa works +need correct IP adresses to actually use IPsec +new RFCs of IKEv2, IKEv2 algs and IPSec arch added +update of IKEv2 clarification document +refactored ike proposal +uses now proposal_t, wich is also used by child proposals +ike key derivation refactored +crypter_t api has get_key_size now +some other improvements here and there +config uses uml hosts alice and bob +key derivation for child_sa works +some fixes here and there +fixed memleaks +works with new proposal code +still some(!) memleaks +fixed alot of bugs in child_proposal +near to working state ;-) +dead end implementation + +... there is a lot more of it, but nothing of interest |