path: root/ChangeLog
author    Rene Mayrhofer <rene@mayrhofer.eu.org>  2008-12-05 16:15:54 +0000
committer Rene Mayrhofer <rene@mayrhofer.eu.org>  2008-12-05 16:15:54 +0000
commit    c7f1b0530b85bc7654e68992f25ed8ced5d0a80d (patch)
tree      861798cd7da646014ed6919766b053099646710d /ChangeLog
parent    8b80ab5a6950ce6515f477624794defd7531642a (diff)
download  vyos-strongswan-c7f1b0530b85bc7654e68992f25ed8ced5d0a80d.tar.gz
          vyos-strongswan-c7f1b0530b85bc7654e68992f25ed8ced5d0a80d.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.2.9)
Diffstat (limited to 'ChangeLog')
-rw-r--r--  ChangeLog  1082
1 files changed, 3 insertions, 1079 deletions
diff --git a/ChangeLog b/ChangeLog
index f52898a8e..41f530506 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,1079 +1,3 @@
- strongswan-4.1.0 / R:2552
-===========================
-
-fixed nat detection bug
-OCSP support
-updated NEWS, TODO and man page
-respecting "keyingtries" parameter on IKE_SA setup
-cleanups
-fixed reset()
-not installing a route when policy gets updated
-renamed keyingtries attribute
-adjusted loglevels
-delay OCSP response by 5 seconds
-always update reqid on policy install, fixes dpdaction=hold issue
-EAP-SIM cleanups
-fixed CHILD_SA rekeying/delete bug on 64bit machines
-removed obsolete methods in delete_payload
-Shortened distribution string
-Shortened distribution string
-shortened distribution string
-add daemon.log to web page
-remove /etc/resolv.conf
-version bump to 4.1.0
-added apache2/ocsp log directory to winnetou
-removed killall openssl
-removed killall openssl
-deleted
-deleted
-create apach2/ocsp/ logging directory on winnetou
-do not check for type of dpd action any more
-create /var/log/apache2/ocsp on winnetou
-added
-added
-added
-delete virtual IP addresses after use
-deleted
-added
-fixed case of missing subjectKeyID
-corrected typo
-version bump to 4.1.0
-added
-use CURLOPT_NOSIGNAL
-added --with-sim-reader option to configure script
-some cleanups in eap_sim
-removed dublicated code in eap_authenticator
-log reception of trusted signer certificate
-version bump to 4.1.0
-deleted
-added
-changed OCSPSigner to OCSPSigning
-fixed carry bug in FIPS prf
-user standard cert
-deleted
-deleted
-added
-added
-modified description.txt and evaltest.dat
-version number selection fix
-some cleanups
-cleaned up and fixed DPD handling code
-removed cfg-payload dns test code
-added
-added
-version bump to strongswan-4.1.0 and linux-2.6.20.3
-cosmetics
-increased control debugging output
-added EAP-SIM authentication
- client side only
- uses an external SIM reader library specified with SIM_READER_LIB
- untested
-not detaching from bus when IKE_SA_INIT is retried
-added AES-192/256 proposals to IKE
-added generic EAP_IDENTITY client implementation using peers IKEv2 ID
-fixed compilation warnings and errors when not using curl
-results from the single responses is stored in the corresponding certinfo_t structs
-moved credential_store.h from charon/config/credentials to libstrongswan
-last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA
-fixed memory leak by calling curl_slist_free_all(headers)
-fixed memory leak by calling curl_slist_free_all(headers)
-whitelisting static Curl_getaddrinfo() memory leak
-fixed a certinfo_t memory leak in verify()
-fixed a memory leak in response_t
-ocsp signer certificate and ocsp response signature can be verified
-fixed memleaks when using EAP authentication
-fixed configuration payloads when using EAP
-fixed payload order (again)
-including peers certificate when his certreq is empty
-implemented cookies as initiator
-proper logging of notifies in IKE_SA setup
-disabling routing for IPv6, does not work correctly
-fixed call of add_auth_certificate()
-generalized get_ca_certificate() to get_auth_certificate(auth_flags)
-added fetcher_finalize() to clean up libcurl
-some cleanups
-not installing %any DNS servers
-support of setting and getting authority flags
-support if ocsp signing certificates
-support if ocsp signing certificates
-fixed payload order in IKE_AUTH
-removed SHA2 kernel proposals from default, the kernel doesn't support them yet
-allocation fixes, not complete
-handling "No policy found" properly
-added more debugging output for policy lookup
-returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE
-fixed CHILD_SA creation within existing IKE_SA
-added ocsp_parse_single_response
-ported changes from EAP branch, renabling EAP framework
-added (not yet supported) sha2 algorithms to kernel
-only adding a route if using tunnel mode
-added SHA2 MAC and PRF to default proposal
-added more debug output
-experimental SHA2 HMAC and PRF implementations
-parsing basic ocsp response
-forgot to assign public.is_ocsp_signer() method
-added parsing level to x509_create_from_chunk()
-added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method
-http post fetching using libcurl implemented
-added fetcher.h and fetcher.c
-added
-corrected @ingroup to utils
-corrected comment
-start ocsp checking only if there are any ocspuris present
-conntrack -F is used to flush the NAT states
-the hostaccess=yes parameters are not needed anymore
-use conntrack -F to flush NAT states
-replaced actual virtual IP addresses by symbolic ones
-removed unnecessary double quotes
-nonce in ocsp_t was not properly initialized
-ocsp request is now fully built but without requestor signature
-starting to build ocsp request
-prevent from initiating multiple exchanges the same time
-updated apidoc documentation
-fixed notify handling in IKE_AUTH
-moved nonce payload before TS in CHILD_SA setup
-moved REKEY_SA notify to the beginning of the message
-fixed traffic selector redundancy removal code (not completely tested)
-add crl and ocsp uris to linked list after partial verification
-added print hook for certinfo_t printing
-fixed typo
-sending an SPI of 0 as responder when IKE_SA_INIT fails
-iterate certinfos linked list for matching serialNumber
-some cleanups
-not assigning %any virtual IPs to peer anymore
-fixed double free bug
-added
-fixed ID selection bug when peer doesn't include IDr payload
-allowing vendor ID in any messag
-moved listing of crls to local_credential_store and ca
-refactored ca_info_t
-refactored ca_info_t
-fixed netlink socket receiver code
-implemented interface enumeration code with netlink: no getifaddrs reqired anymore
-refactored kernel interface, works reliable again
-implemented get_iface() using RTM_GETADDR
-added support for multi-header netlink messages
-really ugly now, need a lot of refactoring
-added debuggin for interface lookup
-fixed address lookup when !using getifaddrs()
-added firewalling support when using virtual IPs
-added support for 0.0.0.0/0 traffic selectors
-fixed routing to make correct 0.0.0.0/0 routes
-config-payload scenario fixes
-preparations for PLUTO_MY_SOURCEIP
-corrected typo
-added cert with OCSP access info
-dpd now takes 180 s and 5 retransmits
-changed grep to creating aquire job for CHILD SA
-replaced actual virtual IPs by place holders
-virtual-ip scenario has been replaces by config-payload scenario
-added
-added
-added ocsp.h and ocsp.c
-added
-r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines
-virtual ip uml test
-fixed reauthentication when connections other is %any
-merged tasking branch into trunk
-fixed big endian bug in md5 hasher
-cosmetics
-added once flag to certinfo_t
-cosmetics
-added certinfos linked list
-changed ca info to ca
-support of ca info sections
-added support of OCSP accessLocations
-correct interface definition
-added support of OCSP accessLocations
-full support of ca info records
-added the create_crluri_iterator method
-replace ca is realized as del_ca followed by add_ca
-last CA keyword is KW_OCSPURI2
-full support of ca info records
-full support of ca info records
-alphabetically sorting print commands
-listing ca_info items
-replace printf.h by stdio.h
-addin get_keyid() method
-support of ca info records
-support of ca info records
-version bump to 4.0.8
-support of ca info records
-support of ca info records
-typo
-SHA512-HMAC bug fix and hash function self-test support
-SHA512-HMAC bug fix and hash function self-test support
-handle strong SHA-2 signatures in X.509 certificates
-SHA-2 fixes and add-ons
-version bumps
-remove strong certs and keys after test
-added
-using "left" as my host per default, swapping to "right" when needed
-respecting source address when sending packets
-added PRINT_CAINFO hook
-stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp
-enable IP forwarding
-prepared support of ca information records and ocsp functionality
-added support of ca information records and ocsp keywords
-enabled adding and deleting ca information records
-fixed starter crash due to freeing default IPSEC_EAPDIR string
-add --eapdir option only if defined in ipsec.conf
-removed eap aka module due nda
-merged EAP framework from branch into trunk
-includes a lot of other modifications
-%T requires time_t ptr
-removed my time_t printf handler patch, applied the one of andreas (64bit save)
-fixed printf() hooks for time
-added support for NULL encryption in ESP
-be more liberal in accepting notifies with a protocol id
-include NO_EXT_SEQUENCE_NUMBER in default proposal
-output peer id if RSA public key is not found
-fixed typo
-version bump to 4.0.8
-added address listing without getifaddrs for uclibc (only IPv4 yet)
-added threads to support multiple simultaneous stroke requests
-renamed all static clone() functions to avoid naming conflicts with uclibc
-sending proper signal to the bus when detecting a dead peer
-added configuration of XAUTH and ModeConfig push mode
-version bump
-version bump
-Cisco XAUTH interoperability
-XAUTH interoperability with Cisco
-removed IPSECPOLICY compile option
-unload xauth_module only if XAUTH_DEFAULT_LIB is defined
-loading the XAUTH module requires libdl
-added some more attributes, inst XAUTH_TYPE in reply
-Mode Config refactoring
-XAUTH fixes and Cisco Unity support
-log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings
-added Cisco Unity ModeCfg attributes
-version bump to 4.0.7
-fixed 64 bit issue with print time
-fixed XAUTHResp bug
-included xauth.h
-use uml_mconsole to check end of booting process
-name the created CHILD_SA
-doubled PAYLIMIT to 40 payloads
-version bump
-show rekeying|reauthentication time
-show name of created CHILD_SA
-combined use_in and use_fwd
-corrected typo
-cosmetics
-cosmetics
-fixed an enumeration error, added CISCO_IOS VID
-fixed mismatch in interface definition of get_secret()
-forward declaration of struct state not needed
-cosmetics
-added firewall support to scenario
-updated changelog for 4.0.6
-fixed crash when CA for certrequest not found
-fixed build when !using smartcard
-removed unused debugging code
-updated NEWS for 4.0.6
-
-
- strongswan-4.0.6 / R:2131
-===========================
-
-updated NEWS for 4.0.6
-readded tranport mode test using new status output
-removed dublicated host2host-transport test
-fixed reauthentication when using %any hosts
-support for transport in create_child_sa
-include TRANSPORT/TUNNEL information in statusall
-load xauth module via dlopen()
-define path to xauth module
-added host2host-transport scenario
-removed trailing lines
-added XAUTH support
-fixed typo
-added XAUTH server and client support
-load and unload XAUTH module
-added xauth.h and xauth.c
-added enable-cisco-quirks configure option
-added xauth scenarios
-added config option for BEET mode
-fixed reuathentication when connections other host is %any
-fixed host conversion length check
-negated POLICY_REAUTH to POLICY_DONT_REAUTH
-negated POLICY_REAUTH to POLICY_DONT_REAUTH
-enable XAUTH_VID by default
-added support for transport mode and (experimental!) BEET mode
-support for the type=transport/tunnel parameter in charon
-fixed charset & cleanups
-added XAUTH server and client support
-additional parentheses for same_chunk() macro
-renamed to appear in doxygen build
-added a roadmap of the strongSwan project (TODO)
-added some NEWS
-first try to update ipsec.conf manual
-implemented reauthentication using the new reauth=yes|no parameter
-fixed more uClibc issues
-should compile against a uClibc > 0.9.28 (untested)
-added XAUTH client states
-version bump to 4.0.6
-fixed stddef.h include
-fixed encoding rules string
-updated todo
-fixed some byte-order issues
-fixed HAVE_BACKTRACE checks
-starter Makefile now uses proper $(COMPILE) to build pluto objects
-made backtrace() calls optional to support uClibc
-XAUTH support
-XAUTH support
-fixed bug in ifdef CISCO_QUIRKS
-added XAUTH support
-support of Cisco Unity VID
-added new VIDs
-version bump to 4.0.6
-fixed case with wildcard peer ID and static peer address
-added simple script to port trunk changes into branches
-start kdevelop with project file from actual branch
-updated changelog
-fixed typos
-
-
- strongswan-4.0.5 / R:1447
-===========================
-
-fixed typos
-improved selection of ipsec status|statusall <name>
-fixed NEWS (runtime debug level options)
-fixed credits
-fixed very old bug in linked_list's remove_first and remove_last
-proper "ipsec up" signal handling when initiating to %any
-removed iterator hook for replace
-fixed output of proto/port selectors
-cosmetics
-due to console logging, no need for final sleep anymore
-adapted checks to changed ipsec status output
-due to narrowing no need for rightsubnetwithin
-no need to send certreq
-fixed ipsec status|statusall <name>
-log IKE SPIs on a separate line
-redesigned formatting of ipsec status|statusall
-cosmetics
-version bumps of strongSwan, Linux kernel and Gentoo root file system
-corrected description
-added dpd-hold scenario
-added new features
-fixed 64 bit issue
-solved 64 bit issue by changing long to int
-solved 64 bit issue in push/pop stroke interface
-fixed 64 bit issue
-some fixes for doxygen
-better split up of library files "types.h" & "definitions.h"
-centralized all printf specifier character definitions
-reuse of arginfo handlers
-more cleanups
-fixed more AMD64 issues
-added DEBUG_LEVEL compile flag to exclude DBGn() statements
-added nodebug configure script without any debug messages and without -g
-preparations to include certreqs in policy decisions
-do not sent certreq payloads when the peer is known to use PSK
-position of (myself) moved in log output
-do not sent certreq payloads when using self-signed certs
-moved (myself) in log output
-moved typedefs to beginning of files to solve some include problems
-splitted authenticator to have a separate implementation for each auth_method_t
-using va_copy to clone va_lists, should fix proplems on AMD64
-some other cleanups
-do not sanitize '*' character
-fixed SIGSEGV when setup of an additional CHILD_SA fails
-added IKEv2 clarifications RFC
-changed debug level of certreq log output
-cosmetics in debug output
-support of certreq payload in IKE_AUTH messages
-chunk_to_hex() function declaration deleted
-added function certreq_payload_create_from_x509()
-send a certreq as initiator if other_ca is set
-added method get_ca_certificate()
-added methods get_my_ca() and get_other_ca()
-added methods get_my_ca() and get_other_ca()
-added some missing 'AUD' entries
-cosmetics
-cosmetics
-change due to change debug output
-spaces should not be sanitized
-fixed due to new logging concept
-some improvements in signaling code
-include only source NATD payloads really needed
-updated for NAT team
-improved signal handling and emitting
-support of ModeCfg Push mode
-support of mixed RSA/PSK static connections
-support of ipsec statusall in state output
-output of 'DPD active' in ISAKMP SAs
-support of ipsec statusall in state output
-added natip support
-added has_natip flag
-added ModeCfg push policy and states
-added ModeCfg push policy and states
-fixed typo in debug statement
-redesigned list output format
-added 'modeconfig=pull|push' and 'left|rightnatip' keywords
-added has_natip flag
-added has_natip flag
-added 'exit' statement in listcerts,.. case
-fixed two bugs in the time_t and chunk_ct print functions
-redesigned format of print function
-replaced 'times' by 'dates'
-added private flag to asn1_init
-added private flag to asn1_ctx_t
-removed DES-EDE3-CBC only comment
-removed deprecated iterator methods (has_next & current)
-added iterator hook to manipulate iterator the clean way
-linked list cleanups
-added list methods invoke(), destroy_offset(), destroy_function()
-simplified list destruction when destroying its items
-added verbosity level to stroke
-upgrade to new Gentoo root file system and tcpdump command
-added
-deleted
-renamed ikev1 scenario and added ikev2 scenario
-added new scenarios
-Version bumps of UML kernel, Gentoo root file system and strongSwan release
-code cleanups in printf handlers
-added eap authentication draft for ikev2
-updated stroke to allow run-time manipulation of debug levels
-added charondebug config parameter to set debug level at startup
-introduced new logging subsystem using bus:
- passive listeners can register on the bus
- active listeners wait for signals actively
- multiplexing allows multiple listeners to receive debug signals
- a lot more...
-updated file filter for kdev project
-include CREDITS file in distribution
-moved various scripts in scripts/ dir
-add configure script wrappers
-removed txt files from doxygen
-removed module tests, outdated. We need something more system-test like
-added missing -DDEBUG compile option
-fixed auxillary message data parsing for IPV6 socket
-using SOL_* constants for socket level
-fixed IPV6_PKTINFO setsockopt() to work with most kernel headers
-replaced strerror(errno) with %m printf specifier
-added stronger certs for moon, carol, and dave
-added IPv6 hw and multicast addresses
-adapted to new tcpdump ipv6 output
-multi-level-ca scenarios use unencrypted private key
-added scenario
-fixed timing
-new gentoo root file system
-fixed bug with openldap 2.3
-removed ipsec.conf version information
-carolKey.pem is now protected by 3DES passphrase
-updated net runlevel scripts
-updated net init scripts
-new net configuration format
-HW addresses must be predefined
-cosmetics
-added USE_LIBCURL
-cosmetics
-found libraries are not appended to LIBS anymore
-version bump to 4.0.5
-fixed DPD to survive IKE_SA rekeying
-introduced printf() specifiers for:
- host_t (%H)
- identification_t (%D)
- chunk pointers (%B)
- memory pointer/length (%b)
-added a signaling bus:
- receives event and debug messages, sends them to its listeners
- stream_logger, sys_logger, file_logger added, listen to bus
-some other tweaks here and there
-added often used RFCs and drafts
-DES for private key encryption is not supported
-updated NEWS and ChangeLog for 4.0.4 release
-fixed retransmission policy for responder
-fixed dpd for responder
-added ID_ANY check to matches_binary()
-replaced 'missing value' warning by zero length chunk_t value
-defined maximum hash size
-support of AES-192-CBC private key encryption
-added hostaccess support
-added hostaccess support
-moved auth_method to policy
-added hostaccess support
-added hostaccess support
-more consistent authentication logging
-added hostaccess support
-moved auth_method to policy
-moved auth_method to policy
-added hostaccess support; moved auth_method to policy
-added hostaccess support
-added hostaccess support
-added new test scenarios
-fixed some compiler warnings
-
-
- strongswan-4.0.4 / R:1289
-===========================
-
-fixed some compiler warnings
-extended statusall output
- added job/event-queue statistics
- added allocation statistics when using LEAK_DETECTIVE
-fixed include typo
-public declaration of all HASH_SIZEs in hasher.h
-support of encrypted private key files
-added copyright notice to sha2_hasher
-included SHA2 in build process
-implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512
-added support for 3DES encryption algorithm in IKE
-fixed the ids parsing bug
-fixed the ids parsing bug
-updated TODOs
-fixed memleak
-fixed proper handling of id parsing errors
-proper return value when no PSK found
-added HOST_ACCESS for firewall script as default
-more debugging output for PSK authentication
-some cleanups here and there
-added auth_method field
-added auth_method field
-cosmetics
-verify_emsa_pkcs1_signature returns status_t
-cosmetics
-added PSK support
-enabled firewall support
-proper error handling for socket creation
-handle certificate parsing error more generous
-fixed certificate verification bug!
-fixed memleak when receiving invalid certificate
-version bump to 4.0.4
-version bump to 4.0.4
-two new test scenarios
-fixed path to images directory
-implemented updown script to handle firewalling
-add priority management for kernel policy
-let ROUTED policies installed, until manuall removed
-introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
-ike_sa_manager cleanups
-implemented handling of dpdaction and dpddelay ipsec.conf parameters
-reuse reqid when a ROUTED child_sa gets INSTALLED
-fixed a bug in retransmission code
-added support for the "keyingtries" ipsec.conf parameter
-added support for the "dpddelay" ipsec.conf parameter
-done some work for "dpdaction" behavior
-some other cleanups and fixes
-fixed a at-least-one-year-old bug which caused crashed in the scheduler
-added raw socket filter for IPv6
-implemented NAT detection for IPv6
-removed unneeded constructor
-initial support for IPv6 (more testing needed)
- socket works (without v6 filter)
- traffic selector handle IPv4/v4 cleanly
- improvements in traffic selector code
- kernel interface accepts v6 traffic selectors and hosts
- host_t class has full IPv6 support
-added stddef.h include for compilers which do not support the offsetof() directive
-moved interface enumeration code to socket, where it belongs
-query interfaces every time we need it to respect changes in network config
-added address listing on startup and "ipsec statusall"
-version bump of UML kernel to 2.6.17.11
-fixed crash bug when doing "ipsec down" with an unknown connection
-added name property in CHILD_SA, allows proper status output
-fixed bug which prevented port float when nat is detected
-version bumps
-'sha' and 'sha1' are now treated as synonyms
-updated Changelog and other docs
-
-
- strongswan-4.0.3 / R:1235
-===========================
-
-fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD)
-implement proper handling of most simultaneous IKE_SA rekeying cases
-version bump to 4.0.3
-implemented proper refcounting using atomic operations
-implemented IKE_SA rekeying
- uses ikelifetime, rekeymargin and rekeyfuzz config settings
- no handling of simultaneus exchanges yet!
-added possibility to route CHILD_SAs, without to set them up
- support for auto=route parameter
- support for ipsec route and ipsec unroute
- initiating of CHILD and/or IKE_SAs based on kernel acquires
-reuse an existing IKE_SA to set up additional CHILD_SAs
-introduced refcounting on policy and connections
- aren't stored in the IKE_SA anymore, they are queried on the fly
- are immutable now, allows it to share them
-policy selection based on traffic selectors, leads to valid lookup results
- rekeying queries the policy based on its traffic selectors
-cleanups in kernel interface code
-added proper traffic selector to string conversion
-some cleanups here & there
-X.509 certificate trust path verification
-added
-fixed UDP decapsulation by adding inbound bypass policy for send socket
-updated mixed tests to new charon output
-corrected DPD entry
-reenabled module tests for charon
-fixed bug which erroneously detected KE payload when rekeying
-added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
-improved logging on verify errors for some payloads
-enforcing IKE_SA shutdown, even when transactions are outstanding
-proper reject of CREATE_CHILD_SA message with KE payload
-added test cases from NAT team
-updated all IKEv2 tests to work with new status output
-added tcpdumpcount function from NATT guys
-added possibility to mount the strongswan tree into all UMLs
-added script for installing from shared tree in all UMLs
-added script to shut down all UMLs properly
-removed in favour of tests from NAT team
-fixed CREATE_CHILD_SA transaction dispatching
-added CHILD_SA states, which allows us to detect further simultaneous transactions
-reimplemented the buggy message id handling
-updated some inline docs
-fixed crypter/signer in/out to conform with standard
-fixed payload order
-added message id logging
-added all currently known notify payload types
-added policy cache to kernel interface
- allows refcounting of multiple installed policies
- finally brings us stable simultaneous rekeying
-leak detective blanks memory on free & alloc, allows further membug detection
-code cleanups
-identification_t.matches() supports multiple wildcard counts
-identification_t.matches() supports multiple wildcard counts
-further work done for simultaneous rekeying/delete
- still some cases which cause trouble
-fixed compiler warnings in parser when using -O2
-reenabled check_expiry
-updated copyright information
-reimplemented CHILD_SA rekeying & delete
- no simultanous transaction with CHILD_SAs yet!
-removed NAT_TRAVERSAL and VIRTUAL_IP compile options
-removed NAT_TRAVERSAL compile option
-removed NAT_TRAVERSAL and VIRTUAL_IP compile options
-added
-updated NEWS
-added support for leftprotoport and rightprotoport
-improved CHILD_SA output for "ipsec statusall"
-updated whitelist (getprotobynumber)
-redesigned IKE_SA using a transaction mechanism:
- removed old state machine
- reimplemented IKE_SA setup and delete
- implemented dead peer detection
- implemented keep-alives
- a lot of fixes
- no rekeying yet
-fixed compiler warnings
-made thread ids unsigned again, to avoid negative thread ids on some systems
-fixed memleak when initiating a connection already up
-updated leak detective whitelist
-applied latest NATT patch with some fixes and cleanups
-test currently without firewall
-added
-added
-added
-removed
-removed version information from ipsec.conf
-log entries start with lowcercase character
-restored lost IKEv2 packet suppression
-added USE_LEAK_DETECTIVE option
-fixed natd_hash memory leak
-tests with subdirectory structure
-removed tests
-introduced subdirectory structure
-support of cert payloads
-lowercase log entries
-distributed by ITA
-added support of updown parameter
-generation of default key
-cosmetics
-added support of updown parameter
-version bump to 4.0.2
-added X.509 trust chain verification
-version bump to 4.0.2
-ESP packet size changed
-fixed bad_proposal_syntax bug
-updated ingorelist for stroke_keywords.c
-applied new changes from NATT team
- DPD only done when no IPsec and IKE traffic processed
- minor changes here and there
-some message code cleanups
-fixed identification_t clone to apply function pointers
-cleaner error handling on UDP encapsultion sockopt failure
-added mysterious UDP encapsulation socket option to get encapsulation working
-fixed BAD_PROPOSAL_SYNTAX vulnerability
-first merge of NATT code
-fixed testing build
-updated for 4.0.1 release
-updated news for 4.0.1 release
-fixed whitelist detection
-
-
- strongswan-4.0.1 / R:1144
-===========================
-
-fixed whitelist detection
-reworked function ignore mechanism to not-report whitelist
- rather than overriding functions
-fixed execv call args to work when using strictcrl and syslog
-fixed bug: usage of already freed mem
-readded local_credential_store
-added sendcert policy to connection
-some other cleanups
-implemented rereadcrls rereadcacerts
-implemented rereadcrls rereadcacerts
-implemented rereadcrls rereadcacerts
-removed local_credential_store
-fixed SPI when acting as initiator of rekeying
-fixed SPI when rekeying and deleting CHILD_SAs
-change key derivation order to fullfill RFC
-added crl support
-added listcrls
-added chunk_equals_or_null()
-added crl support
-changed tabs from 8 to 4 spaces
-added crl support
-cosmetics
-cosmetics (space)
-fixed compilation error
-updated for release
-fixed aes code, we support now aes128, aes192, aes256 in IKE
-added support for "ike" and "esp" keywords
-fixed bugs in proposal code
-algorithm selection for charon works now with ipsec.conf
-a lot of other fixes
-implemented clean spi allocation behavior when using multiple proposals
-fixed logleve(l) keyword typo
-handling of "rekey=no" parameter added
-changed default algorithms to:
- ike: aes128-sha-modp2048
- esp: aes128-sha1, 3des-md5
-added default CRL directory path
-added strictcrlpolicy command line argument
-added option parsing
-added local CRLs
-added rekeying parameters
-corrected some descriptions
-moved RSA key size constraints to definitions.h
-fixed down keyword
-debug and logging improvements
-support for stroke listcerts|listcacerts|listcrls|listall
-support for stroke listcerts|listcacerts|listall and left|rightca=
-gperf creates optimum hash table for stroke keywords
-using same reqid if a child sa rekeys an existing one
-NULL string argument is treated as %any
-add_certificate() now returns pointer to added cert
-cosmetics
-single tests now start up faster
-workaround for peers rekeying at the same time
-loading lifetime policies from ipsec.conf
-old child_sa gets deleted after rekeying
-rekeying almost complete, but:
- IKE_SA get in an invalid state when both initiate rekeying at the same time,
-corrected type
-improved kernel interface logging
-fixed clone/destroy behavior when not using CAs
-specifying keysize in bits, as it is required in IKEv2
-added generic kernel SA algorithm handling, which brings us:
- aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
-added support for leftsendcert= and left|rightca= parameters
-discard cert if CA basic constraints flag is not set and warn if cert is not valide
-added public methods is_ca() and is_valid()
-changed ASN.1 CONTROL log output to LEVEL2
-cosmetics
-removed unused Makefile
-stroke.h requires libstrongswan/types.h
-fixed compile warnings when using -Wall
-further CHILD_SA rekeying work done:
- creation of a new CHILD_SA on a expire from a kernel works
- delete of old CHILD_SA still missing
- some issues when both initiate rekeing
-updated INSTALL to conform with autotools
-added a short HACKING introduction
-further work for rekeying:
- get liftimes from policy
- added new state
- initiation of rekeying done
-proposal redone:
- removed support for AH+ESP proposals
-proper leak detective hook for realloc
-excluded pthread_setspecific from leak detective
-fixed a memleak
-cosmetics
-ipv6-host2host scenario added
-created IPv6 environment
-job management:
- moved job code from thread_pool to job, jobs have an "execute" method now
- added two new jobs: delete_child_sa & rekey_child_sa
-kernel interface:
- listens now for ACQUIRE & EXPIRE
- supports hard and soft lifetimes
- fires jobs for delete and rekey child sa
-ike sa manager:
- can checkout IKE SAs by requid of owned CHILD SAs
-we have now the infrastructure to do the rekeying... :-)
-fixed some memleaks/freebugs
-leak detective works almost usable now (?!)
-added host2host test for ikev2
-fixed host-host tunnel traffic selection, host-host works now
-bug fixed circumventing an assertion in delete_connection when ikev1 is not set
-minimized prefixed on stroke logger output
-charon outputs strongSwan version
-tests with subjectAltNames now
-fixed event queue for events >36min
-included charons module tests to build & dist
-full support of ikev1 and ikev2 connection flags
-cosmetics in log_status output
-use of streq
-added testing files to dist
- required the use of the "ustar" format to support
- filenames longer than 99 chars
-lookup of private key based on keyid of public key
-new functions to add certificates and retrieve private and public keys
-changed log level
-list ca certificates
-computation of SHA-1 hash over publicKeyInfo object
-moved abbreviated thread_id in front of brackets
-added has_key parameter to log_certificates()
-log_certificates() now shows keyid and availability of matching private key
-indented loaded file log entry
-moved TIMETOA_BUF definition to types.h
-moved TIMETOA_BUF definition from asn1.h
-define default CA_CERTIFICATE_DIR
-load all ca certificates
-fixed daemon destruction order to prevent
- crashes on termination
-fixed memleak when deleting a connection
-updated todo list
-policies contain a connections name now
- used for initiate and delete
-connections won't get initiated twice anymore
-deleting of connections is now possible, which allows us to use
- ipsec update and ipsec reload
-changed iterator->remove behavior
-ipsec up|down|route|delete require a connection name
-stroke now uses constant size string buffer
-changed to standard connection log output
-reworked parsing and matching of subjectAltNames
-added memeq() macro
-moved timetoa() from asn1.c to types.c
-corrected type
-some logging improvements and cosmetics
-handle IKE_SA setup without a piggy-packed CHILD_SA
- more IKEv2 conform
-initiate IKE_SA deletion befor manager destruction
-improved code of chunk_equals
-added streq() macro and defined default BUF_LEN
-typo
-build gets perl and gperf from configure now
-moved built sources to maintainer-clean
-show connection templates in status & statusall
-don't complain on termination of IKEv1 connections
-updated ipsec.conf manual to reflect actual state of
- keyexchange-parameter
-using hubs instead of switches, which allows us
- to sniff the traffic from the host system.
-changed config load strategy:
- starter loads both connections in charon & pluto,
- charon ignores anything with keyexchange!=ikev2.
- pluto needs the same behavior.
- changed build order to fix build error after distclean
-load_end_certificate() now loads certificates
-cosmetics
-moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber
-moved definition of generalNames_t to identification.h
-corrrected description
-reimplemented proper IKE SA deletion using a seperate state,
- should conform now to IKEv2
-fixed build when using --enable-leak-detective
-added removed files to svn:ignore
-fixed bug in pluto/Makefile.am
-removed perl-generated oid.c/h from svn,
- added them to "dist" and "distclean"
-removed lex, yacc and gperf output from svn,
- added them to "dist" and "distclean"
-storing release revision in svn property "release-revision", because I forget it all the times
-fixed ignorelist, should work now
-added ingorelist for builded files
-re-added doxygen apidoc, buildable with "make apidoc"
-added missing ipsec.conf.5 to distribution :-/
-fixed another typo
-added missing ipsec.conf ipsec.conf.5
-existing ipsec.conf won't get overwritten anymore
-fixed typo in Makefile which corrupted the build
-applied patch from the NAT-T team fixing several typos
-applied patch from andreas, which allows certificate listing via stroke
-added ipsec.conf template and man page back
-removed old Makefiles
-added new strongswan KDevelop project & startup hack
-fixed Revision in changelog fo 4.0.0
-started ChangeLog
-simple script for ChangeLog update via "svn log"
-fixed compliation error using --enable-smartcard
-added test for ikev1-ikev2 mixed mode
-added test ikev2 roadwarrior scenario
-applied andreas's patch
- logger output improvements
- testin gupdates
- and a lot more
-updated testsuite to autotools
-added random source ./configure options
-fixed default-pkcs11 option
-testcommit
-fixed errors when --enable-pkcs11
-added autogen script
-introduced autotools
- first working version
- make dist should work
- things to do:
- UML testing!
- more cleanups
-fixed build
-started to rebuild source layout
-fixed stroke error output to starter
-using random SPIs now, but without collision checks
-applied some -W's from strongswan
-fixed that warnings
-removed IKEV2 ifdefs
-applied patch from andreas
- added charonstart option to config
- new ikev2 tests for UML
-
- strongSwan-4.0.0 / R:967
-==========================
-
-removed IKEV2 ifdefs
-applied patch from andreas
- added charonstart option to config
- new ikev2 tests for UML
-applied patch from andreas
- pem loading
- secrets file parsing
- ikev2 testcase
- some other additions here and there
-connection termination is handled cleanly by name now
-fixed bad bug, certs load now cleanly again
-fixed make install (subdir order)
-fixed include path
-added missing script
-finished initial import of strongswan file tree
-removed a lot of old and unused stuff
-moved RFCs from ikev2 into doc dir
-added missing files for starter
-applied patch for charon (this time really)
-import of strongswan-2.7.0
-applied patch for charon
-renamed get_block_size of hasher
-reworked usage of IDs in various states
-using ID_ANY for any, not NULL as before
-initiator sends IDr payload in IKE_AUTH when ID unique
-fixed charon checks
-using status & statusall
-patch for 2.7.0
-add connection names to connections
-stroke status / ipsec status shows them
-added statusall for stroke
-added status by connection name
-some tests repaired, more to come
-fixed spi conversion
-improved "stroke status" output
-setup PID file after daemon initilization, to correctly inform
- starter about daemon startup
-added separate implementation for connection_store, credential_store, policy_store
-added folder structure to config
-credentials are fetched solely on IDs now
-identification_t supports now almost all id types
-x509 certificates work with identification_t now
-fixes here, fixes there
-fixed doxygen build
-seperates now in lib and charon
-library initialization done at a central point (library.c)
-some leak_detective fixes
-updated Todos
-fixed log-to-syslog behavior
-added patch against strongswan-2.6.4
-x509 certificate loading with pluto asn1 code
-x509 needs a lot more attention!
-renamed some files
-using asn1 pluto stuff now
-removed, since we use pluto asn1 stuff
-leak detective is usable, but does not show static function names
- a script which gets address via ldd and resolves address via addr2line would be nice
-fixed a leak in child_sa with new detective ;-)
-some improvements to new asn1 stuff
-to be continued
-fixed bad bugs in kernel interface
-added some logging info
-works now much more stable
-startet importing pluto ASN1 stuff
-der PKCS#1 key loading works (as it did with der_decoder)
-split up in libstrong, charon, stroke, testing done
-new leak detective with malloc hook in library
- useable, but needs improvements
-logger_manager has now a single instance per library
- allows use of loggers from any linking prog
-a LOT of other things
-../svn-commit.tmp
-added misssing stroke.h
-improved strokeing
- down connection
- status
-some other tweaks
-rewrote a lot of RSA stuff
-done major work for ASN1/decoder
-allow loading of ASN1 der encoded private keys, public keys and certificates
-extracting public key from certificates
-passing certificates from stroke to charon
-=> basic authentication with RSA certificates works!
-starter work on asn1 with der de/encoder
-RSA private and public key can load read key from ASN1 DER
-some other fixes here and there
-rewrite of logger_manager, uses now one instance per context
-cleanups for logger here and there
-removed critical flag check in payload verification (conformance to IKEv2)
-so thats and theres everywere... ;-)
-patch for strongswan-2.6.3
-added charon support for strongswan build process
-ipsec starter supports charon startup and control
-removed old diploma thesis scripts
-some cleanups
-compatibility to strongswan, Makefile can be called by "make programs"
- and "make install" (ikev2 patch must be applied to strongswan)
-first version of stroke control utility
-moved output to doc/api, since doc is used for other docs now
-some first documentation in english
-removed old eclipse project files
-works quite well now with ipsec.conf & ipsec starter
-belongs to previous commit ;-)
-reworked configuration framework completly
-configuration is now split up in: connections, policies, credentials and daemon config
-further alloc/free fixes needed!
-first attempt for connection loading and starting via "stroke"
-some improvements here and there
-configuration_manager replaced by configuration_t interface
-current configuration_manager is now static_configuration (testing)
-first draft of starter_configuration, which should once interact with ipsec starter (via whack?)
-some cleanups
-socket_t uses RAW socket, which allows parallel service of pluto/charon
-comments and cleanups
-working policy installation and removal
-fixed policy setup bug
-proposal setup implementation begun
-fixed socket code, so we know on which address we receive traffic
-AH/ESP setup in kernel is working now!!! :-)))
-installing of child sa works
-need correct IP adresses to actually use IPsec
-new RFCs of IKEv2, IKEv2 algs and IPSec arch added
-update of IKEv2 clarification document
-refactored ike proposal
-uses now proposal_t, wich is also used by child proposals
-ike key derivation refactored
-crypter_t api has get_key_size now
-some other improvements here and there
-config uses uml hosts alice and bob
-key derivation for child_sa works
-some fixes here and there
-fixed memleaks
-works with new proposal code
-still some(!) memleaks
-fixed alot of bugs in child_proposal
-near to working state ;-)
-dead end implementation
-
-... there is a lot more of it, but nothing of interest
+A summary of changes is available in the NEWS file. For a more
+detailed Changelog, use the repository (see HACKING) or the
+online interface available at http://trac.strongswan.org.
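Review bot: the three replacement lines drop the entire per-commit history (the diffstat shows 1079 deletions against 3 insertions, covering every release block back to strongSwan-4.0.0 / R:967) and point readers to NEWS, HACKING and a plain http://trac.strongswan.org URL instead, so anyone auditing what changed between releases from the shipped source alone now has only NEWS to go on. Since this is an [svn-upgrade] import of upstream 4.2.9, the truncation is upstream's choice and should not be reverted locally, but it is worth confirming that NEWS and HACKING are actually present in the imported 4.2.9 tree before relying on the pointer; an unfetchable URL is of no help to an offline build or package review, so if the old history is needed for the vyos-strongswan package it should be preserved in packaging rather than expected from this file.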