diff options
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 1082 |
1 files changed, 3 insertions, 1079 deletions
@@ -1,1079 +1,3 @@ - strongswan-4.1.0 / R:2552 -=========================== - -fixed nat detection bug -OCSP support -updated NEWS, TODO and man page -respecting "keyingtries" parameter on IKE_SA setup -cleanups -fixed reset() -not installing a route when policy gets updated -renamed keyingtries attribute -adjusted loglevels -delay OCSP response by 5 seconds -always update reqid on policy install, fixes dpdaction=hold issue -EAP-SIM cleanups -fixed CHILD_SA rekeying/delete bug on 64bit machines -removed obsolete methods in delete_payload -Shortened distribution string -Shortened distribution string -shortened distribution string -add daemon.log to web page -remove /etc/resolv.conf -version bump to 4.1.0 -added apache2/ocsp log directory to winnetou -removed killall openssl -removed killall openssl -deleted -deleted -create apach2/ocsp/ logging directory on winnetou -do not check for type of dpd action any more -create /var/log/apache2/ocsp on winnetou -added -added -added -delete virtual IP addresses after use -deleted -added -fixed case of missing subjectKeyID -corrected typo -version bump to 4.1.0 -added -use CURLOPT_NOSIGNAL -added --with-sim-reader option to configure script -some cleanups in eap_sim -removed dublicated code in eap_authenticator -log reception of trusted signer certificate -version bump to 4.1.0 -deleted -added -changed OCSPSigner to OCSPSigning -fixed carry bug in FIPS prf -user standard cert -deleted -deleted -added -added -modified description.txt and evaltest.dat -version number selection fix -some cleanups -cleaned up and fixed DPD handling code -removed cfg-payload dns test code -added -added -version bump to strongswan-4.1.0 and linux-2.6.20.3 -cosmetics -increased control debugging output -added EAP-SIM authentication - client side only - uses an external SIM reader library specified with SIM_READER_LIB - untested -not detaching from bus when IKE_SA_INIT is retried -added AES-192/256 proposals to IKE -added generic EAP_IDENTITY client implementation using peers IKEv2 ID -fixed compilation warnings and errors when not using curl -results from the single responses is stored in the corresponding certinfo_t structs -moved credential_store.h from charon/config/credentials to libstrongswan -last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA -fixed memory leak by calling curl_slist_free_all(headers) -fixed memory leak by calling curl_slist_free_all(headers) -whitelisting static Curl_getaddrinfo() memory leak -fixed a certinfo_t memory leak in verify() -fixed a memory leak in response_t -ocsp signer certificate and ocsp response signature can be verified -fixed memleaks when using EAP authentication -fixed configuration payloads when using EAP -fixed payload order (again) -including peers certificate when his certreq is empty -implemented cookies as initiator -proper logging of notifies in IKE_SA setup -disabling routing for IPv6, does not work correctly -fixed call of add_auth_certificate() -generalized get_ca_certificate() to get_auth_certificate(auth_flags) -added fetcher_finalize() to clean up libcurl -some cleanups -not installing %any DNS servers -support of setting and getting authority flags -support if ocsp signing certificates -support if ocsp signing certificates -fixed payload order in IKE_AUTH -removed SHA2 kernel proposals from default, the kernel doesn't support them yet -allocation fixes, not complete -handling "No policy found" properly -added more debugging output for policy lookup -returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE -fixed CHILD_SA creation within existing IKE_SA -added ocsp_parse_single_response -ported changes from EAP branch, renabling EAP framework -added (not yet supported) sha2 algorithms to kernel -only adding a route if using tunnel mode -added SHA2 MAC and PRF to default proposal -added more debug output -experimental SHA2 HMAC and PRF implementations -parsing basic ocsp response -forgot to assign public.is_ocsp_signer() method -added parsing level to x509_create_from_chunk() -added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method -http post fetching using libcurl implemented -added fetcher.h and fetcher.c -added -corrected @ingroup to utils -corrected comment -start ocsp checking only if there are any ocspuris present -conntrack -F is used to flush the NAT states -the hostaccess=yes parameters are not needed anymore -use conntrack -F to flush NAT states -replaced actual virtual IP addresses by symbolic ones -removed unnecessary double quotes -nonce in ocsp_t was not properly initialized -ocsp request is now fully built but without requestor signature -starting to build ocsp request -prevent from initiating multiple exchanges the same time -updated apidoc documentation -fixed notify handling in IKE_AUTH -moved nonce payload before TS in CHILD_SA setup -moved REKEY_SA notify to the beginning of the message -fixed traffic selector redundancy removal code (not completely tested) -add crl and ocsp uris to linked list after partial verification -added print hook for certinfo_t printing -fixed typo -sending an SPI of 0 as responder when IKE_SA_INIT fails -iterate certinfos linked list for matching serialNumber -some cleanups -not assigning %any virtual IPs to peer anymore -fixed double free bug -added -fixed ID selection bug when peer doesn't include IDr payload -allowing vendor ID in any messag -moved listing of crls to local_credential_store and ca -refactored ca_info_t -refactored ca_info_t -fixed netlink socket receiver code -implemented interface enumeration code with netlink: no getifaddrs reqired anymore -refactored kernel interface, works reliable again -implemented get_iface() using RTM_GETADDR -added support for multi-header netlink messages -really ugly now, need a lot of refactoring -added debuggin for interface lookup -fixed address lookup when !using getifaddrs() -added firewalling support when using virtual IPs -added support for 0.0.0.0/0 traffic selectors -fixed routing to make correct 0.0.0.0/0 routes -config-payload scenario fixes -preparations for PLUTO_MY_SOURCEIP -corrected typo -added cert with OCSP access info -dpd now takes 180 s and 5 retransmits -changed grep to creating aquire job for CHILD SA -replaced actual virtual IPs by place holders -virtual-ip scenario has been replaces by config-payload scenario -added -added -added ocsp.h and ocsp.c -added -r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines -virtual ip uml test -fixed reauthentication when connections other is %any -merged tasking branch into trunk -fixed big endian bug in md5 hasher -cosmetics -added once flag to certinfo_t -cosmetics -added certinfos linked list -changed ca info to ca -support of ca info sections -added support of OCSP accessLocations -correct interface definition -added support of OCSP accessLocations -full support of ca info records -added the create_crluri_iterator method -replace ca is realized as del_ca followed by add_ca -last CA keyword is KW_OCSPURI2 -full support of ca info records -full support of ca info records -alphabetically sorting print commands -listing ca_info items -replace printf.h by stdio.h -addin get_keyid() method -support of ca info records -support of ca info records -version bump to 4.0.8 -support of ca info records -support of ca info records -typo -SHA512-HMAC bug fix and hash function self-test support -SHA512-HMAC bug fix and hash function self-test support -handle strong SHA-2 signatures in X.509 certificates -SHA-2 fixes and add-ons -version bumps -remove strong certs and keys after test -added -using "left" as my host per default, swapping to "right" when needed -respecting source address when sending packets -added PRINT_CAINFO hook -stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp -enable IP forwarding -prepared support of ca information records and ocsp functionality -added support of ca information records and ocsp keywords -enabled adding and deleting ca information records -fixed starter crash due to freeing default IPSEC_EAPDIR string -add --eapdir option only if defined in ipsec.conf -removed eap aka module due nda -merged EAP framework from branch into trunk -includes a lot of other modifications -%T requires time_t ptr -removed my time_t printf handler patch, applied the one of andreas (64bit save) -fixed printf() hooks for time -added support for NULL encryption in ESP -be more liberal in accepting notifies with a protocol id -include NO_EXT_SEQUENCE_NUMBER in default proposal -output peer id if RSA public key is not found -fixed typo -version bump to 4.0.8 -added address listing without getifaddrs for uclibc (only IPv4 yet) -added threads to support multiple simultaneous stroke requests -renamed all static clone() functions to avoid naming conflicts with uclibc -sending proper signal to the bus when detecting a dead peer -added configuration of XAUTH and ModeConfig push mode -version bump -version bump -Cisco XAUTH interoperability -XAUTH interoperability with Cisco -removed IPSECPOLICY compile option -unload xauth_module only if XAUTH_DEFAULT_LIB is defined -loading the XAUTH module requires libdl -added some more attributes, inst XAUTH_TYPE in reply -Mode Config refactoring -XAUTH fixes and Cisco Unity support -log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings -added Cisco Unity ModeCfg attributes -version bump to 4.0.7 -fixed 64 bit issue with print time -fixed XAUTHResp bug -included xauth.h -use uml_mconsole to check end of booting process -name the created CHILD_SA -doubled PAYLIMIT to 40 payloads -version bump -show rekeying|reauthentication time -show name of created CHILD_SA -combined use_in and use_fwd -corrected typo -cosmetics -cosmetics -fixed an enumeration error, added CISCO_IOS VID -fixed mismatch in interface definition of get_secret() -forward declaration of struct state not needed -cosmetics -added firewall support to scenario -updated changelog for 4.0.6 -fixed crash when CA for certrequest not found -fixed build when !using smartcard -removed unused debugging code -updated NEWS for 4.0.6 - - - strongswan-4.0.6 / R:2131 -=========================== - -updated NEWS for 4.0.6 -readded tranport mode test using new status output -removed dublicated host2host-transport test -fixed reauthentication when using %any hosts -support for transport in create_child_sa -include TRANSPORT/TUNNEL information in statusall -load xauth module via dlopen() -define path to xauth module -added host2host-transport scenario -removed trailing lines -added XAUTH support -fixed typo -added XAUTH server and client support -load and unload XAUTH module -added xauth.h and xauth.c -added enable-cisco-quirks configure option -added xauth scenarios -added config option for BEET mode -fixed reuathentication when connections other host is %any -fixed host conversion length check -negated POLICY_REAUTH to POLICY_DONT_REAUTH -negated POLICY_REAUTH to POLICY_DONT_REAUTH -enable XAUTH_VID by default -added support for transport mode and (experimental!) BEET mode -support for the type=transport/tunnel parameter in charon -fixed charset & cleanups -added XAUTH server and client support -additional parentheses for same_chunk() macro -renamed to appear in doxygen build -added a roadmap of the strongSwan project (TODO) -added some NEWS -first try to update ipsec.conf manual -implemented reauthentication using the new reauth=yes|no parameter -fixed more uClibc issues -should compile against a uClibc > 0.9.28 (untested) -added XAUTH client states -version bump to 4.0.6 -fixed stddef.h include -fixed encoding rules string -updated todo -fixed some byte-order issues -fixed HAVE_BACKTRACE checks -starter Makefile now uses proper $(COMPILE) to build pluto objects -made backtrace() calls optional to support uClibc -XAUTH support -XAUTH support -fixed bug in ifdef CISCO_QUIRKS -added XAUTH support -support of Cisco Unity VID -added new VIDs -version bump to 4.0.6 -fixed case with wildcard peer ID and static peer address -added simple script to port trunk changes into branches -start kdevelop with project file from actual branch -updated changelog -fixed typos - - - strongswan-4.0.5 / R:1447 -=========================== - -fixed typos -improved selection of ipsec status|statusall <name> -fixed NEWS (runtime debug level options) -fixed credits -fixed very old bug in linked_list's remove_first and remove_last -proper "ipsec up" signal handling when initiating to %any -removed iterator hook for replace -fixed output of proto/port selectors -cosmetics -due to console logging, no need for final sleep anymore -adapted checks to changed ipsec status output -due to narrowing no need for rightsubnetwithin -no need to send certreq -fixed ipsec status|statusall <name> -log IKE SPIs on a separate line -redesigned formatting of ipsec status|statusall -cosmetics -version bumps of strongSwan, Linux kernel and Gentoo root file system -corrected description -added dpd-hold scenario -added new features -fixed 64 bit issue -solved 64 bit issue by changing long to int -solved 64 bit issue in push/pop stroke interface -fixed 64 bit issue -some fixes for doxygen -better split up of library files "types.h" & "definitions.h" -centralized all printf specifier character definitions -reuse of arginfo handlers -more cleanups -fixed more AMD64 issues -added DEBUG_LEVEL compile flag to exclude DBGn() statements -added nodebug configure script without any debug messages and without -g -preparations to include certreqs in policy decisions -do not sent certreq payloads when the peer is known to use PSK -position of (myself) moved in log output -do not sent certreq payloads when using self-signed certs -moved (myself) in log output -moved typedefs to beginning of files to solve some include problems -splitted authenticator to have a separate implementation for each auth_method_t -using va_copy to clone va_lists, should fix proplems on AMD64 -some other cleanups -do not sanitize '*' character -fixed SIGSEGV when setup of an additional CHILD_SA fails -added IKEv2 clarifications RFC -changed debug level of certreq log output -cosmetics in debug output -support of certreq payload in IKE_AUTH messages -chunk_to_hex() function declaration deleted -added function certreq_payload_create_from_x509() -send a certreq as initiator if other_ca is set -added method get_ca_certificate() -added methods get_my_ca() and get_other_ca() -added methods get_my_ca() and get_other_ca() -added some missing 'AUD' entries -cosmetics -cosmetics -change due to change debug output -spaces should not be sanitized -fixed due to new logging concept -some improvements in signaling code -include only source NATD payloads really needed -updated for NAT team -improved signal handling and emitting -support of ModeCfg Push mode -support of mixed RSA/PSK static connections -support of ipsec statusall in state output -output of 'DPD active' in ISAKMP SAs -support of ipsec statusall in state output -added natip support -added has_natip flag -added ModeCfg push policy and states -added ModeCfg push policy and states -fixed typo in debug statement -redesigned list output format -added 'modeconfig=pull|push' and 'left|rightnatip' keywords -added has_natip flag -added has_natip flag -added 'exit' statement in listcerts,.. case -fixed two bugs in the time_t and chunk_ct print functions -redesigned format of print function -replaced 'times' by 'dates' -added private flag to asn1_init -added private flag to asn1_ctx_t -removed DES-EDE3-CBC only comment -removed deprecated iterator methods (has_next & current) -added iterator hook to manipulate iterator the clean way -linked list cleanups -added list methods invoke(), destroy_offset(), destroy_function() -simplified list destruction when destroying its items -added verbosity level to stroke -upgrade to new Gentoo root file system and tcpdump command -added -deleted -renamed ikev1 scenario and added ikev2 scenario -added new scenarios -Version bumps of UML kernel, Gentoo root file system and strongSwan release -code cleanups in printf handlers -added eap authentication draft for ikev2 -updated stroke to allow run-time manipulation of debug levels -added charondebug config parameter to set debug level at startup -introduced new logging subsystem using bus: - passive listeners can register on the bus - active listeners wait for signals actively - multiplexing allows multiple listeners to receive debug signals - a lot more... -updated file filter for kdev project -include CREDITS file in distribution -moved various scripts in scripts/ dir -add configure script wrappers -removed txt files from doxygen -removed module tests, outdated. We need something more system-test like -added missing -DDEBUG compile option -fixed auxillary message data parsing for IPV6 socket -using SOL_* constants for socket level -fixed IPV6_PKTINFO setsockopt() to work with most kernel headers -replaced strerror(errno) with %m printf specifier -added stronger certs for moon, carol, and dave -added IPv6 hw and multicast addresses -adapted to new tcpdump ipv6 output -multi-level-ca scenarios use unencrypted private key -added scenario -fixed timing -new gentoo root file system -fixed bug with openldap 2.3 -removed ipsec.conf version information -carolKey.pem is now protected by 3DES passphrase -updated net runlevel scripts -updated net init scripts -new net configuration format -HW addresses must be predefined -cosmetics -added USE_LIBCURL -cosmetics -found libraries are not appended to LIBS anymore -version bump to 4.0.5 -fixed DPD to survive IKE_SA rekeying -introduced printf() specifiers for: - host_t (%H) - identification_t (%D) - chunk pointers (%B) - memory pointer/length (%b) -added a signaling bus: - receives event and debug messages, sends them to its listeners - stream_logger, sys_logger, file_logger added, listen to bus -some other tweaks here and there -added often used RFCs and drafts -DES for private key encryption is not supported -updated NEWS and ChangeLog for 4.0.4 release -fixed retransmission policy for responder -fixed dpd for responder -added ID_ANY check to matches_binary() -replaced 'missing value' warning by zero length chunk_t value -defined maximum hash size -support of AES-192-CBC private key encryption -added hostaccess support -added hostaccess support -moved auth_method to policy -added hostaccess support -added hostaccess support -more consistent authentication logging -added hostaccess support -moved auth_method to policy -moved auth_method to policy -added hostaccess support; moved auth_method to policy -added hostaccess support -added hostaccess support -added new test scenarios -fixed some compiler warnings - - - strongswan-4.0.4 / R:1289 -=========================== - -fixed some compiler warnings -extended statusall output - added job/event-queue statistics - added allocation statistics when using LEAK_DETECTIVE -fixed include typo -public declaration of all HASH_SIZEs in hasher.h -support of encrypted private key files -added copyright notice to sha2_hasher -included SHA2 in build process -implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512 -added support for 3DES encryption algorithm in IKE -fixed the ids parsing bug -fixed the ids parsing bug -updated TODOs -fixed memleak -fixed proper handling of id parsing errors -proper return value when no PSK found -added HOST_ACCESS for firewall script as default -more debugging output for PSK authentication -some cleanups here and there -added auth_method field -added auth_method field -cosmetics -verify_emsa_pkcs1_signature returns status_t -cosmetics -added PSK support -enabled firewall support -proper error handling for socket creation -handle certificate parsing error more generous -fixed certificate verification bug! -fixed memleak when receiving invalid certificate -version bump to 4.0.4 -version bump to 4.0.4 -two new test scenarios -fixed path to images directory -implemented updown script to handle firewalling -add priority management for kernel policy -let ROUTED policies installed, until manuall removed -introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs -ike_sa_manager cleanups -implemented handling of dpdaction and dpddelay ipsec.conf parameters -reuse reqid when a ROUTED child_sa gets INSTALLED -fixed a bug in retransmission code -added support for the "keyingtries" ipsec.conf parameter -added support for the "dpddelay" ipsec.conf parameter -done some work for "dpdaction" behavior -some other cleanups and fixes -fixed a at-least-one-year-old bug which caused crashed in the scheduler -added raw socket filter for IPv6 -implemented NAT detection for IPv6 -removed unneeded constructor -initial support for IPv6 (more testing needed) - socket works (without v6 filter) - traffic selector handle IPv4/v4 cleanly - improvements in traffic selector code - kernel interface accepts v6 traffic selectors and hosts - host_t class has full IPv6 support -added stddef.h include for compilers which do not support the offsetof() directive -moved interface enumeration code to socket, where it belongs -query interfaces every time we need it to respect changes in network config -added address listing on startup and "ipsec statusall" -version bump of UML kernel to 2.6.17.11 -fixed crash bug when doing "ipsec down" with an unknown connection -added name property in CHILD_SA, allows proper status output -fixed bug which prevented port float when nat is detected -version bumps -'sha' and 'sha1' are now treated as synonyms -updated Changelog and other docs - - - strongswan-4.0.3 / R:1235 -=========================== - -fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD) -implement proper handling of most simultaneous IKE_SA rekeying cases -version bump to 4.0.3 -implemented proper refcounting using atomic operations -implemented IKE_SA rekeying - uses ikelifetime, rekeymargin and rekeyfuzz config settings - no handling of simultaneus exchanges yet! -added possibility to route CHILD_SAs, without to set them up - support for auto=route parameter - support for ipsec route and ipsec unroute - initiating of CHILD and/or IKE_SAs based on kernel acquires -reuse an existing IKE_SA to set up additional CHILD_SAs -introduced refcounting on policy and connections - aren't stored in the IKE_SA anymore, they are queried on the fly - are immutable now, allows it to share them -policy selection based on traffic selectors, leads to valid lookup results - rekeying queries the policy based on its traffic selectors -cleanups in kernel interface code -added proper traffic selector to string conversion -some cleanups here & there -X.509 certificate trust path verification -added -fixed UDP decapsulation by adding inbound bypass policy for send socket -updated mixed tests to new charon output -corrected DPD entry -reenabled module tests for charon -fixed bug which erroneously detected KE payload when rekeying -added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT -improved logging on verify errors for some payloads -enforcing IKE_SA shutdown, even when transactions are outstanding -proper reject of CREATE_CHILD_SA message with KE payload -added test cases from NAT team -updated all IKEv2 tests to work with new status output -added tcpdumpcount function from NATT guys -added possibility to mount the strongswan tree into all UMLs -added script for installing from shared tree in all UMLs -added script to shut down all UMLs properly -removed in favour of tests from NAT team -fixed CREATE_CHILD_SA transaction dispatching -added CHILD_SA states, which allows us to detect further simultaneous transactions -reimplemented the buggy message id handling -updated some inline docs -fixed crypter/signer in/out to conform with standard -fixed payload order -added message id logging -added all currently known notify payload types -added policy cache to kernel interface - allows refcounting of multiple installed policies - finally brings us stable simultaneous rekeying -leak detective blanks memory on free & alloc, allows further membug detection -code cleanups -identification_t.matches() supports multiple wildcard counts -identification_t.matches() supports multiple wildcard counts -further work done for simultaneous rekeying/delete - still some cases which cause trouble -fixed compiler warnings in parser when using -O2 -reenabled check_expiry -updated copyright information -reimplemented CHILD_SA rekeying & delete - no simultanous transaction with CHILD_SAs yet! -removed NAT_TRAVERSAL and VIRTUAL_IP compile options -removed NAT_TRAVERSAL compile option -removed NAT_TRAVERSAL and VIRTUAL_IP compile options -added -updated NEWS -added support for leftprotoport and rightprotoport -improved CHILD_SA output for "ipsec statusall" -updated whitelist (getprotobynumber) -redesigned IKE_SA using a transaction mechanism: - removed old state machine - reimplemented IKE_SA setup and delete - implemented dead peer detection - implemented keep-alives - a lot of fixes - no rekeying yet -fixed compiler warnings -made thread ids unsigned again, to avoid negative thread ids on some systems -fixed memleak when initiating a connection already up -updated leak detective whitelist -applied latest NATT patch with some fixes and cleanups -test currently without firewall -added -added -added -removed -removed version information from ipsec.conf -log entries start with lowcercase character -restored lost IKEv2 packet suppression -added USE_LEAK_DETECTIVE option -fixed natd_hash memory leak -tests with subdirectory structure -removed tests -introduced subdirectory structure -support of cert payloads -lowercase log entries -distributed by ITA -added support of updown parameter -generation of default key -cosmetics -added support of updown parameter -version bump to 4.0.2 -added X.509 trust chain verification -version bump to 4.0.2 -ESP packet size changed -fixed bad_proposal_syntax bug -updated ingorelist for stroke_keywords.c -applied new changes from NATT team - DPD only done when no IPsec and IKE traffic processed - minor changes here and there -some message code cleanups -fixed identification_t clone to apply function pointers -cleaner error handling on UDP encapsultion sockopt failure -added mysterious UDP encapsulation socket option to get encapsulation working -fixed BAD_PROPOSAL_SYNTAX vulnerability -first merge of NATT code -fixed testing build -updated for 4.0.1 release -updated news for 4.0.1 release -fixed whitelist detection - - - strongswan-4.0.1 / R:1144 -=========================== - -fixed whitelist detection -reworked function ignore mechanism to not-report whitelist - rather than overriding functions -fixed execv call args to work when using strictcrl and syslog -fixed bug: usage of already freed mem -readded local_credential_store -added sendcert policy to connection -some other cleanups -implemented rereadcrls rereadcacerts -implemented rereadcrls rereadcacerts -implemented rereadcrls rereadcacerts -removed local_credential_store -fixed SPI when acting as initiator of rekeying -fixed SPI when rekeying and deleting CHILD_SAs -change key derivation order to fullfill RFC -added crl support -added listcrls -added chunk_equals_or_null() -added crl support -changed tabs from 8 to 4 spaces -added crl support -cosmetics -cosmetics (space) -fixed compilation error -updated for release -fixed aes code, we support now aes128, aes192, aes256 in IKE -added support for "ike" and "esp" keywords -fixed bugs in proposal code -algorithm selection for charon works now with ipsec.conf -a lot of other fixes -implemented clean spi allocation behavior when using multiple proposals -fixed logleve(l) keyword typo -handling of "rekey=no" parameter added -changed default algorithms to: - ike: aes128-sha-modp2048 - esp: aes128-sha1, 3des-md5 -added default CRL directory path -added strictcrlpolicy command line argument -added option parsing -added local CRLs -added rekeying parameters -corrected some descriptions -moved RSA key size constraints to definitions.h -fixed down keyword -debug and logging improvements -support for stroke listcerts|listcacerts|listcrls|listall -support for stroke listcerts|listcacerts|listall and left|rightca= -gperf creates optimum hash table for stroke keywords -using same reqid if a child sa rekeys an existing one -NULL string argument is treated as %any -add_certificate() now returns pointer to added cert -cosmetics -single tests now start up faster -workaround for peers rekeying at the same time -loading lifetime policies from ipsec.conf -old child_sa gets deleted after rekeying -rekeying almost complete, but: - IKE_SA get in an invalid state when both initiate rekeying at the same time, -corrected type -improved kernel interface logging -fixed clone/destroy behavior when not using CAs -specifying keysize in bits, as it is required in IKEv2 -added generic kernel SA algorithm handling, which brings us: - aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs -added support for leftsendcert= and left|rightca= parameters -discard cert if CA basic constraints flag is not set and warn if cert is not valide -added public methods is_ca() and is_valid() -changed ASN.1 CONTROL log output to LEVEL2 -cosmetics -removed unused Makefile -stroke.h requires libstrongswan/types.h -fixed compile warnings when using -Wall -further CHILD_SA rekeying work done: - creation of a new CHILD_SA on a expire from a kernel works - delete of old CHILD_SA still missing - some issues when both initiate rekeing -updated INSTALL to conform with autotools -added a short HACKING introduction -further work for rekeying: - get liftimes from policy - added new state - initiation of rekeying done -proposal redone: - removed support for AH+ESP proposals -proper leak detective hook for realloc -excluded pthread_setspecific from leak detective -fixed a memleak -cosmetics -ipv6-host2host scenario added -created IPv6 environment -job management: - moved job code from thread_pool to job, jobs have an "execute" method now - added two new jobs: delete_child_sa & rekey_child_sa -kernel interface: - listens now for ACQUIRE & EXPIRE - supports hard and soft lifetimes - fires jobs for delete and rekey child sa -ike sa manager: - can checkout IKE SAs by requid of owned CHILD SAs -we have now the infrastructure to do the rekeying... :-) -fixed some memleaks/freebugs -leak detective works almost usable now (?!) -added host2host test for ikev2 -fixed host-host tunnel traffic selection, host-host works now -bug fixed circumventing an assertion in delete_connection when ikev1 is not set -minimized prefixed on stroke logger output -charon outputs strongSwan version -tests with subjectAltNames now -fixed event queue for events >36min -included charons module tests to build & dist -full support of ikev1 and ikev2 connection flags -cosmetics in log_status output -use of streq -added testing files to dist - required the use of the "ustar" format to support - filenames longer than 99 chars -lookup of private key based on keyid of public key -new functions to add certificates and retrieve private and public keys -changed log level -list ca certificates -computation of SHA-1 hash over publicKeyInfo object -moved abbreviated thread_id in front of brackets -added has_key parameter to log_certificates() -log_certificates() now shows keyid and availability of matching private key -indented loaded file log entry -moved TIMETOA_BUF definition to types.h -moved TIMETOA_BUF definition from asn1.h -define default CA_CERTIFICATE_DIR -load all ca certificates -fixed daemon destruction order to prevent - crashes on termination -fixed memleak when deleting a connection -updated todo list -policies contain a connections name now - used for initiate and delete -connections won't get initiated twice anymore -deleting of connections is now possible, which allows us to use - ipsec update and ipsec reload -changed iterator->remove behavior -ipsec up|down|route|delete require a connection name -stroke now uses constant size string buffer -changed to standard connection log output -reworked parsing and matching of subjectAltNames -added memeq() macro -moved timetoa() from asn1.c to types.c -corrected type -some logging improvements and cosmetics -handle IKE_SA setup without a piggy-packed CHILD_SA - more IKEv2 conform -initiate IKE_SA deletion befor manager destruction -improved code of chunk_equals -added streq() macro and defined default BUF_LEN -typo -build gets perl and gperf from configure now -moved built sources to maintainer-clean -show connection templates in status & statusall -don't complain on termination of IKEv1 connections -updated ipsec.conf manual to reflect actual state of - keyexchange-parameter -using hubs instead of switches, which allows us - to sniff the traffic from the host system. -changed config load strategy: - starter loads both connections in charon & pluto, - charon ignores anything with keyexchange!=ikev2. - pluto needs the same behavior. - changed build order to fix build error after distclean -load_end_certificate() now loads certificates -cosmetics -moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber -moved definition of generalNames_t to identification.h -corrrected description -reimplemented proper IKE SA deletion using a seperate state, - should conform now to IKEv2 -fixed build when using --enable-leak-detective -added removed files to svn:ignore -fixed bug in pluto/Makefile.am -removed perl-generated oid.c/h from svn, - added them to "dist" and "distclean" -removed lex, yacc and gperf output from svn, - added them to "dist" and "distclean" -storing release revision in svn property "release-revision", because I forget it all the times -fixed ignorelist, should work now -added ingorelist for builded files -re-added doxygen apidoc, buildable with "make apidoc" -added missing ipsec.conf.5 to distribution :-/ -fixed another typo -added missing ipsec.conf ipsec.conf.5 -existing ipsec.conf won't get overwritten anymore -fixed typo in Makefile which corrupted the build -applied patch from the NAT-T team fixing several typos -applied patch from andreas, which allows certificate listing via stroke -added ipsec.conf template and man page back -removed old Makefiles -added new strongswan KDevelop project & startup hack -fixed Revision in changelog fo 4.0.0 -started ChangeLog -simple script for ChangeLog update via "svn log" -fixed compliation error using --enable-smartcard -added test for ikev1-ikev2 mixed mode -added test ikev2 roadwarrior scenario -applied andreas's patch - logger output improvements - testin gupdates - and a lot more -updated testsuite to autotools -added random source ./configure options -fixed default-pkcs11 option -testcommit -fixed errors when --enable-pkcs11 -added autogen script -introduced autotools - first working version - make dist should work - things to do: - UML testing! - more cleanups -fixed build -started to rebuild source layout -fixed stroke error output to starter -using random SPIs now, but without collision checks -applied some -W's from strongswan -fixed that warnings -removed IKEV2 ifdefs -applied patch from andreas - added charonstart option to config - new ikev2 tests for UML - - strongSwan-4.0.0 / R:967 -========================== - -removed IKEV2 ifdefs -applied patch from andreas - added charonstart option to config - new ikev2 tests for UML -applied patch from andreas - pem loading - secrets file parsing - ikev2 testcase - some other additions here and there -connection termination is handled cleanly by name now -fixed bad bug, certs load now cleanly again -fixed make install (subdir order) -fixed include path -added missing script -finished initial import of strongswan file tree -removed a lot of old and unused stuff -moved RFCs from ikev2 into doc dir -added missing files for starter -applied patch for charon (this time really) -import of strongswan-2.7.0 -applied patch for charon -renamed get_block_size of hasher -reworked usage of IDs in various states -using ID_ANY for any, not NULL as before -initiator sends IDr payload in IKE_AUTH when ID unique -fixed charon checks -using status & statusall -patch for 2.7.0 -add connection names to connections -stroke status / ipsec status shows them -added statusall for stroke -added status by connection name -some tests repaired, more to come -fixed spi conversion -improved "stroke status" output -setup PID file after daemon initilization, to correctly inform - starter about daemon startup -added separate implementation for connection_store, credential_store, policy_store -added folder structure to config -credentials are fetched solely on IDs now -identification_t supports now almost all id types -x509 certificates work with identification_t now -fixes here, fixes there -fixed doxygen build -seperates now in lib and charon -library initialization done at a central point (library.c) -some leak_detective fixes -updated Todos -fixed log-to-syslog behavior -added patch against strongswan-2.6.4 -x509 certificate loading with pluto asn1 code -x509 needs a lot more attention! -renamed some files -using asn1 pluto stuff now -removed, since we use pluto asn1 stuff -leak detective is usable, but does not show static function names - a script which gets address via ldd and resolves address via addr2line would be nice -fixed a leak in child_sa with new detective ;-) -some improvements to new asn1 stuff -to be continued -fixed bad bugs in kernel interface -added some logging info -works now much more stable -startet importing pluto ASN1 stuff -der PKCS#1 key loading works (as it did with der_decoder) -split up in libstrong, charon, stroke, testing done -new leak detective with malloc hook in library - useable, but needs improvements -logger_manager has now a single instance per library - allows use of loggers from any linking prog -a LOT of other things -../svn-commit.tmp -added misssing stroke.h -improved strokeing - down connection - status -some other tweaks -rewrote a lot of RSA stuff -done major work for ASN1/decoder -allow loading of ASN1 der encoded private keys, public keys and certificates -extracting public key from certificates -passing certificates from stroke to charon -=> basic authentication with RSA certificates works! -starter work on asn1 with der de/encoder -RSA private and public key can load read key from ASN1 DER -some other fixes here and there -rewrite of logger_manager, uses now one instance per context -cleanups for logger here and there -removed critical flag check in payload verification (conformance to IKEv2) -so thats and theres everywere... ;-) -patch for strongswan-2.6.3 -added charon support for strongswan build process -ipsec starter supports charon startup and control -removed old diploma thesis scripts -some cleanups -compatibility to strongswan, Makefile can be called by "make programs" - and "make install" (ikev2 patch must be applied to strongswan) -first version of stroke control utility -moved output to doc/api, since doc is used for other docs now -some first documentation in english -removed old eclipse project files -works quite well now with ipsec.conf & ipsec starter -belongs to previous commit ;-) -reworked configuration framework completly -configuration is now split up in: connections, policies, credentials and daemon config -further alloc/free fixes needed! -first attempt for connection loading and starting via "stroke" -some improvements here and there -configuration_manager replaced by configuration_t interface -current configuration_manager is now static_configuration (testing) -first draft of starter_configuration, which should once interact with ipsec starter (via whack?) -some cleanups -socket_t uses RAW socket, which allows parallel service of pluto/charon -comments and cleanups -working policy installation and removal -fixed policy setup bug -proposal setup implementation begun -fixed socket code, so we know on which address we receive traffic -AH/ESP setup in kernel is working now!!! :-))) -installing of child sa works -need correct IP adresses to actually use IPsec -new RFCs of IKEv2, IKEv2 algs and IPSec arch added -update of IKEv2 clarification document -refactored ike proposal -uses now proposal_t, wich is also used by child proposals -ike key derivation refactored -crypter_t api has get_key_size now -some other improvements here and there -config uses uml hosts alice and bob -key derivation for child_sa works -some fixes here and there -fixed memleaks -works with new proposal code -still some(!) memleaks -fixed alot of bugs in child_proposal -near to working state ;-) -dead end implementation - -... there is a lot more of it, but nothing of interest +A summary of changes is available in the NEWS file. For a more +detailed Changelog, use the repository (see HACKING) or the +online interface available at http://trac.strongswan.org. |