strongswan-4.1.0 / R:2552
===========================

  fixed nat detection bug
  OCSP support
  updated NEWS, TODO and man page
  respecting "keyingtries" parameter on IKE_SA setup
  cleanups
  fixed reset() not installing a route when policy gets updated
  renamed keyingtries attribute
  adjusted loglevels
  delay OCSP response by 5 seconds
  always update reqid on policy install, fixes dpdaction=hold issue
  EAP-SIM cleanups
  fixed CHILD_SA rekeying/delete bug on 64bit machines
  removed obsolete methods in delete_payload
  Shortened distribution string
  Shortened distribution string
  shortened distribution string
  add daemon.log to web page
  remove /etc/resolv.conf
  version bump to 4.1.0
  added apache2/ocsp log directory to winnetou
  removed killall openssl
  removed killall openssl
  deleted
  deleted
  create apache2/ocsp/ logging directory on winnetou
  do not check for type of dpd action any more
  create /var/log/apache2/ocsp on winnetou
  added
  added
  added
  delete virtual IP addresses after use
  deleted
  added
  fixed case of missing subjectKeyID
  corrected typo
  version bump to 4.1.0
  added
  use CURLOPT_NOSIGNAL
  added --with-sim-reader option to configure script
  some cleanups in eap_sim
  removed duplicated code in eap_authenticator
  log reception of trusted signer certificate
  version bump to 4.1.0
  deleted
  added
  changed OCSPSigner to OCSPSigning
  fixed carry bug in FIPS prf
  user standard cert
  deleted
  deleted
  added
  added
  modified description.txt and evaltest.dat
  version number selection fix
  some cleanups
  cleaned up and fixed DPD handling code
  removed cfg-payload dns test code
  added
  added
  version bump to strongswan-4.1.0 and linux-2.6.20.3
  cosmetics
  increased control debugging output
  added EAP-SIM authentication
    client side only
    uses an external SIM reader library specified with SIM_READER_LIB
    untested
  not detaching from bus when IKE_SA_INIT is retried
  added AES-192/256 proposals to IKE
  added generic EAP_IDENTITY client implementation using peers IKEv2 ID
  fixed compilation warnings and errors when not using curl
  results from the single responses is stored in the corresponding certinfo_t structs
  moved credential_store.h from charon/config/credentials to libstrongswan
  last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA
  fixed memory leak by calling curl_slist_free_all(headers)
  fixed memory leak by calling curl_slist_free_all(headers)
  whitelisting static Curl_getaddrinfo() memory leak
  fixed a certinfo_t memory leak in verify()
  fixed a memory leak in response_t
  ocsp signer certificate and ocsp response signature can be verified
  fixed memleaks when using EAP authentication
  fixed configuration payloads when using EAP
  fixed payload order (again)
  including peers certificate when his certreq is empty
  implemented cookies as initiator
  proper logging of notifies in IKE_SA setup
  disabling routing for IPv6, does not work correctly
  fixed call of add_auth_certificate()
  generalized get_ca_certificate() to get_auth_certificate(auth_flags)
  added fetcher_finalize() to clean up libcurl
  some cleanups
  not installing %any DNS servers
  support of setting and getting authority flags
  support of ocsp signing certificates
  support of ocsp signing certificates
  fixed payload order in IKE_AUTH
  removed SHA2 kernel proposals from default, the kernel doesn't support them yet
  allocation fixes, not complete
  handling "No policy found" properly
  added more debugging output for policy lookup
  returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE
  fixed CHILD_SA creation within existing IKE_SA
  added ocsp_parse_single_response
  ported changes from EAP branch, reenabling EAP framework
  added (not yet supported) sha2 algorithms to kernel
  only adding a route if using tunnel mode
  added SHA2 MAC and PRF to default proposal
  added more debug output
  experimental SHA2 HMAC and PRF implementations
  parsing basic ocsp response
  forgot to assign public.is_ocsp_signer() method
  added parsing level to x509_create_from_chunk()
  added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method
  http post fetching using libcurl implemented
  added fetcher.h and fetcher.c
  added
  corrected @ingroup to utils
  corrected comment
  start ocsp checking only if there are any ocspuris present
  conntrack -F is used to flush the NAT states
  the hostaccess=yes parameters are not needed anymore
  use conntrack -F to flush NAT states
  replaced actual virtual IP addresses by symbolic ones
  removed unnecessary double quotes
  nonce in ocsp_t was not properly initialized
  ocsp request is now fully built but without requestor signature
  starting to build ocsp request
  prevent from initiating multiple exchanges the same time
  updated apidoc documentation
  fixed notify handling in IKE_AUTH
  moved nonce payload before TS in CHILD_SA setup
  moved REKEY_SA notify to the beginning of the message
  fixed traffic selector redundancy removal code (not completely tested)
  add crl and ocsp uris to linked list after partial verification
  added print hook for certinfo_t printing
  fixed typo
  sending an SPI of 0 as responder when IKE_SA_INIT fails
  iterate certinfos linked list for matching serialNumber
  some cleanups
  not assigning %any virtual IPs to peer anymore
  fixed double free bug
  added
  fixed ID selection bug when peer doesn't include IDr payload
  allowing vendor ID in any message
  moved listing of crls to local_credential_store and ca
  refactored ca_info_t
  refactored ca_info_t
  fixed netlink socket receiver code
  implemented interface enumeration code with netlink: no getifaddrs required anymore
  refactored kernel interface, works reliable again
  implemented get_iface() using RTM_GETADDR
  added support for multi-header netlink messages
  really ugly now, need a lot of refactoring
  added debugging for interface lookup
  fixed address lookup when !using getifaddrs()
  added firewalling support when using virtual IPs
  added support for 0.0.0.0/0 traffic selectors
  fixed routing to make correct 0.0.0.0/0 routes
  config-payload scenario fixes
  preparations for PLUTO_MY_SOURCEIP
  corrected typo
  added cert with OCSP access info
  dpd now takes 180 s and 5 retransmits
  changed grep to creating aquire job for CHILD SA
  replaced actual virtual IPs by place holders
  virtual-ip scenario has been replaced by config-payload scenario
  added
  added
  added ocsp.h and ocsp.c
  added
  r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines
  virtual ip uml test
  fixed reauthentication when connections other is %any
  merged tasking branch into trunk
  fixed big endian bug in md5 hasher
  cosmetics
  added once flag to certinfo_t
  cosmetics
  added certinfos linked list
  changed ca info to ca
  support of ca info sections
  added support of OCSP accessLocations
  correct interface definition
  added support of OCSP accessLocations
  full support of ca info records
  added the create_crluri_iterator method
  replace ca is realized as del_ca followed by add_ca
  last CA keyword is KW_OCSPURI2
  full support of ca info records
  full support of ca info records
  alphabetically sorting print commands
  listing ca_info items
  replace printf.h by stdio.h
  adding get_keyid() method
  support of ca info records
  support of ca info records
  version bump to 4.0.8
  support of ca info records
  support of ca info records
  typo
  SHA512-HMAC bug fix and hash function self-test support
  SHA512-HMAC bug fix and hash function self-test support
  handle strong SHA-2 signatures in X.509 certificates
  SHA-2 fixes and add-ons
  version bumps
  remove strong certs and keys after test
  added
  using "left" as my host per default, swapping to "right" when needed
  respecting source address when sending packets
  added PRINT_CAINFO hook
  stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp
  enable IP forwarding
  prepared support of ca information records and ocsp functionality
  added support of ca information records and ocsp keywords
  enabled adding and deleting ca information records
  fixed starter crash due to freeing default IPSEC_EAPDIR string
  add --eapdir option only if defined in ipsec.conf
  removed eap aka module due nda
  merged EAP framework from branch into trunk
    includes a lot of other modifications
  %T requires time_t ptr
  removed my time_t printf handler patch, applied the one of andreas (64bit save)
  fixed printf() hooks for time
  added support for NULL encryption in ESP
  be more liberal in accepting notifies with a protocol id
  include NO_EXT_SEQUENCE_NUMBER in default proposal
  output peer id if RSA public key is not found
  fixed typo
  version bump to 4.0.8
  added address listing without getifaddrs for uclibc (only IPv4 yet)
  added threads to support multiple simultaneous stroke requests
  renamed all static clone() functions to avoid naming conflicts with uclibc
  sending proper signal to the bus when detecting a dead peer
  added configuration of XAUTH and ModeConfig push mode
  version bump
  version bump
  Cisco XAUTH interoperability
  XAUTH interoperability with Cisco
  removed IPSECPOLICY compile option
  unload xauth_module only if XAUTH_DEFAULT_LIB is defined
  loading the XAUTH module requires libdl
  added some more attributes, inst XAUTH_TYPE in reply
  Mode Config refactoring
  XAUTH fixes and Cisco Unity support
  log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings
  added Cisco Unity ModeCfg attributes
  version bump to 4.0.7
  fixed 64 bit issue with print time
  fixed XAUTHResp bug
  included xauth.h
  use uml_mconsole to check end of booting process
  name the created CHILD_SA
  doubled PAYLIMIT to 40 payloads
  version bump
  show rekeying|reauthentication time
  show name of created CHILD_SA
  combined use_in and use_fwd
  corrected typo
  cosmetics
  cosmetics
  fixed an enumeration error, added CISCO_IOS VID
  fixed mismatch in interface definition of get_secret()
  forward declaration of struct state not needed
  cosmetics
  added firewall support to scenario
  updated changelog for 4.0.6
  fixed crash when CA for certrequest not found
  fixed build when !using smartcard
  removed unused debugging code
  updated NEWS for 4.0.6

strongswan-4.0.6 / R:2131
===========================

  updated NEWS for 4.0.6
  readded transport mode test using new status output
  removed duplicated host2host-transport test
  fixed reauthentication when using %any hosts
  support for transport in create_child_sa
  include TRANSPORT/TUNNEL information in statusall
  load xauth module via dlopen()
  define path to xauth module
  added host2host-transport scenario
  removed trailing lines
  added XAUTH support
  fixed typo
  added XAUTH server and client support
  load and unload XAUTH module
  added xauth.h and xauth.c
  added enable-cisco-quirks configure option
  added xauth scenarios
  added config option for BEET mode
  fixed reauthentication when connections other host is %any
  fixed host conversion length check
  negated POLICY_REAUTH to POLICY_DONT_REAUTH
  negated POLICY_REAUTH to POLICY_DONT_REAUTH
  enable XAUTH_VID by default
  added support for transport mode and (experimental!) BEET mode
  support for the type=transport/tunnel parameter in charon
  fixed charset & cleanups
  added XAUTH server and client support
  additional parentheses for same_chunk() macro
  renamed to appear in doxygen build
  added a roadmap of the strongSwan project (TODO)
  added some NEWS
  first try to update ipsec.conf manual
  implemented reauthentication using the new reauth=yes|no parameter
  fixed more uClibc issues
    should compile against a uClibc > 0.9.28 (untested)
  added XAUTH client states
  version bump to 4.0.6
  fixed stddef.h include
  fixed encoding rules string
  updated todo
  fixed some byte-order issues
  fixed HAVE_BACKTRACE checks
  starter Makefile now uses proper $(COMPILE) to build pluto objects
  made backtrace() calls optional to support uClibc
  XAUTH support
  XAUTH support
  fixed bug in ifdef CISCO_QUIRKS
  added XAUTH support
  support of Cisco Unity VID
  added new VIDs
  version bump to 4.0.6
  fixed case with wildcard peer ID and static peer address
  added simple script to port trunk changes into branches
  start kdevelop with project file from actual branch
  updated changelog
  fixed typos

strongswan-4.0.5 / R:1447
===========================

  fixed typos
  improved selection of ipsec status|statusall
  fixed NEWS (runtime debug level options)
  fixed credits
  fixed very old bug in linked_list's remove_first and remove_last
  proper "ipsec up" signal handling when initiating to %any
  removed iterator hook for replace
  fixed output of proto/port selectors
  cosmetics
  due to console logging, no need for final sleep anymore
  adapted checks to changed ipsec status output
  due to narrowing no need for rightsubnetwithin
  no need to send certreq
  fixed ipsec status|statusall
  log IKE SPIs on a separate line
  redesigned formatting of ipsec status|statusall
  cosmetics
  version bumps of strongSwan, Linux kernel and Gentoo root file system
  corrected description
  added dpd-hold scenario
  added new features
  fixed 64 bit issue
  solved 64 bit issue by changing long to int
  solved 64 bit issue in push/pop stroke interface
  fixed 64 bit issue
  some fixes for doxygen
  better split up of library files "types.h" & "definitions.h"
  centralized all printf specifier character definitions
  reuse of arginfo handlers
  more cleanups
  fixed more AMD64 issues
  added DEBUG_LEVEL compile flag to exclude DBGn() statements
  added nodebug configure script without any debug messages and without -g
  preparations to include certreqs in policy decisions
  do not send certreq payloads when the peer is known to use PSK
  position of (myself) moved in log output
  do not send certreq payloads when using self-signed certs
  moved (myself) in log output
  moved typedefs to beginning of files to solve some include problems
  split authenticator to have a separate implementation for each auth_method_t
  using va_copy to clone va_lists, should fix problems on AMD64
  some other cleanups
  do not sanitize '*' character
  fixed SIGSEGV when setup of an additional CHILD_SA fails
  added IKEv2 clarifications RFC
  changed debug level of certreq log output
  cosmetics in debug output
  support of certreq payload in IKE_AUTH messages
  chunk_to_hex() function declaration deleted
  added function certreq_payload_create_from_x509()
  send a certreq as initiator if other_ca is set
  added method get_ca_certificate()
  added methods get_my_ca() and get_other_ca()
  added methods get_my_ca() and get_other_ca()
  added some missing 'AUD' entries
  cosmetics
  cosmetics
  change due to change debug output
  spaces should not be sanitized
  fixed due to new logging concept
  some improvements in signaling code
  include only source NATD payloads really needed
  updated for NAT team
  improved signal handling and emitting
  support of ModeCfg Push mode
  support of mixed RSA/PSK static connections
  support of ipsec statusall in state output
  output of 'DPD active' in ISAKMP SAs
  support of ipsec statusall in state output
  added natip support
  added has_natip flag
  added ModeCfg push policy and states
  added ModeCfg push policy and states
  fixed typo in debug statement
  redesigned list output format
  added 'modeconfig=pull|push' and 'left|rightnatip' keywords
  added has_natip flag
  added has_natip flag
  added 'exit' statement in listcerts,.. case
  fixed two bugs in the time_t and chunk_ct print functions
  redesigned format of print function
  replaced 'times' by 'dates'
  added private flag to asn1_init
  added private flag to asn1_ctx_t
  removed DES-EDE3-CBC only comment
  removed deprecated iterator methods (has_next & current)
  added iterator hook to manipulate iterator the clean way
  linked list cleanups
  added list methods invoke(), destroy_offset(), destroy_function()
  simplified list destruction when destroying its items
  added verbosity level to stroke
  upgrade to new Gentoo root file system and tcpdump command
  added
  deleted
  renamed ikev1 scenario and added ikev2 scenario
  added new scenarios
  Version bumps of UML kernel, Gentoo root file system and strongSwan release
  code cleanups in printf handlers
  added eap authentication draft for ikev2
  updated stroke to allow run-time manipulation of debug levels
  added charondebug config parameter to set debug level at startup
  introduced new logging subsystem using bus:
    passive listeners can register on the bus
    active listeners wait for signals actively
    multiplexing allows multiple listeners to receive debug signals
    a lot more...
  updated file filter for kdev project
  include CREDITS file in distribution
  moved various scripts in scripts/ dir
  add configure script wrappers
  removed txt files from doxygen
  removed module tests, outdated. We need something more system-test like
  added missing -DDEBUG compile option
  fixed auxiliary message data parsing for IPV6 socket
  using SOL_* constants for socket level
  fixed IPV6_PKTINFO setsockopt() to work with most kernel headers
  replaced strerror(errno) with %m printf specifier
  added stronger certs for moon, carol, and dave
  added IPv6 hw and multicast addresses
  adapted to new tcpdump ipv6 output
  multi-level-ca scenarios use unencrypted private key
  added scenario
  fixed timing
  new gentoo root file system
  fixed bug with openldap 2.3
  removed ipsec.conf version information
  carolKey.pem is now protected by 3DES passphrase
  updated net runlevel scripts
  updated net init scripts
  new net configuration format
  HW addresses must be predefined
  cosmetics
  added USE_LIBCURL
  cosmetics
  found libraries are not appended to LIBS anymore
  version bump to 4.0.5
  fixed DPD to survive IKE_SA rekeying
  introduced printf() specifiers for:
    host_t (%H)
    identification_t (%D)
    chunk pointers (%B)
    memory pointer/length (%b)
  added a signaling bus: receives event and debug messages, sends them to its listeners
  stream_logger, sys_logger, file_logger added, listen to bus
  some other tweaks here and there
  added often used RFCs and drafts
  DES for private key encryption is not supported
  updated NEWS and ChangeLog for 4.0.4 release
  fixed retransmission policy for responder
  fixed dpd for responder
  added ID_ANY check to matches_binary()
  replaced 'missing value' warning by zero length chunk_t value
  defined maximum hash size
  support of AES-192-CBC private key encryption
  added hostaccess support
  added hostaccess support
  moved auth_method to policy
  added hostaccess support
  added hostaccess support
  more consistent authentication logging
  added hostaccess support
  moved auth_method to policy
  moved auth_method to policy
  added hostaccess support; moved auth_method to policy
  added hostaccess support
  added hostaccess support
  added new test scenarios
  fixed some compiler warnings

strongswan-4.0.4 / R:1289
===========================

  fixed some compiler warnings
  extended statusall output
  added job/event-queue statistics
  added allocation statistics when using LEAK_DETECTIVE
  fixed include typo
  public declaration of all HASH_SIZEs in hasher.h
  support of encrypted private key files
  added copyright notice to sha2_hasher
  included SHA2 in build process
  implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512
  added support for 3DES encryption algorithm in IKE
  fixed the ids parsing bug
  fixed the ids parsing bug
  updated TODOs
  fixed memleak
  fixed proper handling of id parsing errors
  proper return value when no PSK found
  added HOST_ACCESS for firewall script as default
  more debugging output for PSK authentication
  some cleanups here and there
  added auth_method field
  added auth_method field
  cosmetics
  verify_emsa_pkcs1_signature returns status_t
  cosmetics
  added PSK support
  enabled firewall support
  proper error handling for socket creation
  handle certificate parsing error more generous
  fixed certificate verification bug!
  fixed memleak when receiving invalid certificate
  version bump to 4.0.4
  version bump to 4.0.4
  two new test scenarios
  fixed path to images directory
  implemented updown script to handle firewalling
  add priority management for kernel policy
  let ROUTED policies installed, until manually removed
  introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
  ike_sa_manager cleanups
  implemented handling of dpdaction and dpddelay ipsec.conf parameters
  reuse reqid when a ROUTED child_sa gets INSTALLED
  fixed a bug in retransmission code
  added support for the "keyingtries" ipsec.conf parameter
  added support for the "dpddelay" ipsec.conf parameter
  done some work for "dpdaction" behavior
  some other cleanups and fixes
  fixed an at-least-one-year-old bug which caused crashes in the scheduler
  added raw socket filter for IPv6
  implemented NAT detection for IPv6
  removed unneeded constructor
  initial support for IPv6 (more testing needed)
    socket works (without v6 filter)
    traffic selector handle IPv4/v4 cleanly
    improvements in traffic selector code
    kernel interface accepts v6 traffic selectors and hosts
    host_t class has full IPv6 support
  added stddef.h include for compilers which do not support the offsetof() directive
  moved interface enumeration code to socket, where it belongs
  query interfaces every time we need it to respect changes in network config
  added address listing on startup and "ipsec statusall"
  version bump of UML kernel to 2.6.17.11
  fixed crash bug when doing "ipsec down" with an unknown connection
  added name property in CHILD_SA, allows proper status output
  fixed bug which prevented port float when nat is detected
  version bumps
  'sha' and 'sha1' are now treated as synonyms
  updated Changelog and other docs

strongswan-4.0.3 / R:1235
===========================

  fixed rekeying behavior when proposing an unacceptable DH group (INVALID_KE_PAYLOAD)
  implement proper handling of most simultaneous IKE_SA rekeying cases
  version bump to 4.0.3
  implemented proper refcounting using atomic operations
  implemented IKE_SA rekeying
    uses ikelifetime, rekeymargin and rekeyfuzz config settings
    no handling of simultaneous exchanges yet!
  added possibility to route CHILD_SAs, without to set them up
    support for auto=route parameter
    support for ipsec route and ipsec unroute
    initiating of CHILD and/or IKE_SAs based on kernel acquires
  reuse an existing IKE_SA to set up additional CHILD_SAs
  introduced refcounting on policy and connections
    aren't stored in the IKE_SA anymore, they are queried on the fly
    are immutable now, allows it to share them
  policy selection based on traffic selectors, leads to valid lookup results
  rekeying queries the policy based on its traffic selectors
  cleanups in kernel interface code
  added proper traffic selector to string conversion
  some cleanups here & there
  X.509 certificate trust path verification added
  fixed UDP decapsulation by adding inbound bypass policy for send socket
  updated mixed tests to new charon output
  corrected DPD entry
  reenabled module tests for charon
  fixed bug which erroneously detected KE payload when rekeying
  added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
  improved logging on verify errors for some payloads
  enforcing IKE_SA shutdown, even when transactions are outstanding
  proper reject of CREATE_CHILD_SA message with KE payload
  added test cases from NAT team
  updated all IKEv2 tests to work with new status output
  added tcpdumpcount function from NATT guys
  added possibility to mount the strongswan tree into all UMLs
  added script for installing from shared tree in all UMLs
  added script to shut down all UMLs properly
  removed in favour of tests from NAT team
  fixed CREATE_CHILD_SA transaction dispatching
  added CHILD_SA states, which allows us to detect further simultaneous transactions
  reimplemented the buggy message id handling
  updated some inline docs
  fixed crypter/signer in/out to conform with standard
  fixed payload order
  added message id logging
  added all currently known notify payload types
  added policy cache to kernel interface
    allows refcounting of multiple installed policies
    finally brings us stable simultaneous rekeying
  leak detective blanks memory on free & alloc, allows further membug detection
  code cleanups
  identification_t.matches() supports multiple wildcard counts
  identification_t.matches() supports multiple wildcard counts
  further work done for simultaneous rekeying/delete
    still some cases which cause trouble
  fixed compiler warnings in parser when using -O2
  reenabled check_expiry
  updated copyright information
  reimplemented CHILD_SA rekeying & delete
    no simultaneous transaction with CHILD_SAs yet!
  removed NAT_TRAVERSAL and VIRTUAL_IP compile options
  removed NAT_TRAVERSAL compile option
  removed NAT_TRAVERSAL and VIRTUAL_IP compile options
  added
  updated NEWS
  added support for leftprotoport and rightprotoport
  improved CHILD_SA output for "ipsec statusall"
  updated whitelist (getprotobynumber)
  redesigned IKE_SA using a transaction mechanism:
    removed old state machine
    reimplemented IKE_SA setup and delete
    implemented dead peer detection
    implemented keep-alives
    a lot of fixes
    no rekeying yet
  fixed compiler warnings
  made thread ids unsigned again, to avoid negative thread ids on some systems
  fixed memleak when initiating a connection already up
  updated leak detective whitelist
  applied latest NATT patch with some fixes and cleanups
  test currently without firewall
  added
  added
  added
  removed
  removed version information from ipsec.conf
  log entries start with lowercase character
  restored lost IKEv2 packet suppression
  added USE_LEAK_DETECTIVE option
  fixed natd_hash memory leak
  tests with subdirectory structure
  removed tests
  introduced subdirectory structure
  support of cert payloads
  lowercase log entries
  distributed by ITA
  added support of updown parameter
  generation of default key
  cosmetics
  added support of updown parameter
  version bump to 4.0.2
  added X.509 trust chain verification
  version bump to 4.0.2
  ESP packet size changed
  fixed bad_proposal_syntax bug
  updated ignorelist for stroke_keywords.c
  applied new changes from NATT team
    DPD only done when no IPsec and IKE traffic processed
    minor changes here and there
  some message code cleanups
  fixed identification_t clone to apply function pointers
  cleaner error handling on UDP encapsulation sockopt failure
  added mysterious UDP encapsulation socket option to get encapsulation working
  fixed BAD_PROPOSAL_SYNTAX vulnerability
  first merge of NATT code
  fixed testing build
  updated for 4.0.1 release
  updated news for 4.0.1 release
  fixed whitelist detection

strongswan-4.0.1 / R:1144
===========================

  fixed whitelist detection
  reworked function ignore mechanism to not-report whitelist rather than overriding functions
  fixed execv call args to work when using strictcrl and syslog
  fixed bug: usage of already freed mem
  readded local_credential_store
  added sendcert policy to connection
  some other cleanups
  implemented rereadcrls rereadcacerts
  implemented rereadcrls rereadcacerts
  implemented rereadcrls rereadcacerts
  removed local_credential_store
  fixed SPI when acting as initiator of rekeying
  fixed SPI when rekeying and deleting CHILD_SAs
  change key derivation order to fulfil RFC
  added crl support
  added listcrls
  added chunk_equals_or_null()
  added crl support
  changed tabs from 8 to 4 spaces
  added crl support
  cosmetics
  cosmetics (space)
  fixed compilation error
  updated for release
  fixed aes code, we support now aes128, aes192, aes256 in IKE
  added support for "ike" and "esp" keywords
  fixed bugs in proposal code
  algorithm selection for charon works now with ipsec.conf
  a lot of other fixes
  implemented clean spi allocation behavior when using multiple proposals
  fixed logleve(l) keyword typo
  handling of "rekey=no" parameter added
  changed default algorithms to:
    ike: aes128-sha-modp2048
    esp: aes128-sha1, 3des-md5
  added default CRL directory path
  added strictcrlpolicy command line argument
  added option parsing
  added local CRLs
  added rekeying parameters
  corrected some descriptions
  moved RSA key size constraints to definitions.h
  fixed down keyword
  debug and logging improvements
  support for stroke listcerts|listcacerts|listcrls|listall
  support for stroke listcerts|listcacerts|listall and left|rightca=
  gperf creates optimum hash table for stroke keywords
  using same reqid if a child sa rekeys an existing one
  NULL string argument is treated as %any
  add_certificate() now returns pointer to added cert
  cosmetics
  single tests now start up faster
  workaround for peers rekeying at the same time
  loading lifetime policies from ipsec.conf
  old child_sa gets deleted after rekeying
  rekeying almost complete, but: IKE_SA get in an invalid state when both initiate rekeying at the same time,
  corrected type
  improved kernel interface logging
  fixed clone/destroy behavior when not using CAs
  specifying keysize in bits, as it is required in IKEv2
  added generic kernel SA algorithm handling, which brings us: aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
  added support for leftsendcert= and left|rightca= parameters
  discard cert if CA basic constraints flag is not set and warn if cert is not valid
  added public methods is_ca() and is_valid()
  changed ASN.1 CONTROL log output to LEVEL2
  cosmetics
  removed unused Makefile
  stroke.h requires libstrongswan/types.h
  fixed compile warnings when using -Wall
  further CHILD_SA rekeying work done:
    creation of a new CHILD_SA on a expire from a kernel works
    delete of old CHILD_SA still missing
    some issues when both initiate rekeying
  updated INSTALL to conform with autotools
  added a short HACKING introduction
  further work for rekeying:
    get lifetimes from policy
    added new state
    initiation of rekeying done
  proposal redone: removed support for AH+ESP proposals
  proper leak detective hook for realloc
  excluded pthread_setspecific from leak detective
  fixed a memleak
  cosmetics
  ipv6-host2host scenario added
  created IPv6 environment
  job management: moved job code from thread_pool to job, jobs have an "execute" method now
    added two new jobs: delete_child_sa & rekey_child_sa
  kernel interface: listens now for ACQUIRE & EXPIRE
    supports hard and soft lifetimes
    fires jobs for delete and rekey child sa
  ike sa manager: can checkout IKE SAs by reqid of owned CHILD SAs
  we have now the infrastructure to do the rekeying... :-)
  fixed some memleaks/freebugs
  leak detective works almost usable now (?!)
  added host2host test for ikev2
  fixed host-host tunnel traffic selection, host-host works now
  bug fixed circumventing an assertion in delete_connection when ikev1 is not set
  minimized prefixed on stroke logger output
  charon outputs strongSwan version
  tests with subjectAltNames now
  fixed event queue for events >36min
  included charons module tests to build & dist
  full support of ikev1 and ikev2 connection flags
  cosmetics in log_status output
  use of streq
  added testing files to dist
  required the use of the "ustar" format to support filenames longer than 99 chars
  lookup of private key based on keyid of public key
  new functions to add certificates and retrieve private and public keys
  changed log level
  list ca certificates
  computation of SHA-1 hash over publicKeyInfo object
  moved abbreviated thread_id in front of brackets
  added has_key parameter to log_certificates()
  log_certificates() now shows keyid and availability of matching private key
  indented loaded file log entry
  moved TIMETOA_BUF definition to types.h
  moved TIMETOA_BUF definition from asn1.h
  define default CA_CERTIFICATE_DIR
  load all ca certificates
  fixed daemon destruction order to prevent crashes on termination
  fixed memleak when deleting a connection
  updated todo list
  policies contain a connections name now
    used for initiate and delete
  connections won't get initiated twice anymore
  deleting of connections is now possible, which allows us to use ipsec update and ipsec reload
  changed iterator->remove behavior
  ipsec up|down|route|delete require a connection name
  stroke now uses constant size string buffer
  changed to standard connection log output
  reworked parsing and matching of subjectAltNames
  added memeq() macro
  moved timetoa() from asn1.c to types.c
  corrected type
  some logging improvements and cosmetics
  handle IKE_SA setup without a piggy-backed CHILD_SA
  more IKEv2 conform
  initiate IKE_SA deletion before manager destruction
  improved code of chunk_equals
  added streq() macro and defined default BUF_LEN
  typo
  build gets perl and gperf from configure now
  moved built sources to maintainer-clean
  show connection templates in status & statusall
  don't complain on termination of IKEv1 connections
  updated ipsec.conf manual to reflect actual state of keyexchange-parameter
  using hubs instead of switches, which allows us to sniff the traffic from the host system.
  changed config load strategy: starter loads both connections in charon & pluto, charon ignores anything with keyexchange!=ikev2. pluto needs the same behavior.
  changed build order to fix build error after distclean
  load_end_certificate() now loads certificates
  cosmetics
  moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber
  moved definition of generalNames_t to identification.h
  corrected description
  reimplemented proper IKE SA deletion using a separate state, should conform now to IKEv2
  fixed build when using --enable-leak-detective
  added removed files to svn:ignore
  fixed bug in pluto/Makefile.am
  removed perl-generated oid.c/h from svn, added them to "dist" and "distclean"
  removed lex, yacc and gperf output from svn, added them to "dist" and "distclean"
  storing release revision in svn property "release-revision", because I forget it all the times
  fixed ignorelist, should work now
  added ignorelist for built files
  re-added doxygen apidoc, buildable with "make apidoc"
  added missing ipsec.conf.5 to distribution :-/
  fixed another typo
  added missing ipsec.conf ipsec.conf.5
  existing ipsec.conf won't get overwritten anymore
  fixed typo in Makefile which corrupted the build
  applied patch from the NAT-T team fixing several typos
  applied patch from andreas, which allows certificate listing via stroke
  added ipsec.conf template and man page back
  removed old Makefiles
  added new strongswan KDevelop project & startup hack
  fixed Revision in changelog for 4.0.0
  started ChangeLog
  simple script for ChangeLog update via "svn log"
  fixed compilation error using --enable-smartcard
  added test for ikev1-ikev2 mixed mode
  added test ikev2 roadwarrior scenario
  applied andreas's patch
  logger output improvements
  testing updates and a lot more
  updated testsuite to autotools
  added random source ./configure options
  fixed default-pkcs11 option
  testcommit
  fixed errors when --enable-pkcs11
  added autogen script
  introduced autotools
    first working version
    make dist should work
    things to do: UML testing! more cleanups
  fixed build
  started to rebuild source layout
  fixed stroke error output to starter
  using random SPIs now, but without collision checks
  applied some -W's from strongswan
  fixed that warnings
  removed IKEV2 ifdefs
  applied patch from andreas
  added charonstart option to config
  new ikev2 tests for UML

strongSwan-4.0.0 / R:967
==========================

  removed IKEV2 ifdefs
  applied patch from andreas
  added charonstart option to config
  new ikev2 tests for UML
  applied patch from andreas
    pem loading
    secrets file parsing
    ikev2 testcase
    some other additions here and there
  connection termination is handled cleanly by name now
  fixed bad bug, certs load now cleanly again
  fixed make install (subdir order)
  fixed include path
  added missing script
  finished initial import of strongswan file tree
  removed a lot of old and unused stuff
  moved RFCs from ikev2 into doc dir
  added missing files for starter
  applied patch for charon (this time really)
  import of strongswan-2.7.0
  applied patch for charon
  renamed get_block_size of hasher
  reworked usage of IDs in various states
    using ID_ANY for any, not NULL as before
  initiator sends IDr payload in IKE_AUTH when ID unique
  fixed charon checks using status & statusall
  patch for 2.7.0
  add connection names to connections
    stroke status / ipsec status shows them
  added statusall for stroke
  added status by connection name
  some tests repaired, more to come
  fixed spi conversion
  improved "stroke status" output
  setup PID file after daemon initialization, to correctly inform starter about daemon startup
  added separate implementation for connection_store, credential_store, policy_store
  added folder structure to config
  credentials are fetched solely on IDs now
  identification_t supports now almost all id types
  x509 certificates work with identification_t now
  fixes here, fixes there
  fixed doxygen build
  separates now in lib and charon
    library initialization done at a central point (library.c)
    some leak_detective fixes
  updated Todos
  fixed log-to-syslog behavior
  added patch against strongswan-2.6.4
  x509 certificate loading with pluto asn1 code
    x509 needs a lot more attention!
  renamed some files
  using asn1 pluto stuff now
  removed, since we use pluto asn1 stuff
  leak detective is usable, but does not show static function names
    a script which gets address via ldd and resolves address via addr2line would be nice
  fixed a leak in child_sa with new detective ;-)
  some improvements to new asn1 stuff
    to be continued
  fixed bad bugs in kernel interface
  added some logging info
  works now much more stable
  started importing pluto ASN1 stuff
    der PKCS#1 key loading works (as it did with der_decoder)
  split up in libstrong, charon, stroke, testing
    done new leak detective with malloc hook in library
    useable, but needs improvements
    logger_manager has now a single instance per library
    allows use of loggers from any linking prog
    a LOT of other things
  ../svn-commit.tmp
  added missing stroke.h
  improved strokeing
    down connection
    status
    some other tweaks
  rewrote a lot of RSA stuff
  done major work for ASN1/decoder
    allow loading of ASN1 der encoded private keys, public keys and certificates
    extracting public key from certificates
    passing
certificates from stroke to charon => basic authentication with RSA certificates works! starter work on asn1 with der de/encoder RSA private and public key can load read key from ASN1 DER some other fixes here and there rewrite of logger_manager, uses now one instance per context cleanups for logger here and there removed critical flag check in payload verification (conformance to IKEv2) so thats and theres everywere... ;-) patch for strongswan-2.6.3 added charon support for strongswan build process ipsec starter supports charon startup and control removed old diploma thesis scripts some cleanups compatibility to strongswan, Makefile can be called by "make programs" and "make install" (ikev2 patch must be applied to strongswan) first version of stroke control utility moved output to doc/api, since doc is used for other docs now some first documentation in english removed old eclipse project files works quite well now with ipsec.conf & ipsec starter belongs to previous commit ;-) reworked configuration framework completly configuration is now split up in: connections, policies, credentials and daemon config further alloc/free fixes needed! first attempt for connection loading and starting via "stroke" some improvements here and there configuration_manager replaced by configuration_t interface current configuration_manager is now static_configuration (testing) first draft of starter_configuration, which should once interact with ipsec starter (via whack?) some cleanups socket_t uses RAW socket, which allows parallel service of pluto/charon comments and cleanups working policy installation and removal fixed policy setup bug proposal setup implementation begun fixed socket code, so we know on which address we receive traffic AH/ESP setup in kernel is working now!!! 
:-))) installing of child sa works need correct IP adresses to actually use IPsec new RFCs of IKEv2, IKEv2 algs and IPSec arch added update of IKEv2 clarification document refactored ike proposal uses now proposal_t, wich is also used by child proposals ike key derivation refactored crypter_t api has get_key_size now some other improvements here and there config uses uml hosts alice and bob key derivation for child_sa works some fixes here and there fixed memleaks works with new proposal code still some(!) memleaks fixed alot of bugs in child_proposal near to working state ;-) dead end implementation ... there is a lot more of it, but nothing of interest