strongswan-4.1.0 / R:2552
===========================
fixed nat detection bug
OCSP support
updated NEWS, TODO and man page
respecting "keyingtries" parameter on IKE_SA setup
cleanups
fixed reset()
not installing a route when policy gets updated
renamed keyingtries attribute
adjusted loglevels
delay OCSP response by 5 seconds
always update reqid on policy install, fixes dpdaction=hold issue
EAP-SIM cleanups
fixed CHILD_SA rekeying/delete bug on 64bit machines
removed obsolete methods in delete_payload
Shortened distribution string
Shortened distribution string
shortened distribution string
add daemon.log to web page
remove /etc/resolv.conf
version bump to 4.1.0
added apache2/ocsp log directory to winnetou
removed killall openssl
removed killall openssl
deleted
deleted
create apache2/ocsp/ logging directory on winnetou
do not check for type of dpd action any more
create /var/log/apache2/ocsp on winnetou
added
added
added
delete virtual IP addresses after use
deleted
added
fixed case of missing subjectKeyID
corrected typo
version bump to 4.1.0
added
use CURLOPT_NOSIGNAL
added --with-sim-reader option to configure script
some cleanups in eap_sim
removed duplicated code in eap_authenticator
log reception of trusted signer certificate
version bump to 4.1.0
deleted
added
changed OCSPSigner to OCSPSigning
fixed carry bug in FIPS prf
use standard cert
deleted
deleted
added
added
modified description.txt and evaltest.dat
version number selection fix
some cleanups
cleaned up and fixed DPD handling code
removed cfg-payload dns test code
added
added
version bump to strongswan-4.1.0 and linux-2.6.20.3
cosmetics
increased control debugging output
added EAP-SIM authentication
client side only
uses an external SIM reader library specified with SIM_READER_LIB
untested
not detaching from bus when IKE_SA_INIT is retried
added AES-192/256 proposals to IKE
added generic EAP_IDENTITY client implementation using peer's IKEv2 ID
fixed compilation warnings and errors when not using curl
results from the single responses are stored in the corresponding certinfo_t structs
moved credential_store.h from charon/config/credentials to libstrongswan
last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA
fixed memory leak by calling curl_slist_free_all(headers)
fixed memory leak by calling curl_slist_free_all(headers)
whitelisting static Curl_getaddrinfo() memory leak
fixed a certinfo_t memory leak in verify()
fixed a memory leak in response_t
ocsp signer certificate and ocsp response signature can be verified
fixed memleaks when using EAP authentication
fixed configuration payloads when using EAP
fixed payload order (again)
including peer's certificate when his certreq is empty
implemented cookies as initiator
proper logging of notifies in IKE_SA setup
disabling routing for IPv6, does not work correctly
fixed call of add_auth_certificate()
generalized get_ca_certificate() to get_auth_certificate(auth_flags)
added fetcher_finalize() to clean up libcurl
some cleanups
not installing %any DNS servers
support of setting and getting authority flags
support of ocsp signing certificates
support of ocsp signing certificates
fixed payload order in IKE_AUTH
removed SHA2 kernel proposals from default, the kernel doesn't support them yet
allocation fixes, not complete
handling "No policy found" properly
added more debugging output for policy lookup
returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE
fixed CHILD_SA creation within existing IKE_SA
added ocsp_parse_single_response
ported changes from EAP branch, re-enabling EAP framework
added (not yet supported) sha2 algorithms to kernel
only adding a route if using tunnel mode
added SHA2 MAC and PRF to default proposal
added more debug output
experimental SHA2 HMAC and PRF implementations
parsing basic ocsp response
forgot to assign public.is_ocsp_signer() method
added parsing level to x509_create_from_chunk()
added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method
http post fetching using libcurl implemented
added fetcher.h and fetcher.c
added
corrected @ingroup to utils
corrected comment
start ocsp checking only if there are any ocspuris present
conntrack -F is used to flush the NAT states
the hostaccess=yes parameters are not needed anymore
use conntrack -F to flush NAT states
replaced actual virtual IP addresses by symbolic ones
removed unnecessary double quotes
nonce in ocsp_t was not properly initialized
ocsp request is now fully built but without requestor signature
starting to build ocsp request
prevent initiating multiple exchanges at the same time
updated apidoc documentation
fixed notify handling in IKE_AUTH
moved nonce payload before TS in CHILD_SA setup
moved REKEY_SA notify to the beginning of the message
fixed traffic selector redundancy removal code (not completely tested)
add crl and ocsp uris to linked list after partial verification
added print hook for certinfo_t printing
fixed typo
sending an SPI of 0 as responder when IKE_SA_INIT fails
iterate certinfos linked list for matching serialNumber
some cleanups
not assigning %any virtual IPs to peer anymore
fixed double free bug
added
fixed ID selection bug when peer doesn't include IDr payload
allowing vendor ID in any message
moved listing of crls to local_credential_store and ca
refactored ca_info_t
refactored ca_info_t
fixed netlink socket receiver code
implemented interface enumeration code with netlink: no getifaddrs required anymore
refactored kernel interface, works reliably again
implemented get_iface() using RTM_GETADDR
added support for multi-header netlink messages
really ugly now, needs a lot of refactoring
added debugging for interface lookup
fixed address lookup when !using getifaddrs()
added firewalling support when using virtual IPs
added support for 0.0.0.0/0 traffic selectors
fixed routing to make correct 0.0.0.0/0 routes
config-payload scenario fixes
preparations for PLUTO_MY_SOURCEIP
corrected typo
added cert with OCSP access info
dpd now takes 180 s and 5 retransmits
changed grep to creating acquire job for CHILD SA
replaced actual virtual IPs by place holders
virtual-ip scenario has been replaced by config-payload scenario
added
added
added ocsp.h and ocsp.c
added
r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines
virtual ip uml test
fixed reauthentication when connections other is %any
merged tasking branch into trunk
fixed big endian bug in md5 hasher
cosmetics
added once flag to certinfo_t
cosmetics
added certinfos linked list
changed ca info to ca
support of ca info sections
added support of OCSP accessLocations
correct interface definition
added support of OCSP accessLocations
full support of ca info records
added the create_crluri_iterator method
replace ca is realized as del_ca followed by add_ca
last CA keyword is KW_OCSPURI2
full support of ca info records
full support of ca info records
alphabetically sorting print commands
listing ca_info items
replace printf.h by stdio.h
adding get_keyid() method
support of ca info records
support of ca info records
version bump to 4.0.8
support of ca info records
support of ca info records
typo
SHA512-HMAC bug fix and hash function self-test support
SHA512-HMAC bug fix and hash function self-test support
handle strong SHA-2 signatures in X.509 certificates
SHA-2 fixes and add-ons
version bumps
remove strong certs and keys after test
added
using "left" as my host by default, swapping to "right" when needed
respecting source address when sending packets
added PRINT_CAINFO hook
stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp
enable IP forwarding
prepared support of ca information records and ocsp functionality
added support of ca information records and ocsp keywords
enabled adding and deleting ca information records
fixed starter crash due to freeing default IPSEC_EAPDIR string
add --eapdir option only if defined in ipsec.conf
removed eap aka module due to nda
merged EAP framework from branch into trunk
includes a lot of other modifications
%T requires time_t ptr
removed my time_t printf handler patch, applied the one of andreas (64bit safe)
fixed printf() hooks for time
added support for NULL encryption in ESP
be more liberal in accepting notifies with a protocol id
include NO_EXT_SEQUENCE_NUMBER in default proposal
output peer id if RSA public key is not found
fixed typo
version bump to 4.0.8
added address listing without getifaddrs for uclibc (only IPv4 yet)
added threads to support multiple simultaneous stroke requests
renamed all static clone() functions to avoid naming conflicts with uclibc
sending proper signal to the bus when detecting a dead peer
added configuration of XAUTH and ModeConfig push mode
version bump
version bump
Cisco XAUTH interoperability
XAUTH interoperability with Cisco
removed IPSECPOLICY compile option
unload xauth_module only if XAUTH_DEFAULT_LIB is defined
loading the XAUTH module requires libdl
added some more attributes, inst XAUTH_TYPE in reply
Mode Config refactoring
XAUTH fixes and Cisco Unity support
log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings
added Cisco Unity ModeCfg attributes
version bump to 4.0.7
fixed 64 bit issue with print time
fixed XAUTHResp bug
included xauth.h
use uml_mconsole to check end of booting process
name the created CHILD_SA
doubled PAYLIMIT to 40 payloads
version bump
show rekeying|reauthentication time
show name of created CHILD_SA
combined use_in and use_fwd
corrected typo
cosmetics
cosmetics
fixed an enumeration error, added CISCO_IOS VID
fixed mismatch in interface definition of get_secret()
forward declaration of struct state not needed
cosmetics
added firewall support to scenario
updated changelog for 4.0.6
fixed crash when CA for certrequest not found
fixed build when !using smartcard
removed unused debugging code
updated NEWS for 4.0.6
strongswan-4.0.6 / R:2131
===========================
updated NEWS for 4.0.6
re-added transport mode test using new status output
removed duplicated host2host-transport test
fixed reauthentication when using %any hosts
support for transport in create_child_sa
include TRANSPORT/TUNNEL information in statusall
load xauth module via dlopen()
define path to xauth module
added host2host-transport scenario
removed trailing lines
added XAUTH support
fixed typo
added XAUTH server and client support
load and unload XAUTH module
added xauth.h and xauth.c
added enable-cisco-quirks configure option
added xauth scenarios
added config option for BEET mode
fixed reauthentication when connection's other host is %any
fixed host conversion length check
negated POLICY_REAUTH to POLICY_DONT_REAUTH
negated POLICY_REAUTH to POLICY_DONT_REAUTH
enable XAUTH_VID by default
added support for transport mode and (experimental!) BEET mode
support for the type=transport/tunnel parameter in charon
fixed charset & cleanups
added XAUTH server and client support
additional parentheses for same_chunk() macro
renamed to appear in doxygen build
added a roadmap of the strongSwan project (TODO)
added some NEWS
first try to update ipsec.conf manual
implemented reauthentication using the new reauth=yes|no parameter
fixed more uClibc issues
should compile against a uClibc > 0.9.28 (untested)
added XAUTH client states
version bump to 4.0.6
fixed stddef.h include
fixed encoding rules string
updated todo
fixed some byte-order issues
fixed HAVE_BACKTRACE checks
starter Makefile now uses proper $(COMPILE) to build pluto objects
made backtrace() calls optional to support uClibc
XAUTH support
XAUTH support
fixed bug in ifdef CISCO_QUIRKS
added XAUTH support
support of Cisco Unity VID
added new VIDs
version bump to 4.0.6
fixed case with wildcard peer ID and static peer address
added simple script to port trunk changes into branches
start kdevelop with project file from actual branch
updated changelog
fixed typos
strongswan-4.0.5 / R:1447
===========================
fixed typos
improved selection of ipsec status|statusall <name>
fixed NEWS (runtime debug level options)
fixed credits
fixed very old bug in linked_list's remove_first and remove_last
proper "ipsec up" signal handling when initiating to %any
removed iterator hook for replace
fixed output of proto/port selectors
cosmetics
due to console logging, no need for final sleep anymore
adapted checks to changed ipsec status output
due to narrowing no need for rightsubnetwithin
no need to send certreq
fixed ipsec status|statusall <name>
log IKE SPIs on a separate line
redesigned formatting of ipsec status|statusall
cosmetics
version bumps of strongSwan, Linux kernel and Gentoo root file system
corrected description
added dpd-hold scenario
added new features
fixed 64 bit issue
solved 64 bit issue by changing long to int
solved 64 bit issue in push/pop stroke interface
fixed 64 bit issue
some fixes for doxygen
better split up of library files "types.h" & "definitions.h"
centralized all printf specifier character definitions
reuse of arginfo handlers
more cleanups
fixed more AMD64 issues
added DEBUG_LEVEL compile flag to exclude DBGn() statements
added nodebug configure script without any debug messages and without -g
preparations to include certreqs in policy decisions
do not send certreq payloads when the peer is known to use PSK
position of (myself) moved in log output
do not send certreq payloads when using self-signed certs
moved (myself) in log output
moved typedefs to beginning of files to solve some include problems
split authenticator to have a separate implementation for each auth_method_t
using va_copy to clone va_lists, should fix problems on AMD64
some other cleanups
do not sanitize '*' character
fixed SIGSEGV when setup of an additional CHILD_SA fails
added IKEv2 clarifications RFC
changed debug level of certreq log output
cosmetics in debug output
support of certreq payload in IKE_AUTH messages
chunk_to_hex() function declaration deleted
added function certreq_payload_create_from_x509()
send a certreq as initiator if other_ca is set
added method get_ca_certificate()
added methods get_my_ca() and get_other_ca()
added methods get_my_ca() and get_other_ca()
added some missing 'AUD' entries
cosmetics
cosmetics
change due to changed debug output
spaces should not be sanitized
fixed due to new logging concept
some improvements in signaling code
include only source NATD payloads really needed
updated for NAT team
improved signal handling and emitting
support of ModeCfg Push mode
support of mixed RSA/PSK static connections
support of ipsec statusall in state output
output of 'DPD active' in ISAKMP SAs
support of ipsec statusall in state output
added natip support
added has_natip flag
added ModeCfg push policy and states
added ModeCfg push policy and states
fixed typo in debug statement
redesigned list output format
added 'modeconfig=pull|push' and 'left|rightnatip' keywords
added has_natip flag
added has_natip flag
added 'exit' statement in listcerts,.. case
fixed two bugs in the time_t and chunk_ct print functions
redesigned format of print function
replaced 'times' by 'dates'
added private flag to asn1_init
added private flag to asn1_ctx_t
removed DES-EDE3-CBC only comment
removed deprecated iterator methods (has_next & current)
added iterator hook to manipulate iterator the clean way
linked list cleanups
added list methods invoke(), destroy_offset(), destroy_function()
simplified list destruction when destroying its items
added verbosity level to stroke
upgrade to new Gentoo root file system and tcpdump command
added
deleted
renamed ikev1 scenario and added ikev2 scenario
added new scenarios
Version bumps of UML kernel, Gentoo root file system and strongSwan release
code cleanups in printf handlers
added eap authentication draft for ikev2
updated stroke to allow run-time manipulation of debug levels
added charondebug config parameter to set debug level at startup
introduced new logging subsystem using bus:
passive listeners can register on the bus
active listeners wait for signals actively
multiplexing allows multiple listeners to receive debug signals
a lot more...
updated file filter for kdev project
include CREDITS file in distribution
moved various scripts into scripts/ dir
add configure script wrappers
removed txt files from doxygen
removed module tests, outdated. We need something more system-test like
added missing -DDEBUG compile option
fixed auxiliary message data parsing for IPV6 socket
using SOL_* constants for socket level
fixed IPV6_PKTINFO setsockopt() to work with most kernel headers
replaced strerror(errno) with %m printf specifier
added stronger certs for moon, carol, and dave
added IPv6 hw and multicast addresses
adapted to new tcpdump ipv6 output
multi-level-ca scenarios use unencrypted private key
added scenario
fixed timing
new gentoo root file system
fixed bug with openldap 2.3
removed ipsec.conf version information
carolKey.pem is now protected by 3DES passphrase
updated net runlevel scripts
updated net init scripts
new net configuration format
HW addresses must be predefined
cosmetics
added USE_LIBCURL
cosmetics
found libraries are not appended to LIBS anymore
version bump to 4.0.5
fixed DPD to survive IKE_SA rekeying
introduced printf() specifiers for:
host_t (%H)
identification_t (%D)
chunk pointers (%B)
memory pointer/length (%b)
added a signaling bus:
receives event and debug messages, sends them to its listeners
stream_logger, sys_logger, file_logger added, listen to bus
some other tweaks here and there
added often used RFCs and drafts
DES for private key encryption is not supported
updated NEWS and ChangeLog for 4.0.4 release
fixed retransmission policy for responder
fixed dpd for responder
added ID_ANY check to matches_binary()
replaced 'missing value' warning by zero length chunk_t value
defined maximum hash size
support of AES-192-CBC private key encryption
added hostaccess support
added hostaccess support
moved auth_method to policy
added hostaccess support
added hostaccess support
more consistent authentication logging
added hostaccess support
moved auth_method to policy
moved auth_method to policy
added hostaccess support; moved auth_method to policy
added hostaccess support
added hostaccess support
added new test scenarios
fixed some compiler warnings
strongswan-4.0.4 / R:1289
===========================
fixed some compiler warnings
extended statusall output
added job/event-queue statistics
added allocation statistics when using LEAK_DETECTIVE
fixed include typo
public declaration of all HASH_SIZEs in hasher.h
support of encrypted private key files
added copyright notice to sha2_hasher
included SHA2 in build process
implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512
added support for 3DES encryption algorithm in IKE
fixed the ids parsing bug
fixed the ids parsing bug
updated TODOs
fixed memleak
fixed proper handling of id parsing errors
proper return value when no PSK found
added HOST_ACCESS for firewall script as default
more debugging output for PSK authentication
some cleanups here and there
added auth_method field
added auth_method field
cosmetics
verify_emsa_pkcs1_signature returns status_t
cosmetics
added PSK support
enabled firewall support
proper error handling for socket creation
handle certificate parsing errors more generously
fixed certificate verification bug!
fixed memleak when receiving invalid certificate
version bump to 4.0.4
version bump to 4.0.4
two new test scenarios
fixed path to images directory
implemented updown script to handle firewalling
add priority management for kernel policy
leave ROUTED policies installed until manually removed
introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
ike_sa_manager cleanups
implemented handling of dpdaction and dpddelay ipsec.conf parameters
reuse reqid when a ROUTED child_sa gets INSTALLED
fixed a bug in retransmission code
added support for the "keyingtries" ipsec.conf parameter
added support for the "dpddelay" ipsec.conf parameter
done some work for "dpdaction" behavior
some other cleanups and fixes
fixed an at-least-one-year-old bug which caused crashes in the scheduler
added raw socket filter for IPv6
implemented NAT detection for IPv6
removed unneeded constructor
initial support for IPv6 (more testing needed)
socket works (without v6 filter)
traffic selector handle IPv4/v4 cleanly
improvements in traffic selector code
kernel interface accepts v6 traffic selectors and hosts
host_t class has full IPv6 support
added stddef.h include for compilers which do not support the offsetof() directive
moved interface enumeration code to socket, where it belongs
query interfaces every time we need it to respect changes in network config
added address listing on startup and "ipsec statusall"
version bump of UML kernel to 2.6.17.11
fixed crash bug when doing "ipsec down" with an unknown connection
added name property in CHILD_SA, allows proper status output
fixed bug which prevented port float when nat is detected
version bumps
'sha' and 'sha1' are now treated as synonyms
updated Changelog and other docs
strongswan-4.0.3 / R:1235
===========================
fixed rekeying behavior when proposing an unacceptable DH group (INVALID_KE_PAYLOAD)
implement proper handling of most simultaneous IKE_SA rekeying cases
version bump to 4.0.3
implemented proper refcounting using atomic operations
implemented IKE_SA rekeying
uses ikelifetime, rekeymargin and rekeyfuzz config settings
no handling of simultaneous exchanges yet!
added possibility to route CHILD_SAs without setting them up
support for auto=route parameter
support for ipsec route and ipsec unroute
initiating of CHILD and/or IKE_SAs based on kernel acquires
reuse an existing IKE_SA to set up additional CHILD_SAs
introduced refcounting on policy and connections
aren't stored in the IKE_SA anymore, they are queried on the fly
are immutable now, which allows sharing them
policy selection based on traffic selectors, leads to valid lookup results
rekeying queries the policy based on its traffic selectors
cleanups in kernel interface code
added proper traffic selector to string conversion
some cleanups here & there
X.509 certificate trust path verification
added
fixed UDP decapsulation by adding inbound bypass policy for send socket
updated mixed tests to new charon output
corrected DPD entry
reenabled module tests for charon
fixed bug which erroneously detected KE payload when rekeying
added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
improved logging on verify errors for some payloads
enforcing IKE_SA shutdown, even when transactions are outstanding
proper reject of CREATE_CHILD_SA message with KE payload
added test cases from NAT team
updated all IKEv2 tests to work with new status output
added tcpdumpcount function from NATT guys
added possibility to mount the strongswan tree into all UMLs
added script for installing from shared tree in all UMLs
added script to shut down all UMLs properly
removed in favour of tests from NAT team
fixed CREATE_CHILD_SA transaction dispatching
added CHILD_SA states, which allows us to detect further simultaneous transactions
reimplemented the buggy message id handling
updated some inline docs
fixed crypter/signer in/out to conform with standard
fixed payload order
added message id logging
added all currently known notify payload types
added policy cache to kernel interface
allows refcounting of multiple installed policies
finally brings us stable simultaneous rekeying
leak detective blanks memory on free & alloc, allows further membug detection
code cleanups
identification_t.matches() supports multiple wildcard counts
identification_t.matches() supports multiple wildcard counts
further work done for simultaneous rekeying/delete
still some cases which cause trouble
fixed compiler warnings in parser when using -O2
reenabled check_expiry
updated copyright information
reimplemented CHILD_SA rekeying & delete
no simultaneous transaction with CHILD_SAs yet!
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
removed NAT_TRAVERSAL compile option
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
added
updated NEWS
added support for leftprotoport and rightprotoport
improved CHILD_SA output for "ipsec statusall"
updated whitelist (getprotobynumber)
redesigned IKE_SA using a transaction mechanism:
removed old state machine
reimplemented IKE_SA setup and delete
implemented dead peer detection
implemented keep-alives
a lot of fixes
no rekeying yet
fixed compiler warnings
made thread ids unsigned again, to avoid negative thread ids on some systems
fixed memleak when initiating a connection already up
updated leak detective whitelist
applied latest NATT patch with some fixes and cleanups
test currently without firewall
added
added
added
removed
removed version information from ipsec.conf
log entries start with lowercase character
restored lost IKEv2 packet suppression
added USE_LEAK_DETECTIVE option
fixed natd_hash memory leak
tests with subdirectory structure
removed tests
introduced subdirectory structure
support of cert payloads
lowercase log entries
distributed by ITA
added support of updown parameter
generation of default key
cosmetics
added support of updown parameter
version bump to 4.0.2
added X.509 trust chain verification
version bump to 4.0.2
ESP packet size changed
fixed bad_proposal_syntax bug
updated ignorelist for stroke_keywords.c
applied new changes from NATT team
DPD only done when no IPsec and IKE traffic processed
minor changes here and there
some message code cleanups
fixed identification_t clone to apply function pointers
cleaner error handling on UDP encapsulation sockopt failure
added mysterious UDP encapsulation socket option to get encapsulation working
fixed BAD_PROPOSAL_SYNTAX vulnerability
first merge of NATT code
fixed testing build
updated for 4.0.1 release
updated news for 4.0.1 release
fixed whitelist detection
strongswan-4.0.1 / R:1144
===========================
fixed whitelist detection
reworked function ignore mechanism to not-report whitelist
rather than overriding functions
fixed execv call args to work when using strictcrl and syslog
fixed bug: usage of already freed mem
readded local_credential_store
added sendcert policy to connection
some other cleanups
implemented rereadcrls rereadcacerts
implemented rereadcrls rereadcacerts
implemented rereadcrls rereadcacerts
removed local_credential_store
fixed SPI when acting as initiator of rekeying
fixed SPI when rekeying and deleting CHILD_SAs
change key derivation order to fulfill RFC
added crl support
added listcrls
added chunk_equals_or_null()
added crl support
changed tabs from 8 to 4 spaces
added crl support
cosmetics
cosmetics (space)
fixed compilation error
updated for release
fixed aes code, we support now aes128, aes192, aes256 in IKE
added support for "ike" and "esp" keywords
fixed bugs in proposal code
algorithm selection for charon works now with ipsec.conf
a lot of other fixes
implemented clean spi allocation behavior when using multiple proposals
fixed logleve(l) keyword typo
handling of "rekey=no" parameter added
changed default algorithms to:
ike: aes128-sha-modp2048
esp: aes128-sha1, 3des-md5
added default CRL directory path
added strictcrlpolicy command line argument
added option parsing
added local CRLs
added rekeying parameters
corrected some descriptions
moved RSA key size constraints to definitions.h
fixed down keyword
debug and logging improvements
support for stroke listcerts|listcacerts|listcrls|listall
support for stroke listcerts|listcacerts|listall and left|rightca=
gperf creates optimum hash table for stroke keywords
using same reqid if a child sa rekeys an existing one
NULL string argument is treated as %any
add_certificate() now returns pointer to added cert
cosmetics
single tests now start up faster
workaround for peers rekeying at the same time
loading lifetime policies from ipsec.conf
old child_sa gets deleted after rekeying
rekeying almost complete, but:
IKE_SA gets in an invalid state when both initiate rekeying at the same time,
corrected type
improved kernel interface logging
fixed clone/destroy behavior when not using CAs
specifying keysize in bits, as it is required in IKEv2
added generic kernel SA algorithm handling, which brings us:
aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
added support for leftsendcert= and left|rightca= parameters
discard cert if CA basic constraints flag is not set and warn if cert is not valid
added public methods is_ca() and is_valid()
changed ASN.1 CONTROL log output to LEVEL2
cosmetics
removed unused Makefile
stroke.h requires libstrongswan/types.h
fixed compile warnings when using -Wall
further CHILD_SA rekeying work done:
creation of a new CHILD_SA on an expire from a kernel works
delete of old CHILD_SA still missing
some issues when both initiate rekeying
updated INSTALL to conform with autotools
added a short HACKING introduction
further work for rekeying:
get lifetimes from policy
added new state
initiation of rekeying done
proposal redone:
removed support for AH+ESP proposals
proper leak detective hook for realloc
excluded pthread_setspecific from leak detective
fixed a memleak
cosmetics
ipv6-host2host scenario added
created IPv6 environment
job management:
moved job code from thread_pool to job, jobs have an "execute" method now
added two new jobs: delete_child_sa & rekey_child_sa
kernel interface:
listens now for ACQUIRE & EXPIRE
supports hard and soft lifetimes
fires jobs for delete and rekey child sa
ike sa manager:
can checkout IKE SAs by reqid of owned CHILD SAs
we have now the infrastructure to do the rekeying... :-)
fixed some memleaks/freebugs
leak detective works almost usable now (?!)
added host2host test for ikev2
fixed host-host tunnel traffic selection, host-host works now
bug fixed circumventing an assertion in delete_connection when ikev1 is not set
minimized prefixes on stroke logger output
charon outputs strongSwan version
tests with subjectAltNames now
fixed event queue for events >36min
included charons module tests to build & dist
full support of ikev1 and ikev2 connection flags
cosmetics in log_status output
use of streq
added testing files to dist
required the use of the "ustar" format to support
filenames longer than 99 chars
lookup of private key based on keyid of public key
new functions to add certificates and retrieve private and public keys
changed log level
list ca certificates
computation of SHA-1 hash over publicKeyInfo object
moved abbreviated thread_id in front of brackets
added has_key parameter to log_certificates()
log_certificates() now shows keyid and availability of matching private key
indented loaded file log entry
moved TIMETOA_BUF definition to types.h
moved TIMETOA_BUF definition from asn1.h
define default CA_CERTIFICATE_DIR
load all ca certificates
fixed daemon destruction order to prevent
crashes on termination
fixed memleak when deleting a connection
updated todo list
policies contain a connections name now
used for initiate and delete
connections won't get initiated twice anymore
deleting of connections is now possible, which allows us to use
ipsec update and ipsec reload
changed iterator->remove behavior
ipsec up|down|route|delete require a connection name
stroke now uses constant size string buffer
changed to standard connection log output
reworked parsing and matching of subjectAltNames
added memeq() macro
moved timetoa() from asn1.c to types.c
corrected type
some logging improvements and cosmetics
handle IKE_SA setup without a piggy-backed CHILD_SA
more IKEv2 conform
initiate IKE_SA deletion before manager destruction
improved code of chunk_equals
added streq() macro and defined default BUF_LEN
typo
build gets perl and gperf from configure now
moved built sources to maintainer-clean
show connection templates in status & statusall
don't complain on termination of IKEv1 connections
updated ipsec.conf manual to reflect actual state of
keyexchange-parameter
using hubs instead of switches, which allows us
to sniff the traffic from the host system.
changed config load strategy:
starter loads both connections in charon & pluto,
charon ignores anything with keyexchange!=ikev2.
pluto needs the same behavior.
changed build order to fix build error after distclean
load_end_certificate() now loads certificates
cosmetics
moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber
moved definition of generalNames_t to identification.h
corrected description
reimplemented proper IKE SA deletion using a separate state,
should conform now to IKEv2
fixed build when using --enable-leak-detective
added removed files to svn:ignore
fixed bug in pluto/Makefile.am
removed perl-generated oid.c/h from svn,
added them to "dist" and "distclean"
removed lex, yacc and gperf output from svn,
added them to "dist" and "distclean"
storing release revision in svn property "release-revision", because I forget it all the times
fixed ignorelist, should work now
added ignorelist for built files
re-added doxygen apidoc, buildable with "make apidoc"
added missing ipsec.conf.5 to distribution :-/
fixed another typo
added missing ipsec.conf ipsec.conf.5
existing ipsec.conf won't get overwritten anymore
fixed typo in Makefile which corrupted the build
applied patch from the NAT-T team fixing several typos
applied patch from andreas, which allows certificate listing via stroke
added ipsec.conf template and man page back
removed old Makefiles
added new strongswan KDevelop project & startup hack
fixed Revision in changelog for 4.0.0
started ChangeLog
simple script for ChangeLog update via "svn log"
fixed compilation error using --enable-smartcard
added test for ikev1-ikev2 mixed mode
added test ikev2 roadwarrior scenario
applied andreas's patch
logger output improvements
testing updates
and a lot more
updated testsuite to autotools
added random source ./configure options
fixed default-pkcs11 option
testcommit
fixed errors when --enable-pkcs11
added autogen script
introduced autotools
first working version
make dist should work
things to do:
UML testing!
more cleanups
fixed build
started to rebuild source layout
fixed stroke error output to starter
using random SPIs now, but without collision checks
applied some -W's from strongswan
fixed those warnings
removed IKEV2 ifdefs
applied patch from andreas
added charonstart option to config
new ikev2 tests for UML
strongSwan-4.0.0 / R:967
==========================
removed IKEV2 ifdefs
applied patch from andreas
added charonstart option to config
new ikev2 tests for UML
applied patch from andreas
pem loading
secrets file parsing
ikev2 testcase
some other additions here and there
connection termination is handled cleanly by name now
fixed bad bug, certs load now cleanly again
fixed make install (subdir order)
fixed include path
added missing script
finished initial import of strongswan file tree
removed a lot of old and unused stuff
moved RFCs from ikev2 into doc dir
added missing files for starter
applied patch for charon (this time really)
import of strongswan-2.7.0
applied patch for charon
renamed get_block_size of hasher
reworked usage of IDs in various states
using ID_ANY for any, not NULL as before
initiator sends IDr payload in IKE_AUTH when ID unique
fixed charon checks
using status & statusall
patch for 2.7.0
add connection names to connections
stroke status / ipsec status shows them
added statusall for stroke
added status by connection name
some tests repaired, more to come
fixed spi conversion
improved "stroke status" output
setup PID file after daemon initialization, to correctly inform
starter about daemon startup
added separate implementation for connection_store, credential_store, policy_store
added folder structure to config
credentials are fetched solely on IDs now
identification_t supports now almost all id types
x509 certificates work with identification_t now
fixes here, fixes there
fixed doxygen build
separates now in lib and charon
library initialization done at a central point (library.c)
some leak_detective fixes
updated Todos
fixed log-to-syslog behavior
added patch against strongswan-2.6.4
x509 certificate loading with pluto asn1 code
x509 needs a lot more attention!
renamed some files
using asn1 pluto stuff now
removed, since we use pluto asn1 stuff
leak detective is usable, but does not show static function names
a script which gets address via ldd and resolves address via addr2line would be nice
fixed a leak in child_sa with new detective ;-)
some improvements to new asn1 stuff
to be continued
fixed bad bugs in kernel interface
added some logging info
works now much more stable
started importing pluto ASN1 stuff
der PKCS#1 key loading works (as it did with der_decoder)
split up in libstrong, charon, stroke, testing done
new leak detective with malloc hook in library
useable, but needs improvements
logger_manager has now a single instance per library
allows use of loggers from any linking prog
a LOT of other things
../svn-commit.tmp
added missing stroke.h
improved strokeing
down connection
status
some other tweaks
rewrote a lot of RSA stuff
done major work for ASN1/decoder
allow loading of ASN1 der encoded private keys, public keys and certificates
extracting public key from certificates
passing certificates from stroke to charon
=> basic authentication with RSA certificates works!
starter work on asn1 with der de/encoder
RSA private and public key can load read key from ASN1 DER
some other fixes here and there
rewrite of logger_manager, uses now one instance per context
cleanups for logger here and there
removed critical flag check in payload verification (conformance to IKEv2)
so thats and theres everywhere... ;-)
patch for strongswan-2.6.3
added charon support for strongswan build process
ipsec starter supports charon startup and control
removed old diploma thesis scripts
some cleanups
compatibility to strongswan, Makefile can be called by "make programs"
and "make install" (ikev2 patch must be applied to strongswan)
first version of stroke control utility
moved output to doc/api, since doc is used for other docs now
some first documentation in english
removed old eclipse project files
works quite well now with ipsec.conf & ipsec starter
belongs to previous commit ;-)
reworked configuration framework completely
configuration is now split up in: connections, policies, credentials and daemon config
further alloc/free fixes needed!
first attempt for connection loading and starting via "stroke"
some improvements here and there
configuration_manager replaced by configuration_t interface
current configuration_manager is now static_configuration (testing)
first draft of starter_configuration, which should once interact with ipsec starter (via whack?)
some cleanups
socket_t uses RAW socket, which allows parallel service of pluto/charon
comments and cleanups
working policy installation and removal
fixed policy setup bug
proposal setup implementation begun
fixed socket code, so we know on which address we receive traffic
AH/ESP setup in kernel is working now!!! :-)))
installing of child sa works
need correct IP addresses to actually use IPsec
new RFCs of IKEv2, IKEv2 algs and IPSec arch added
update of IKEv2 clarification document
refactored ike proposal
uses now proposal_t, which is also used by child proposals
ike key derivation refactored
crypter_t api has get_key_size now
some other improvements here and there
config uses uml hosts alice and bob
key derivation for child_sa works
some fixes here and there
fixed memleaks
works with new proposal code
still some(!) memleaks
fixed a lot of bugs in child_proposal
near to working state ;-)
dead end implementation
... there is a lot more of it, but nothing of interest