updated Changelog and other docs

2006-08-23 11:48:33 +00:00 · 2006-08-23 11:48:33 +00:00 · a1310b6b92
parent d03ab568a6
commit a1310b6b92
5 changed files with 149 additions and 13 deletions
--- a/124
+++ b/124
@ -1,3 +1,127 @@
+ strongswan-4.0.3 / R:1235 
+===========================
+
+fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD)
+implement proper handling of most simultaneous IKE_SA rekeying cases
+version bump to 4.0.3
+implemented proper refcounting using atomic operations
+implemented IKE_SA rekeying
+	uses ikelifetime, rekeymargin and rekeyfuzz config settings
+	no handling of simultaneus exchanges yet!
+added possibility to route CHILD_SAs, without to set them up
+	support for auto=route parameter
+	support for ipsec route and ipsec unroute
+	initiating of CHILD and/or IKE_SAs based on kernel acquires
+reuse an existing IKE_SA to set up additional CHILD_SAs
+introduced refcounting on policy and connections
+	aren't stored in the IKE_SA anymore, they are queried on the fly
+	are immutable now, allows it to share them
+policy selection based on traffic selectors, leads to valid lookup results
+	rekeying queries the policy based on its traffic selectors
+cleanups in kernel interface code
+added proper traffic selector to string conversion
+some cleanups here & there
+X.509 certificate trust path verification
+added
+fixed UDP decapsulation by adding inbound bypass policy for send socket
+updated mixed tests to new charon output
+corrected DPD entry
+reenabled module tests for charon
+fixed bug which erroneously detected KE payload when rekeying
+added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
+improved logging on verify errors for some payloads
+enforcing IKE_SA shutdown, even when transactions are outstanding
+proper reject of CREATE_CHILD_SA message with KE payload
+added test cases from NAT team
+updated all IKEv2 tests to work with new status output
+added tcpdumpcount function from NATT guys
+added possibility to mount the strongswan tree into all UMLs
+added script for installing from shared tree in all UMLs
+added script to shut down all UMLs properly
+removed in favour of tests from NAT team
+fixed CREATE_CHILD_SA transaction dispatching
+added CHILD_SA states, which allows us to detect further simultaneous transactions
+reimplemented the buggy message id handling
+updated some inline docs
+fixed crypter/signer in/out to conform with standard
+fixed payload order
+added message id logging
+added all currently known notify payload types
+added policy cache to kernel interface
+	allows refcounting of multiple installed policies
+	finally brings us stable simultaneous rekeying
+leak detective blanks memory on free & alloc, allows further membug detection
+code cleanups
+identification_t.matches() supports multiple wildcard counts
+identification_t.matches() supports multiple wildcard counts
+further work done for simultaneous rekeying/delete
+	still some cases which cause trouble
+fixed compiler warnings in parser when using -O2
+reenabled check_expiry
+updated copyright information
+reimplemented CHILD_SA rekeying & delete
+	no simultanous transaction with CHILD_SAs yet!
+removed NAT_TRAVERSAL and VIRTUAL_IP compile options
+removed NAT_TRAVERSAL compile option
+removed NAT_TRAVERSAL and VIRTUAL_IP compile options
+added
+updated NEWS
+added support for leftprotoport and rightprotoport
+improved CHILD_SA output for "ipsec statusall"
+updated whitelist (getprotobynumber)
+redesigned IKE_SA using a transaction mechanism:
+	removed old state machine
+	reimplemented IKE_SA setup and delete
+	implemented dead peer detection
+	implemented keep-alives
+	a lot of fixes
+	no rekeying yet		
+fixed compiler warnings
+made thread ids unsigned again, to avoid negative thread ids on some systems
+fixed memleak when initiating a connection already up
+updated leak detective whitelist
+applied latest NATT patch with some fixes and cleanups
+test currently without firewall
+added
+added
+added
+removed
+removed version information from ipsec.conf
+log entries start with lowcercase character
+restored lost IKEv2 packet suppression
+added USE_LEAK_DETECTIVE option
+fixed natd_hash memory leak
+tests with subdirectory structure
+removed tests
+introduced subdirectory structure
+support of cert payloads
+lowercase log entries
+distributed by ITA
+added support of updown parameter
+generation of default key
+cosmetics
+added support of updown parameter
+version bump to 4.0.2
+added X.509 trust chain verification
+version bump to 4.0.2
+ESP packet size changed
+fixed bad_proposal_syntax bug
+updated ingorelist for stroke_keywords.c
+applied new changes from NATT team
+	DPD only done when no IPsec and IKE traffic processed
+	minor changes here and there
+some message code cleanups
+fixed identification_t clone to apply function pointers
+cleaner error handling on UDP encapsultion sockopt failure
+added mysterious UDP encapsulation socket option to get encapsulation working
+fixed BAD_PROPOSAL_SYNTAX vulnerability
+first merge of NATT code
+fixed testing build
+updated for 4.0.1 release
+updated news for 4.0.1 release
+fixed whitelist detection
+
+
 strongswan-4.0.1 / R:1144 
 ===========================

--- a/13
+++ b/13
@ -1,3 +1,16 @@
+strongswan-4.0.3
+----------------
+
+- Added support for the auto=route ipsec.conf parameter and the
+  ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and 
+  CHILD_SAs dynamically on demand when traffic is detected by the 
+  kernel.
+
+- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter.
+  As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only
+  new keys are generated using perfect forward secrecy. An optional flag
+  which enforces reauthentication will be implemented later.
+
 strongswan-4.0.2
 ----------------

--- a/autogen.sh
+++ b/autogen.sh
@ -1,6 +1,6 @@
 #!/bin/sh
 libtoolize &&
-aclocal &&
-automake -a &&
+aclocal-1.9 &&
+automake-1.9 -a &&
 autoconf

--- a/src/charon/doc/Known-bugs.txt
+++ b/src/charon/doc/Known-bugs.txt
@ -1,8 +1,5 @@
 Known bugs in charon
 ======================

- leak_detective gets confused from libpthread (invalid frees)
- inititate rekeying at the same time causes troubles, as the current state
-  machine can't handle it properly
- traffic selector changes while rekeying may cause troubles
+

--- a/src/charon/doc/Todo-list.txt
+++ b/src/charon/doc/Todo-list.txt
@ -52,16 +52,18 @@

 + trapping
 + proper delete messages
- notifys on connection setup failure
+ notifys on connection setup failure
 + create child sa message/rekeying
-/ IKE_SA rekeying
-  - handle all simultaneous rekeying/delete/create cases
-
- implement a mechanism against thread exhaustion
-  when a blocked IKE_SA receives a lot of messages
- add a crl fetch mechanism which synchronizes equal fetches
+ IKE_SA rekeying
+  + handle all simultaneous rekeying/delete/create cases

 + replace state machine with something more transaction oriented
 + find existing IKE_SA on CHILD_SA initiation

 - configure flag which allows to ommit vendor id in pluto
+- use dpdaction/dpddelay parameters from ipsec.conf
+- ikelifetime should optionally enforce reauthentication
+- implement a mechanism against thread exhaustion
+  when a blocked IKE_SA receives a lot of messages
+- add a crl fetch mechanism which synchronizes equal fetches
+- add support for CERTREQs