updated Changelog and other docs
This commit is contained in:
parent d03ab568a6
commit a1310b6b92

ChangeLog: 124 lines changed
@ -1,3 +1,127 @@
strongswan-4.0.3 / R:1235
===========================

fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD)
implement proper handling of most simultaneous IKE_SA rekeying cases
version bump to 4.0.3
implemented proper refcounting using atomic operations
implemented IKE_SA rekeying
uses ikelifetime, rekeymargin and rekeyfuzz config settings
no handling of simultaneus exchanges yet!
added possibility to route CHILD_SAs, without to set them up
support for auto=route parameter
support for ipsec route and ipsec unroute
initiating of CHILD and/or IKE_SAs based on kernel acquires
reuse an existing IKE_SA to set up additional CHILD_SAs
introduced refcounting on policy and connections
aren't stored in the IKE_SA anymore, they are queried on the fly
are immutable now, allows it to share them
policy selection based on traffic selectors, leads to valid lookup results
rekeying queries the policy based on its traffic selectors
cleanups in kernel interface code
added proper traffic selector to string conversion
some cleanups here & there
X.509 certificate trust path verification
added
fixed UDP decapsulation by adding inbound bypass policy for send socket
updated mixed tests to new charon output
corrected DPD entry
reenabled module tests for charon
fixed bug which erroneously detected KE payload when rekeying
added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
improved logging on verify errors for some payloads
enforcing IKE_SA shutdown, even when transactions are outstanding
proper reject of CREATE_CHILD_SA message with KE payload
added test cases from NAT team
updated all IKEv2 tests to work with new status output
added tcpdumpcount function from NATT guys
added possibility to mount the strongswan tree into all UMLs
added script for installing from shared tree in all UMLs
added script to shut down all UMLs properly
removed in favour of tests from NAT team
fixed CREATE_CHILD_SA transaction dispatching
added CHILD_SA states, which allows us to detect further simultaneous transactions
reimplemented the buggy message id handling
updated some inline docs
fixed crypter/signer in/out to conform with standard
fixed payload order
added message id logging
added all currently known notify payload types
added policy cache to kernel interface
allows refcounting of multiple installed policies
finally brings us stable simultaneous rekeying
leak detective blanks memory on free & alloc, allows further membug detection
code cleanups
identification_t.matches() supports multiple wildcard counts
identification_t.matches() supports multiple wildcard counts
further work done for simultaneous rekeying/delete
still some cases which cause trouble
fixed compiler warnings in parser when using -O2
reenabled check_expiry
updated copyright information
reimplemented CHILD_SA rekeying & delete
no simultanous transaction with CHILD_SAs yet!
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
removed NAT_TRAVERSAL compile option
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
added
updated NEWS
added support for leftprotoport and rightprotoport
improved CHILD_SA output for "ipsec statusall"
updated whitelist (getprotobynumber)
redesigned IKE_SA using a transaction mechanism:
removed old state machine
reimplemented IKE_SA setup and delete
implemented dead peer detection
implemented keep-alives
a lot of fixes
no rekeying yet
fixed compiler warnings
made thread ids unsigned again, to avoid negative thread ids on some systems
fixed memleak when initiating a connection already up
updated leak detective whitelist
applied latest NATT patch with some fixes and cleanups
test currently without firewall
added
added
added
removed
removed version information from ipsec.conf
log entries start with lowcercase character
restored lost IKEv2 packet suppression
added USE_LEAK_DETECTIVE option
fixed natd_hash memory leak
tests with subdirectory structure
removed tests
introduced subdirectory structure
support of cert payloads
lowercase log entries
distributed by ITA
added support of updown parameter
generation of default key
cosmetics
added support of updown parameter
version bump to 4.0.2
added X.509 trust chain verification
version bump to 4.0.2
ESP packet size changed
fixed bad_proposal_syntax bug
updated ingorelist for stroke_keywords.c
applied new changes from NATT team
DPD only done when no IPsec and IKE traffic processed
minor changes here and there
some message code cleanups
fixed identification_t clone to apply function pointers
cleaner error handling on UDP encapsultion sockopt failure
added mysterious UDP encapsulation socket option to get encapsulation working
fixed BAD_PROPOSAL_SYNTAX vulnerability
first merge of NATT code
fixed testing build
updated for 4.0.1 release
updated news for 4.0.1 release
fixed whitelist detection


strongswan-4.0.1 / R:1144
===========================

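Review bot: the new 4.0.3 block is a raw revision-log dump (the header carries "R:1235") rather than an edited changelog: several entries are bare verbs whose object was lost ("added" five times, "removed" once), and others are duplicated verbatim ("identification_t.matches() supports multiple wildcard counts", "removed NAT_TRAVERSAL and VIRTUAL_IP compile options", "added support of updown parameter", "version bump to 4.0.2"). Collapse the duplicates and either restore what the bare "added"/"removed" lines refer to or drop them. The one security-relevant line, "fixed BAD_PROPOSAL_SYNTAX vulnerability", should state which releases are affected and what the impact is; nothing else in the hunk identifies the problem, and the earlier "fixed bad_proposal_syntax bug" entry looks like the same fix listed twice. Spelling while you are in there: "inacceptable", "simultaneus", "simultanous", "encapsultion", "ingorelist", "lowcercase".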
NEWS: 13 lines changed
@ -1,3 +1,16 @@
strongswan-4.0.3
----------------

- Added support for the auto=route ipsec.conf parameter and the
ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and
CHILD_SAs dynamically on demand when traffic is detected by the
kernel.

- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter.
As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only
new keys are generated using perfect forward secrecy. An optional flag
which enforces reauthentication will be implemented later.

strongswan-4.0.2
----------------

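Review bot: the rekeying bullet should tell users what is still missing, not only what is planned. The ChangeLog added in this same commit says only "most" simultaneous IKE_SA rekeying cases are handled and that there is "no simultanous transaction with CHILD_SAs yet!", while the known-bugs file is emptied here; a one-line caveat that simultaneous rekeying from both peers may still fail belongs next to the ikelifetime sentence, since that is exactly the setting that triggers it. The "An optional flag which enforces reauthentication will be implemented later" sentence is consistent with the TODO item added in this commit and can stay. Grammar: "This allows to set up IKE_SAs and CHILD_SAs dynamically" should read "This allows IKE_SAs and CHILD_SAs to be set up dynamically".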
@ -1,6 +1,6 @@
#!/bin/sh
libtoolize &&
aclocal &&
automake -a &&
aclocal-1.9 &&
automake-1.9 -a &&
autoconf

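Review bot: replacing "aclocal &&" / "automake -a &&" with "aclocal-1.9 &&" / "automake-1.9 -a &&" pins the script to distributions that install version-suffixed automake binaries; on a system that ships only "aclocal" and "automake" the chain now fails at the first of the two, where it previously worked. Suggest honouring the conventional ACLOCAL/AUTOMAKE environment variables with the pinned names as the fallback, e.g. `${ACLOCAL:-aclocal-1.9} &&` and `${AUTOMAKE:-automake-1.9} -a &&`, and recording the required automake version in the build documentation so the pin is explained rather than silent.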
@ -1,8 +1,5 @@
Known bugs in charon
======================

- leak_detective gets confused from libpthread (invalid frees)
- inititate rekeying at the same time causes troubles, as the current state
machine can't handle it properly
- traffic selector changes while rekeying may cause troubles



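Review bot: this hunk removes all three known bugs without a matching fix for two of them. "- leak_detective gets confused from libpthread (invalid frees)" has no corresponding ChangeLog entry in this commit (the ChangeLog only lists "leak detective blanks memory on free & alloc" and whitelist updates), so either add the fix to the ChangeLog or keep the entry. The simultaneous-rekeying entry is dropped while the same commit's ChangeLog says "implement proper handling of most simultaneous IKE_SA rekeying cases", "still some cases which cause trouble" and "no simultanous transaction with CHILD_SAs yet!"; keep a narrowed entry for the remaining cases instead of leaving the file empty, since it is the document an operator checks when rekeying misbehaves. Whether "- traffic selector changes while rekeying may cause troubles" is fixed is not stated anywhere in the diff either.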
@ -52,16 +52,18 @@

+ trapping
+ proper delete messages
- notifys on connection setup failure
+ notifys on connection setup failure
+ create child sa message/rekeying
/ IKE_SA rekeying
- handle all simultaneous rekeying/delete/create cases

- implement a mechanism against thread exhaustion
when a blocked IKE_SA receives a lot of messages
- add a crl fetch mechanism which synchronizes equal fetches
+ IKE_SA rekeying
+ handle all simultaneous rekeying/delete/create cases

+ replace state machine with something more transaction oriented
+ find existing IKE_SA on CHILD_SA initiation

- configure flag which allows to ommit vendor id in pluto
- use dpdaction/dpddelay parameters from ipsec.conf
- ikelifetime should optionally enforce reauthentication
- implement a mechanism against thread exhaustion
when a blocked IKE_SA receives a lot of messages
- add a crl fetch mechanism which synchronizes equal fetches
- add support for CERTREQs

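Review bot: "- implement a mechanism against thread exhaustion when a blocked IKE_SA receives a lot of messages" is only moved down the list in this hunk, yet the same commit empties the known-bugs file; a peer that can tie up worker threads by flooding a blocked IKE_SA is a remote resource-exhaustion problem, so it should be listed under known bugs (or in NEWS) and not live only in the TODO. Separately, "+ handle all simultaneous rekeying/delete/create cases" is flipped to done although the ChangeLog in this commit says "most" cases are handled; use the "/" marker this file already uses for in-progress work (the old text had "/ IKE_SA rekeying") until the remaining cases are closed. The two new open items, "- ikelifetime should optionally enforce reauthentication" and "- add support for CERTREQs", match the NEWS text and are fine.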