strongswan-4.0.4 / R:1289 =========================== fixed some compiler warnings extended statusall output added job/event-queue statistics added allocation statistics when using LEAK_DETECTIVE fixed include typo public declaration of all HASH_SIZEs in hasher.h support of encrypted private key files added copyright notice to sha2_hasher included SHA2 in build process implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512 added support for 3DES encryption algorithm in IKE fixed the ids parsing bug fixed the ids parsing bug updated TODOs fixed memleak fixed proper handling of id parsing errors proper return value when no PSK found added HOST_ACCESS for firewall script as default more debugging output for PSK authentication some cleanups here and there added auth_method field added auth_method field cosmetics verify_emsa_pkcs1_signature returns status_t cosmetics added PSK support enabled firewall support proper error handling for socket creation handle certificate parsing error more generous fixed certificate verification bug! fixed memleak when receiving invalid certificate version bump to 4.0.4 version bump to 4.0.4 two new test scenarios fixed path to images directory implemented updown script to handle firewalling add priority management for kernel policy let ROUTED policies installed, until manuall removed introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs ike_sa_manager cleanups implemented handling of dpdaction and dpddelay ipsec.conf parameters reuse reqid when a ROUTED child_sa gets INSTALLED fixed a bug in retransmission code added support for the "keyingtries" ipsec.conf parameter added support for the "dpddelay" ipsec.conf parameter done some work for "dpdaction" behavior some other cleanups and fixes fixed a at-least-one-year-old bug which caused crashed in the scheduler added raw socket filter for IPv6 implemented NAT detection for IPv6 removed unneeded constructor initial support for IPv6 (more testing needed) socket works (without v6 filter) traffic selector handle IPv4/v4 cleanly improvements in traffic selector code kernel interface accepts v6 traffic selectors and hosts host_t class has full IPv6 support added stddef.h include for compilers which do not support the offsetof() directive moved interface enumeration code to socket, where it belongs query interfaces every time we need it to respect changes in network config added address listing on startup and "ipsec statusall" version bump of UML kernel to 2.6.17.11 fixed crash bug when doing "ipsec down" with an unknown connection added name property in CHILD_SA, allows proper status output fixed bug which prevented port float when nat is detected version bumps 'sha' and 'sha1' are now treated as synonyms updated Changelog and other docs strongswan-4.0.3 / R:1235 =========================== fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD) implement proper handling of most simultaneous IKE_SA rekeying cases version bump to 4.0.3 implemented proper refcounting using atomic operations implemented IKE_SA rekeying uses ikelifetime, rekeymargin and rekeyfuzz config settings no handling of simultaneus exchanges yet! added possibility to route CHILD_SAs, without to set them up support for auto=route parameter support for ipsec route and ipsec unroute initiating of CHILD and/or IKE_SAs based on kernel acquires reuse an existing IKE_SA to set up additional CHILD_SAs introduced refcounting on policy and connections aren't stored in the IKE_SA anymore, they are queried on the fly are immutable now, allows it to share them policy selection based on traffic selectors, leads to valid lookup results rekeying queries the policy based on its traffic selectors cleanups in kernel interface code added proper traffic selector to string conversion some cleanups here & there X.509 certificate trust path verification added fixed UDP decapsulation by adding inbound bypass policy for send socket updated mixed tests to new charon output corrected DPD entry reenabled module tests for charon fixed bug which erroneously detected KE payload when rekeying added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT improved logging on verify errors for some payloads enforcing IKE_SA shutdown, even when transactions are outstanding proper reject of CREATE_CHILD_SA message with KE payload added test cases from NAT team updated all IKEv2 tests to work with new status output added tcpdumpcount function from NATT guys added possibility to mount the strongswan tree into all UMLs added script for installing from shared tree in all UMLs added script to shut down all UMLs properly removed in favour of tests from NAT team fixed CREATE_CHILD_SA transaction dispatching added CHILD_SA states, which allows us to detect further simultaneous transactions reimplemented the buggy message id handling updated some inline docs fixed crypter/signer in/out to conform with standard fixed payload order added message id logging added all currently known notify payload types added policy cache to kernel interface allows refcounting of multiple installed policies finally brings us stable simultaneous rekeying leak detective blanks memory on free & alloc, allows further membug detection code cleanups identification_t.matches() supports multiple wildcard counts identification_t.matches() supports multiple wildcard counts further work done for simultaneous rekeying/delete still some cases which cause trouble fixed compiler warnings in parser when using -O2 reenabled check_expiry updated copyright information reimplemented CHILD_SA rekeying & delete no simultanous transaction with CHILD_SAs yet! removed NAT_TRAVERSAL and VIRTUAL_IP compile options removed NAT_TRAVERSAL compile option removed NAT_TRAVERSAL and VIRTUAL_IP compile options added updated NEWS added support for leftprotoport and rightprotoport improved CHILD_SA output for "ipsec statusall" updated whitelist (getprotobynumber) redesigned IKE_SA using a transaction mechanism: removed old state machine reimplemented IKE_SA setup and delete implemented dead peer detection implemented keep-alives a lot of fixes no rekeying yet fixed compiler warnings made thread ids unsigned again, to avoid negative thread ids on some systems fixed memleak when initiating a connection already up updated leak detective whitelist applied latest NATT patch with some fixes and cleanups test currently without firewall added added added removed removed version information from ipsec.conf log entries start with lowcercase character restored lost IKEv2 packet suppression added USE_LEAK_DETECTIVE option fixed natd_hash memory leak tests with subdirectory structure removed tests introduced subdirectory structure support of cert payloads lowercase log entries distributed by ITA added support of updown parameter generation of default key cosmetics added support of updown parameter version bump to 4.0.2 added X.509 trust chain verification version bump to 4.0.2 ESP packet size changed fixed bad_proposal_syntax bug updated ingorelist for stroke_keywords.c applied new changes from NATT team DPD only done when no IPsec and IKE traffic processed minor changes here and there some message code cleanups fixed identification_t clone to apply function pointers cleaner error handling on UDP encapsultion sockopt failure added mysterious UDP encapsulation socket option to get encapsulation working fixed BAD_PROPOSAL_SYNTAX vulnerability first merge of NATT code fixed testing build updated for 4.0.1 release updated news for 4.0.1 release fixed whitelist detection strongswan-4.0.1 / R:1144 =========================== fixed whitelist detection reworked function ignore mechanism to not-report whitelist rather than overriding functions fixed execv call args to work when using strictcrl and syslog fixed bug: usage of already freed mem readded local_credential_store added sendcert policy to connection some other cleanups implemented rereadcrls rereadcacerts implemented rereadcrls rereadcacerts implemented rereadcrls rereadcacerts removed local_credential_store fixed SPI when acting as initiator of rekeying fixed SPI when rekeying and deleting CHILD_SAs change key derivation order to fullfill RFC added crl support added listcrls added chunk_equals_or_null() added crl support changed tabs from 8 to 4 spaces added crl support cosmetics cosmetics (space) fixed compilation error updated for release fixed aes code, we support now aes128, aes192, aes256 in IKE added support for "ike" and "esp" keywords fixed bugs in proposal code algorithm selection for charon works now with ipsec.conf a lot of other fixes implemented clean spi allocation behavior when using multiple proposals fixed logleve(l) keyword typo handling of "rekey=no" parameter added changed default algorithms to: ike: aes128-sha-modp2048 esp: aes128-sha1, 3des-md5 added default CRL directory path added strictcrlpolicy command line argument added option parsing added local CRLs added rekeying parameters corrected some descriptions moved RSA key size constraints to definitions.h fixed down keyword debug and logging improvements support for stroke listcerts|listcacerts|listcrls|listall support for stroke listcerts|listcacerts|listall and left|rightca= gperf creates optimum hash table for stroke keywords using same reqid if a child sa rekeys an existing one NULL string argument is treated as %any add_certificate() now returns pointer to added cert cosmetics single tests now start up faster workaround for peers rekeying at the same time loading lifetime policies from ipsec.conf old child_sa gets deleted after rekeying rekeying almost complete, but: IKE_SA get in an invalid state when both initiate rekeying at the same time, corrected type improved kernel interface logging fixed clone/destroy behavior when not using CAs specifying keysize in bits, as it is required in IKEv2 added generic kernel SA algorithm handling, which brings us: aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs added support for leftsendcert= and left|rightca= parameters discard cert if CA basic constraints flag is not set and warn if cert is not valide added public methods is_ca() and is_valid() changed ASN.1 CONTROL log output to LEVEL2 cosmetics removed unused Makefile stroke.h requires libstrongswan/types.h fixed compile warnings when using -Wall further CHILD_SA rekeying work done: creation of a new CHILD_SA on a expire from a kernel works delete of old CHILD_SA still missing some issues when both initiate rekeing updated INSTALL to conform with autotools added a short HACKING introduction further work for rekeying: get liftimes from policy added new state initiation of rekeying done proposal redone: removed support for AH+ESP proposals proper leak detective hook for realloc excluded pthread_setspecific from leak detective fixed a memleak cosmetics ipv6-host2host scenario added created IPv6 environment job management: moved job code from thread_pool to job, jobs have an "execute" method now added two new jobs: delete_child_sa & rekey_child_sa kernel interface: listens now for ACQUIRE & EXPIRE supports hard and soft lifetimes fires jobs for delete and rekey child sa ike sa manager: can checkout IKE SAs by requid of owned CHILD SAs we have now the infrastructure to do the rekeying... :-) fixed some memleaks/freebugs leak detective works almost usable now (?!) added host2host test for ikev2 fixed host-host tunnel traffic selection, host-host works now bug fixed circumventing an assertion in delete_connection when ikev1 is not set minimized prefixed on stroke logger output charon outputs strongSwan version tests with subjectAltNames now fixed event queue for events >36min included charons module tests to build & dist full support of ikev1 and ikev2 connection flags cosmetics in log_status output use of streq added testing files to dist required the use of the "ustar" format to support filenames longer than 99 chars lookup of private key based on keyid of public key new functions to add certificates and retrieve private and public keys changed log level list ca certificates computation of SHA-1 hash over publicKeyInfo object moved abbreviated thread_id in front of brackets added has_key parameter to log_certificates() log_certificates() now shows keyid and availability of matching private key indented loaded file log entry moved TIMETOA_BUF definition to types.h moved TIMETOA_BUF definition from asn1.h define default CA_CERTIFICATE_DIR load all ca certificates fixed daemon destruction order to prevent crashes on termination fixed memleak when deleting a connection updated todo list policies contain a connections name now used for initiate and delete connections won't get initiated twice anymore deleting of connections is now possible, which allows us to use ipsec update and ipsec reload changed iterator->remove behavior ipsec up|down|route|delete require a connection name stroke now uses constant size string buffer changed to standard connection log output reworked parsing and matching of subjectAltNames added memeq() macro moved timetoa() from asn1.c to types.c corrected type some logging improvements and cosmetics handle IKE_SA setup without a piggy-packed CHILD_SA more IKEv2 conform initiate IKE_SA deletion befor manager destruction improved code of chunk_equals added streq() macro and defined default BUF_LEN typo build gets perl and gperf from configure now moved built sources to maintainer-clean show connection templates in status & statusall don't complain on termination of IKEv1 connections updated ipsec.conf manual to reflect actual state of keyexchange-parameter using hubs instead of switches, which allows us to sniff the traffic from the host system. changed config load strategy: starter loads both connections in charon & pluto, charon ignores anything with keyexchange!=ikev2. pluto needs the same behavior. changed build order to fix build error after distclean load_end_certificate() now loads certificates cosmetics moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber moved definition of generalNames_t to identification.h corrrected description reimplemented proper IKE SA deletion using a seperate state, should conform now to IKEv2 fixed build when using --enable-leak-detective added removed files to svn:ignore fixed bug in pluto/Makefile.am removed perl-generated oid.c/h from svn, added them to "dist" and "distclean" removed lex, yacc and gperf output from svn, added them to "dist" and "distclean" storing release revision in svn property "release-revision", because I forget it all the times fixed ignorelist, should work now added ingorelist for builded files re-added doxygen apidoc, buildable with "make apidoc" added missing ipsec.conf.5 to distribution :-/ fixed another typo added missing ipsec.conf ipsec.conf.5 existing ipsec.conf won't get overwritten anymore fixed typo in Makefile which corrupted the build applied patch from the NAT-T team fixing several typos applied patch from andreas, which allows certificate listing via stroke added ipsec.conf template and man page back removed old Makefiles added new strongswan KDevelop project & startup hack fixed Revision in changelog fo 4.0.0 started ChangeLog simple script for ChangeLog update via "svn log" fixed compliation error using --enable-smartcard added test for ikev1-ikev2 mixed mode added test ikev2 roadwarrior scenario applied andreas's patch logger output improvements testin gupdates and a lot more updated testsuite to autotools added random source ./configure options fixed default-pkcs11 option testcommit fixed errors when --enable-pkcs11 added autogen script introduced autotools first working version make dist should work things to do: UML testing! more cleanups fixed build started to rebuild source layout fixed stroke error output to starter using random SPIs now, but without collision checks applied some -W's from strongswan fixed that warnings removed IKEV2 ifdefs applied patch from andreas added charonstart option to config new ikev2 tests for UML strongSwan-4.0.0 / R:967 ========================== removed IKEV2 ifdefs applied patch from andreas added charonstart option to config new ikev2 tests for UML applied patch from andreas pem loading secrets file parsing ikev2 testcase some other additions here and there connection termination is handled cleanly by name now fixed bad bug, certs load now cleanly again fixed make install (subdir order) fixed include path added missing script finished initial import of strongswan file tree removed a lot of old and unused stuff moved RFCs from ikev2 into doc dir added missing files for starter applied patch for charon (this time really) import of strongswan-2.7.0 applied patch for charon renamed get_block_size of hasher reworked usage of IDs in various states using ID_ANY for any, not NULL as before initiator sends IDr payload in IKE_AUTH when ID unique fixed charon checks using status & statusall patch for 2.7.0 add connection names to connections stroke status / ipsec status shows them added statusall for stroke added status by connection name some tests repaired, more to come fixed spi conversion improved "stroke status" output setup PID file after daemon initilization, to correctly inform starter about daemon startup added separate implementation for connection_store, credential_store, policy_store added folder structure to config credentials are fetched solely on IDs now identification_t supports now almost all id types x509 certificates work with identification_t now fixes here, fixes there fixed doxygen build seperates now in lib and charon library initialization done at a central point (library.c) some leak_detective fixes updated Todos fixed log-to-syslog behavior added patch against strongswan-2.6.4 x509 certificate loading with pluto asn1 code x509 needs a lot more attention! renamed some files using asn1 pluto stuff now removed, since we use pluto asn1 stuff leak detective is usable, but does not show static function names a script which gets address via ldd and resolves address via addr2line would be nice fixed a leak in child_sa with new detective ;-) some improvements to new asn1 stuff to be continued fixed bad bugs in kernel interface added some logging info works now much more stable startet importing pluto ASN1 stuff der PKCS#1 key loading works (as it did with der_decoder) split up in libstrong, charon, stroke, testing done new leak detective with malloc hook in library useable, but needs improvements logger_manager has now a single instance per library allows use of loggers from any linking prog a LOT of other things ../svn-commit.tmp added misssing stroke.h improved strokeing down connection status some other tweaks rewrote a lot of RSA stuff done major work for ASN1/decoder allow loading of ASN1 der encoded private keys, public keys and certificates extracting public key from certificates passing certificates from stroke to charon => basic authentication with RSA certificates works! starter work on asn1 with der de/encoder RSA private and public key can load read key from ASN1 DER some other fixes here and there rewrite of logger_manager, uses now one instance per context cleanups for logger here and there removed critical flag check in payload verification (conformance to IKEv2) so thats and theres everywere... ;-) patch for strongswan-2.6.3 added charon support for strongswan build process ipsec starter supports charon startup and control removed old diploma thesis scripts some cleanups compatibility to strongswan, Makefile can be called by "make programs" and "make install" (ikev2 patch must be applied to strongswan) first version of stroke control utility moved output to doc/api, since doc is used for other docs now some first documentation in english removed old eclipse project files works quite well now with ipsec.conf & ipsec starter belongs to previous commit ;-) reworked configuration framework completly configuration is now split up in: connections, policies, credentials and daemon config further alloc/free fixes needed! first attempt for connection loading and starting via "stroke" some improvements here and there configuration_manager replaced by configuration_t interface current configuration_manager is now static_configuration (testing) first draft of starter_configuration, which should once interact with ipsec starter (via whack?) some cleanups socket_t uses RAW socket, which allows parallel service of pluto/charon comments and cleanups working policy installation and removal fixed policy setup bug proposal setup implementation begun fixed socket code, so we know on which address we receive traffic AH/ESP setup in kernel is working now!!! :-))) installing of child sa works need correct IP adresses to actually use IPsec new RFCs of IKEv2, IKEv2 algs and IPSec arch added update of IKEv2 clarification document refactored ike proposal uses now proposal_t, wich is also used by child proposals ike key derivation refactored crypter_t api has get_key_size now some other improvements here and there config uses uml hosts alice and bob key derivation for child_sa works some fixes here and there fixed memleaks works with new proposal code still some(!) memleaks fixed alot of bugs in child_proposal near to working state ;-) dead end implementation ... there is a lot more of it, but nothing of interest