strongswan-4.0.1 / R:1144 =========================== fixed whitelist detection reworked function ignore mechanism to not-report whitelist rather than overriding functions fixed execv call args to work when using strictcrl and syslog fixed bug: usage of already freed mem readded local_credential_store added sendcert policy to connection some other cleanups implemented rereadcrls rereadcacerts implemented rereadcrls rereadcacerts implemented rereadcrls rereadcacerts removed local_credential_store fixed SPI when acting as initiator of rekeying fixed SPI when rekeying and deleting CHILD_SAs change key derivation order to fullfill RFC added crl support added listcrls added chunk_equals_or_null() added crl support changed tabs from 8 to 4 spaces added crl support cosmetics cosmetics (space) fixed compilation error updated for release fixed aes code, we support now aes128, aes192, aes256 in IKE added support for "ike" and "esp" keywords fixed bugs in proposal code algorithm selection for charon works now with ipsec.conf a lot of other fixes implemented clean spi allocation behavior when using multiple proposals fixed logleve(l) keyword typo handling of "rekey=no" parameter added changed default algorithms to: ike: aes128-sha-modp2048 esp: aes128-sha1, 3des-md5 added default CRL directory path added strictcrlpolicy command line argument added option parsing added local CRLs added rekeying parameters corrected some descriptions moved RSA key size constraints to definitions.h fixed down keyword debug and logging improvements support for stroke listcerts|listcacerts|listcrls|listall support for stroke listcerts|listcacerts|listall and left|rightca= gperf creates optimum hash table for stroke keywords using same reqid if a child sa rekeys an existing one NULL string argument is treated as %any add_certificate() now returns pointer to added cert cosmetics single tests now start up faster workaround for peers rekeying at the same time loading lifetime policies from ipsec.conf old child_sa gets deleted after rekeying rekeying almost complete, but: IKE_SA get in an invalid state when both initiate rekeying at the same time, corrected type improved kernel interface logging fixed clone/destroy behavior when not using CAs specifying keysize in bits, as it is required in IKEv2 added generic kernel SA algorithm handling, which brings us: aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs added support for leftsendcert= and left|rightca= parameters discard cert if CA basic constraints flag is not set and warn if cert is not valide added public methods is_ca() and is_valid() changed ASN.1 CONTROL log output to LEVEL2 cosmetics removed unused Makefile stroke.h requires libstrongswan/types.h fixed compile warnings when using -Wall further CHILD_SA rekeying work done: creation of a new CHILD_SA on a expire from a kernel works delete of old CHILD_SA still missing some issues when both initiate rekeing updated INSTALL to conform with autotools added a short HACKING introduction further work for rekeying: get liftimes from policy added new state initiation of rekeying done proposal redone: removed support for AH+ESP proposals proper leak detective hook for realloc excluded pthread_setspecific from leak detective fixed a memleak cosmetics ipv6-host2host scenario added created IPv6 environment job management: moved job code from thread_pool to job, jobs have an "execute" method now added two new jobs: delete_child_sa & rekey_child_sa kernel interface: listens now for ACQUIRE & EXPIRE supports hard and soft lifetimes fires jobs for delete and rekey child sa ike sa manager: can checkout IKE SAs by requid of owned CHILD SAs we have now the infrastructure to do the rekeying... :-) fixed some memleaks/freebugs leak detective works almost usable now (?!) added host2host test for ikev2 fixed host-host tunnel traffic selection, host-host works now bug fixed circumventing an assertion in delete_connection when ikev1 is not set minimized prefixed on stroke logger output charon outputs strongSwan version tests with subjectAltNames now fixed event queue for events >36min included charons module tests to build & dist full support of ikev1 and ikev2 connection flags cosmetics in log_status output use of streq added testing files to dist required the use of the "ustar" format to support filenames longer than 99 chars lookup of private key based on keyid of public key new functions to add certificates and retrieve private and public keys changed log level list ca certificates computation of SHA-1 hash over publicKeyInfo object moved abbreviated thread_id in front of brackets added has_key parameter to log_certificates() log_certificates() now shows keyid and availability of matching private key indented loaded file log entry moved TIMETOA_BUF definition to types.h moved TIMETOA_BUF definition from asn1.h define default CA_CERTIFICATE_DIR load all ca certificates fixed daemon destruction order to prevent crashes on termination fixed memleak when deleting a connection updated todo list policies contain a connections name now used for initiate and delete connections won't get initiated twice anymore deleting of connections is now possible, which allows us to use ipsec update and ipsec reload changed iterator->remove behavior ipsec up|down|route|delete require a connection name stroke now uses constant size string buffer changed to standard connection log output reworked parsing and matching of subjectAltNames added memeq() macro moved timetoa() from asn1.c to types.c corrected type some logging improvements and cosmetics handle IKE_SA setup without a piggy-packed CHILD_SA more IKEv2 conform initiate IKE_SA deletion befor manager destruction improved code of chunk_equals added streq() macro and defined default BUF_LEN typo build gets perl and gperf from configure now moved built sources to maintainer-clean show connection templates in status & statusall don't complain on termination of IKEv1 connections updated ipsec.conf manual to reflect actual state of keyexchange-parameter using hubs instead of switches, which allows us to sniff the traffic from the host system. changed config load strategy: starter loads both connections in charon & pluto, charon ignores anything with keyexchange!=ikev2. pluto needs the same behavior. changed build order to fix build error after distclean load_end_certificate() now loads certificates cosmetics moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber moved definition of generalNames_t to identification.h corrrected description reimplemented proper IKE SA deletion using a seperate state, should conform now to IKEv2 fixed build when using --enable-leak-detective added removed files to svn:ignore fixed bug in pluto/Makefile.am removed perl-generated oid.c/h from svn, added them to "dist" and "distclean" removed lex, yacc and gperf output from svn, added them to "dist" and "distclean" storing release revision in svn property "release-revision", because I forget it all the times fixed ignorelist, should work now added ingorelist for builded files re-added doxygen apidoc, buildable with "make apidoc" added missing ipsec.conf.5 to distribution :-/ fixed another typo added missing ipsec.conf ipsec.conf.5 existing ipsec.conf won't get overwritten anymore fixed typo in Makefile which corrupted the build applied patch from the NAT-T team fixing several typos applied patch from andreas, which allows certificate listing via stroke added ipsec.conf template and man page back removed old Makefiles added new strongswan KDevelop project & startup hack fixed Revision in changelog fo 4.0.0 started ChangeLog simple script for ChangeLog update via "svn log" fixed compliation error using --enable-smartcard added test for ikev1-ikev2 mixed mode added test ikev2 roadwarrior scenario applied andreas's patch logger output improvements testin gupdates and a lot more updated testsuite to autotools added random source ./configure options fixed default-pkcs11 option testcommit fixed errors when --enable-pkcs11 added autogen script introduced autotools first working version make dist should work things to do: UML testing! more cleanups fixed build started to rebuild source layout fixed stroke error output to starter using random SPIs now, but without collision checks applied some -W's from strongswan fixed that warnings removed IKEV2 ifdefs applied patch from andreas added charonstart option to config new ikev2 tests for UML strongSwan-4.0.0 / R:967 ========================== removed IKEV2 ifdefs applied patch from andreas added charonstart option to config new ikev2 tests for UML applied patch from andreas pem loading secrets file parsing ikev2 testcase some other additions here and there connection termination is handled cleanly by name now fixed bad bug, certs load now cleanly again fixed make install (subdir order) fixed include path added missing script finished initial import of strongswan file tree removed a lot of old and unused stuff moved RFCs from ikev2 into doc dir added missing files for starter applied patch for charon (this time really) import of strongswan-2.7.0 applied patch for charon renamed get_block_size of hasher reworked usage of IDs in various states using ID_ANY for any, not NULL as before initiator sends IDr payload in IKE_AUTH when ID unique fixed charon checks using status & statusall patch for 2.7.0 add connection names to connections stroke status / ipsec status shows them added statusall for stroke added status by connection name some tests repaired, more to come fixed spi conversion improved "stroke status" output setup PID file after daemon initilization, to correctly inform starter about daemon startup added separate implementation for connection_store, credential_store, policy_store added folder structure to config credentials are fetched solely on IDs now identification_t supports now almost all id types x509 certificates work with identification_t now fixes here, fixes there fixed doxygen build seperates now in lib and charon library initialization done at a central point (library.c) some leak_detective fixes updated Todos fixed log-to-syslog behavior added patch against strongswan-2.6.4 x509 certificate loading with pluto asn1 code x509 needs a lot more attention! renamed some files using asn1 pluto stuff now removed, since we use pluto asn1 stuff leak detective is usable, but does not show static function names a script which gets address via ldd and resolves address via addr2line would be nice fixed a leak in child_sa with new detective ;-) some improvements to new asn1 stuff to be continued fixed bad bugs in kernel interface added some logging info works now much more stable startet importing pluto ASN1 stuff der PKCS#1 key loading works (as it did with der_decoder) split up in libstrong, charon, stroke, testing done new leak detective with malloc hook in library useable, but needs improvements logger_manager has now a single instance per library allows use of loggers from any linking prog a LOT of other things ../svn-commit.tmp added misssing stroke.h improved strokeing down connection status some other tweaks rewrote a lot of RSA stuff done major work for ASN1/decoder allow loading of ASN1 der encoded private keys, public keys and certificates extracting public key from certificates passing certificates from stroke to charon => basic authentication with RSA certificates works! starter work on asn1 with der de/encoder RSA private and public key can load read key from ASN1 DER some other fixes here and there rewrite of logger_manager, uses now one instance per context cleanups for logger here and there removed critical flag check in payload verification (conformance to IKEv2) so thats and theres everywere... ;-) patch for strongswan-2.6.3 added charon support for strongswan build process ipsec starter supports charon startup and control removed old diploma thesis scripts some cleanups compatibility to strongswan, Makefile can be called by "make programs" and "make install" (ikev2 patch must be applied to strongswan) first version of stroke control utility moved output to doc/api, since doc is used for other docs now some first documentation in english removed old eclipse project files works quite well now with ipsec.conf & ipsec starter belongs to previous commit ;-) reworked configuration framework completly configuration is now split up in: connections, policies, credentials and daemon config further alloc/free fixes needed! first attempt for connection loading and starting via "stroke" some improvements here and there configuration_manager replaced by configuration_t interface current configuration_manager is now static_configuration (testing) first draft of starter_configuration, which should once interact with ipsec starter (via whack?) some cleanups socket_t uses RAW socket, which allows parallel service of pluto/charon comments and cleanups working policy installation and removal fixed policy setup bug proposal setup implementation begun fixed socket code, so we know on which address we receive traffic AH/ESP setup in kernel is working now!!! :-))) installing of child sa works need correct IP adresses to actually use IPsec new RFCs of IKEv2, IKEv2 algs and IPSec arch added update of IKEv2 clarification document refactored ike proposal uses now proposal_t, wich is also used by child proposals ike key derivation refactored crypter_t api has get_key_size now some other improvements here and there config uses uml hosts alice and bob key derivation for child_sa works some fixes here and there fixed memleaks works with new proposal code still some(!) memleaks fixed alot of bugs in child_proposal near to working state ;-) dead end implementation ... there is a lot more of it, but nothing of interest