strongswan-4.1.0 / R:2552
===========================

fixed nat detection bug
OCSP support
updated NEWS, TODO and man page
respecting "keyingtries" parameter on IKE_SA setup
cleanups
fixed reset()
not installing a route when policy gets updated
renamed keyingtries attribute
adjusted loglevels
delay OCSP response by 5 seconds
always update reqid on policy install, fixes dpdaction=hold issue
EAP-SIM cleanups
fixed CHILD_SA rekeying/delete bug on 64bit machines
removed obsolete methods in delete_payload
Shortened distribution string
Shortened distribution string
shortened distribution string
add daemon.log to web page
remove /etc/resolv.conf
version bump to 4.1.0
added apache2/ocsp log directory to winnetou
removed killall openssl
removed killall openssl
deleted
deleted
create apache2/ocsp/ logging directory on winnetou
do not check for type of dpd action any more
create /var/log/apache2/ocsp on winnetou
added
added
added
delete virtual IP addresses after use
deleted
added
fixed case of missing subjectKeyID
corrected typo
version bump to 4.1.0
added
use CURLOPT_NOSIGNAL
added --with-sim-reader option to configure script
some cleanups in eap_sim
removed duplicated code in eap_authenticator
log reception of trusted signer certificate
version bump to 4.1.0
deleted
added
changed OCSPSigner to OCSPSigning
fixed carry bug in FIPS prf
user standard cert
deleted
deleted
added
added
modified description.txt and evaltest.dat
version number selection fix
some cleanups
cleaned up and fixed DPD handling code
removed cfg-payload dns test code
added
added
version bump to strongswan-4.1.0 and linux-2.6.20.3
cosmetics
increased control debugging output
added EAP-SIM authentication
  client side only
  uses an external SIM reader library specified with SIM_READER_LIB
  untested
not detaching from bus when IKE_SA_INIT is retried
added AES-192/256 proposals to IKE
added generic EAP_IDENTITY client implementation using peers IKEv2 ID
fixed compilation warnings and errors when not using curl
results from the single responses are stored in the corresponding certinfo_t structs
moved credential_store.h from charon/config/credentials to libstrongswan
last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA
fixed memory leak by calling curl_slist_free_all(headers)
fixed memory leak by calling curl_slist_free_all(headers)
whitelisting static Curl_getaddrinfo() memory leak
fixed a certinfo_t memory leak in verify()
fixed a memory leak in response_t
ocsp signer certificate and ocsp response signature can be verified
fixed memleaks when using EAP authentication
fixed configuration payloads when using EAP
fixed payload order (again)
including peers certificate when his certreq is empty
implemented cookies as initiator
proper logging of notifies in IKE_SA setup
disabling routing for IPv6, does not work correctly
fixed call of add_auth_certificate()
generalized get_ca_certificate() to get_auth_certificate(auth_flags)
added fetcher_finalize() to clean up libcurl
some cleanups
not installing %any DNS servers
support of setting and getting authority flags
support of ocsp signing certificates
support of ocsp signing certificates
fixed payload order in IKE_AUTH
removed SHA2 kernel proposals from default, the kernel doesn't support them yet
allocation fixes, not complete
handling "No policy found" properly
added more debugging output for policy lookup
returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE
fixed CHILD_SA creation within existing IKE_SA
added ocsp_parse_single_response
ported changes from EAP branch, reenabling EAP framework
added (not yet supported) sha2 algorithms to kernel
only adding a route if using tunnel mode
added SHA2 MAC and PRF to default proposal
added more debug output
experimental SHA2 HMAC and PRF implementations
parsing basic ocsp response
forgot to assign public.is_ocsp_signer() method
added parsing level to x509_create_from_chunk()
added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method
http post fetching using libcurl implemented
added fetcher.h and fetcher.c
added
corrected @ingroup to utils
corrected comment
start ocsp checking only if there are any ocspuris present
conntrack -F is used to flush the NAT states
the hostaccess=yes parameters are not needed anymore
use conntrack -F to flush NAT states
replaced actual virtual IP addresses by symbolic ones
removed unnecessary double quotes
nonce in ocsp_t was not properly initialized
ocsp request is now fully built but without requestor signature
starting to build ocsp request
prevent from initiating multiple exchanges at the same time
updated apidoc documentation
fixed notify handling in IKE_AUTH
moved nonce payload before TS in CHILD_SA setup
moved REKEY_SA notify to the beginning of the message
fixed traffic selector redundancy removal code (not completely tested)
add crl and ocsp uris to linked list after partial verification
added print hook for certinfo_t printing
fixed typo
sending an SPI of 0 as responder when IKE_SA_INIT fails
iterate certinfos linked list for matching serialNumber
some cleanups
not assigning %any virtual IPs to peer anymore
fixed double free bug
added
fixed ID selection bug when peer doesn't include IDr payload
allowing vendor ID in any message
moved listing of crls to local_credential_store and ca
refactored ca_info_t
refactored ca_info_t
fixed netlink socket receiver code
implemented interface enumeration code with netlink: no getifaddrs required anymore
refactored kernel interface, works reliably again
implemented get_iface() using RTM_GETADDR
added support for multi-header netlink messages
really ugly now, need a lot of refactoring
added debugging for interface lookup
fixed address lookup when !using getifaddrs()
added firewalling support when using virtual IPs
added support for 0.0.0.0/0 traffic selectors
fixed routing to make correct 0.0.0.0/0 routes
config-payload scenario fixes
preparations for PLUTO_MY_SOURCEIP
corrected typo
added cert with OCSP access info
dpd now takes 180 s and 5 retransmits
changed grep to creating acquire job for CHILD SA
replaced actual virtual IPs by place holders
virtual-ip scenario has been replaced by config-payload scenario
added
added
added ocsp.h and ocsp.c
added
r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines
virtual ip uml test
fixed reauthentication when connections other is %any
merged tasking branch into trunk
fixed big endian bug in md5 hasher
cosmetics
added once flag to certinfo_t
cosmetics
added certinfos linked list
changed ca info to ca
support of ca info sections
added support of OCSP accessLocations
correct interface definition
added support of OCSP accessLocations
full support of ca info records
added the create_crluri_iterator method
replace ca is realized as del_ca followed by add_ca
last CA keyword is KW_OCSPURI2
full support of ca info records
full support of ca info records
alphabetically sorting print commands
listing ca_info items
replace printf.h by stdio.h
adding get_keyid() method
support of ca info records
support of ca info records
version bump to 4.0.8
support of ca info records
support of ca info records
typo
SHA512-HMAC bug fix and hash function self-test support
SHA512-HMAC bug fix and hash function self-test support
handle strong SHA-2 signatures in X.509 certificates
SHA-2 fixes and add-ons
version bumps
remove strong certs and keys after test
added
using "left" as my host per default, swapping to "right" when needed
respecting source address when sending packets
added PRINT_CAINFO hook
stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp
enable IP forwarding
prepared support of ca information records and ocsp functionality
added support of ca information records and ocsp keywords
enabled adding and deleting ca information records
fixed starter crash due to freeing default IPSEC_EAPDIR string
add --eapdir option only if defined in ipsec.conf
removed eap aka module due to nda
merged EAP framework from branch into trunk
  includes a lot of other modifications
%T requires time_t ptr
removed my time_t printf handler patch, applied the one of andreas (64bit safe)
fixed printf() hooks for time
added support for NULL encryption in ESP
be more liberal in accepting notifies with a protocol id
include NO_EXT_SEQUENCE_NUMBER in default proposal
output peer id if RSA public key is not found
fixed typo
version bump to 4.0.8
added address listing without getifaddrs for uclibc (only IPv4 yet)
added threads to support multiple simultaneous stroke requests
renamed all static clone() functions to avoid naming conflicts with uclibc
sending proper signal to the bus when detecting a dead peer
added configuration of XAUTH and ModeConfig push mode
version bump
version bump
Cisco XAUTH interoperability
XAUTH interoperability with Cisco
removed IPSECPOLICY compile option
unload xauth_module only if XAUTH_DEFAULT_LIB is defined
loading the XAUTH module requires libdl
added some more attributes, inst XAUTH_TYPE in reply
Mode Config refactoring
XAUTH fixes and Cisco Unity support
log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings
added Cisco Unity ModeCfg attributes
version bump to 4.0.7
fixed 64 bit issue with print time
fixed XAUTHResp bug
included xauth.h
use uml_mconsole to check end of booting process
name the created CHILD_SA
doubled PAYLIMIT to 40 payloads
version bump
show rekeying|reauthentication time
show name of created CHILD_SA
combined use_in and use_fwd
corrected typo
cosmetics
cosmetics
fixed an enumeration error, added CISCO_IOS VID
fixed mismatch in interface definition of get_secret()
forward declaration of struct state not needed
cosmetics
added firewall support to scenario
updated changelog for 4.0.6
fixed crash when CA for certrequest not found
fixed build when !using smartcard
removed unused debugging code
updated NEWS for 4.0.6

strongswan-4.0.6 / R:2131
===========================

updated NEWS for 4.0.6
readded transport mode test using new status output
removed duplicated host2host-transport test
fixed reauthentication when using %any hosts
support for transport in create_child_sa
include TRANSPORT/TUNNEL information in statusall
load xauth module via dlopen()
define path to xauth module
added host2host-transport scenario
removed trailing lines
added XAUTH support
fixed typo
added XAUTH server and client support
load and unload XAUTH module
added xauth.h and xauth.c
added enable-cisco-quirks configure option
added xauth scenarios
added config option for BEET mode
fixed reauthentication when connections other host is %any
fixed host conversion length check
negated POLICY_REAUTH to POLICY_DONT_REAUTH
negated POLICY_REAUTH to POLICY_DONT_REAUTH
enable XAUTH_VID by default
added support for transport mode and (experimental!) BEET mode
support for the type=transport/tunnel parameter in charon
fixed charset & cleanups
added XAUTH server and client support
additional parentheses for same_chunk() macro
renamed to appear in doxygen build
added a roadmap of the strongSwan project (TODO)
added some NEWS
first try to update ipsec.conf manual
implemented reauthentication using the new reauth=yes|no parameter
fixed more uClibc issues
should compile against a uClibc > 0.9.28 (untested)
added XAUTH client states
version bump to 4.0.6
fixed stddef.h include
fixed encoding rules string
updated todo
fixed some byte-order issues
fixed HAVE_BACKTRACE checks
starter Makefile now uses proper $(COMPILE) to build pluto objects
made backtrace() calls optional to support uClibc
XAUTH support
XAUTH support
fixed bug in ifdef CISCO_QUIRKS
added XAUTH support
support of Cisco Unity VID
added new VIDs
version bump to 4.0.6
fixed case with wildcard peer ID and static peer address
added simple script to port trunk changes into branches
start kdevelop with project file from actual branch
updated changelog
fixed typos

strongswan-4.0.5 / R:1447
===========================

fixed typos
improved selection of ipsec status|statusall <name>
fixed NEWS (runtime debug level options)
fixed credits
fixed very old bug in linked_list's remove_first and remove_last
proper "ipsec up" signal handling when initiating to %any
removed iterator hook for replace
fixed output of proto/port selectors
cosmetics
due to console logging, no need for final sleep anymore
adapted checks to changed ipsec status output
due to narrowing no need for rightsubnetwithin
no need to send certreq
fixed ipsec status|statusall <name>
log IKE SPIs on a separate line
redesigned formatting of ipsec status|statusall
cosmetics
version bumps of strongSwan, Linux kernel and Gentoo root file system
corrected description
added dpd-hold scenario
added new features
fixed 64 bit issue
solved 64 bit issue by changing long to int
solved 64 bit issue in push/pop stroke interface
fixed 64 bit issue
some fixes for doxygen
better split up of library files "types.h" & "definitions.h"
centralized all printf specifier character definitions
reuse of arginfo handlers
more cleanups
fixed more AMD64 issues
added DEBUG_LEVEL compile flag to exclude DBGn() statements
added nodebug configure script without any debug messages and without -g
preparations to include certreqs in policy decisions
do not send certreq payloads when the peer is known to use PSK
position of (myself) moved in log output
do not send certreq payloads when using self-signed certs
moved (myself) in log output
moved typedefs to beginning of files to solve some include problems
split authenticator to have a separate implementation for each auth_method_t
using va_copy to clone va_lists, should fix problems on AMD64
some other cleanups
do not sanitize '*' character
fixed SIGSEGV when setup of an additional CHILD_SA fails
added IKEv2 clarifications RFC
changed debug level of certreq log output
cosmetics in debug output
support of certreq payload in IKE_AUTH messages
chunk_to_hex() function declaration deleted
added function certreq_payload_create_from_x509()
send a certreq as initiator if other_ca is set
added method get_ca_certificate()
added methods get_my_ca() and get_other_ca()
added methods get_my_ca() and get_other_ca()
added some missing 'AUD' entries
cosmetics
cosmetics
change due to changed debug output
spaces should not be sanitized
fixed due to new logging concept
some improvements in signaling code
include only source NATD payloads really needed
updated for NAT team
improved signal handling and emitting
support of ModeCfg Push mode
support of mixed RSA/PSK static connections
support of ipsec statusall in state output
output of 'DPD active' in ISAKMP SAs
support of ipsec statusall in state output
added natip support
added has_natip flag
added ModeCfg push policy and states
added ModeCfg push policy and states
fixed typo in debug statement
redesigned list output format
added 'modeconfig=pull|push' and 'left|rightnatip' keywords
added has_natip flag
added has_natip flag
added 'exit' statement in listcerts,.. case
fixed two bugs in the time_t and chunk_ct print functions
redesigned format of print function
replaced 'times' by 'dates'
added private flag to asn1_init
added private flag to asn1_ctx_t
removed DES-EDE3-CBC only comment
removed deprecated iterator methods (has_next & current)
added iterator hook to manipulate iterator the clean way
linked list cleanups
added list methods invoke(), destroy_offset(), destroy_function()
simplified list destruction when destroying its items
added verbosity level to stroke
upgrade to new Gentoo root file system and tcpdump command
added
deleted
renamed ikev1 scenario and added ikev2 scenario
added new scenarios
Version bumps of UML kernel, Gentoo root file system and strongSwan release
code cleanups in printf handlers
added eap authentication draft for ikev2
updated stroke to allow run-time manipulation of debug levels
added charondebug config parameter to set debug level at startup
introduced new logging subsystem using bus:
  passive listeners can register on the bus
  active listeners wait for signals actively
  multiplexing allows multiple listeners to receive debug signals
  a lot more...
updated file filter for kdev project
include CREDITS file in distribution
moved various scripts in scripts/ dir
add configure script wrappers
removed txt files from doxygen
removed module tests, outdated. We need something more system-test like
added missing -DDEBUG compile option
fixed auxiliary message data parsing for IPV6 socket
using SOL_* constants for socket level
fixed IPV6_PKTINFO setsockopt() to work with most kernel headers
replaced strerror(errno) with %m printf specifier
added stronger certs for moon, carol, and dave
added IPv6 hw and multicast addresses
adapted to new tcpdump ipv6 output
multi-level-ca scenarios use unencrypted private key
added scenario
fixed timing
new gentoo root file system
fixed bug with openldap 2.3
removed ipsec.conf version information
carolKey.pem is now protected by 3DES passphrase
updated net runlevel scripts
updated net init scripts
new net configuration format
HW addresses must be predefined
cosmetics
added USE_LIBCURL
cosmetics
found libraries are not appended to LIBS anymore
version bump to 4.0.5
fixed DPD to survive IKE_SA rekeying
introduced printf() specifiers for:
  host_t (%H)
  identification_t (%D)
  chunk pointers (%B)
  memory pointer/length (%b)
added a signaling bus:
  receives event and debug messages, sends them to its listeners
  stream_logger, sys_logger, file_logger added, listen to bus
some other tweaks here and there
added often used RFCs and drafts
DES for private key encryption is not supported
updated NEWS and ChangeLog for 4.0.4 release
fixed retransmission policy for responder
fixed dpd for responder
added ID_ANY check to matches_binary()
replaced 'missing value' warning by zero length chunk_t value
defined maximum hash size
support of AES-192-CBC private key encryption
added hostaccess support
added hostaccess support
moved auth_method to policy
added hostaccess support
added hostaccess support
more consistent authentication logging
added hostaccess support
moved auth_method to policy
moved auth_method to policy
added hostaccess support; moved auth_method to policy
added hostaccess support
added hostaccess support
added new test scenarios
fixed some compiler warnings

strongswan-4.0.4 / R:1289
===========================

fixed some compiler warnings
extended statusall output
added job/event-queue statistics
added allocation statistics when using LEAK_DETECTIVE
fixed include typo
public declaration of all HASH_SIZEs in hasher.h
support of encrypted private key files
added copyright notice to sha2_hasher
included SHA2 in build process
implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512
added support for 3DES encryption algorithm in IKE
fixed the ids parsing bug
fixed the ids parsing bug
updated TODOs
fixed memleak
fixed proper handling of id parsing errors
proper return value when no PSK found
added HOST_ACCESS for firewall script as default
more debugging output for PSK authentication
some cleanups here and there
added auth_method field
added auth_method field
cosmetics
verify_emsa_pkcs1_signature returns status_t
cosmetics
added PSK support
enabled firewall support
proper error handling for socket creation
handle certificate parsing error more generously
fixed certificate verification bug!
fixed memleak when receiving invalid certificate
version bump to 4.0.4
version bump to 4.0.4
two new test scenarios
fixed path to images directory
implemented updown script to handle firewalling
add priority management for kernel policy
leave ROUTED policies installed, until manually removed
introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
ike_sa_manager cleanups
implemented handling of dpdaction and dpddelay ipsec.conf parameters
reuse reqid when a ROUTED child_sa gets INSTALLED
fixed a bug in retransmission code
added support for the "keyingtries" ipsec.conf parameter
added support for the "dpddelay" ipsec.conf parameter
done some work for "dpdaction" behavior
some other cleanups and fixes
fixed an at-least-one-year-old bug which caused crashes in the scheduler
added raw socket filter for IPv6
implemented NAT detection for IPv6
removed unneeded constructor
initial support for IPv6 (more testing needed)
  socket works (without v6 filter)
  traffic selector handles IPv4/v4 cleanly
  improvements in traffic selector code
  kernel interface accepts v6 traffic selectors and hosts
  host_t class has full IPv6 support
added stddef.h include for compilers which do not support the offsetof() directive
moved interface enumeration code to socket, where it belongs
query interfaces every time we need it to respect changes in network config
added address listing on startup and "ipsec statusall"
version bump of UML kernel to 2.6.17.11
fixed crash bug when doing "ipsec down" with an unknown connection
added name property in CHILD_SA, allows proper status output
fixed bug which prevented port float when nat is detected
version bumps
'sha' and 'sha1' are now treated as synonyms
updated Changelog and other docs

strongswan-4.0.3 / R:1235
===========================

fixed rekeying behavior when proposing an unacceptable DH group (INVALID_KE_PAYLOAD)
implement proper handling of most simultaneous IKE_SA rekeying cases
version bump to 4.0.3
implemented proper refcounting using atomic operations
implemented IKE_SA rekeying
  uses ikelifetime, rekeymargin and rekeyfuzz config settings
  no handling of simultaneous exchanges yet!
added possibility to route CHILD_SAs, without to set them up
  support for auto=route parameter
  support for ipsec route and ipsec unroute
initiating of CHILD and/or IKE_SAs based on kernel acquires
reuse an existing IKE_SA to set up additional CHILD_SAs
introduced refcounting on policy and connections
  aren't stored in the IKE_SA anymore, they are queried on the fly
  are immutable now, allows it to share them
policy selection based on traffic selectors, leads to valid lookup results
rekeying queries the policy based on its traffic selectors
cleanups in kernel interface code
added proper traffic selector to string conversion
some cleanups here & there
X.509 certificate trust path verification
added
fixed UDP decapsulation by adding inbound bypass policy for send socket
updated mixed tests to new charon output
corrected DPD entry
reenabled module tests for charon
fixed bug which erroneously detected KE payload when rekeying
added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
improved logging on verify errors for some payloads
enforcing IKE_SA shutdown, even when transactions are outstanding
proper reject of CREATE_CHILD_SA message with KE payload
added test cases from NAT team
updated all IKEv2 tests to work with new status output
added tcpdumpcount function from NATT guys
added possibility to mount the strongswan tree into all UMLs
added script for installing from shared tree in all UMLs
added script to shut down all UMLs properly
removed in favour of tests from NAT team
fixed CREATE_CHILD_SA transaction dispatching
added CHILD_SA states, which allows us to detect further simultaneous transactions
reimplemented the buggy message id handling
updated some inline docs
fixed crypter/signer in/out to conform with standard
fixed payload order
added message id logging
added all currently known notify payload types
added policy cache to kernel interface
  allows refcounting of multiple installed policies
  finally brings us stable simultaneous rekeying
leak detective blanks memory on free & alloc, allows further membug detection
code cleanups
identification_t.matches() supports multiple wildcard counts
identification_t.matches() supports multiple wildcard counts
further work done for simultaneous rekeying/delete
  still some cases which cause trouble
fixed compiler warnings in parser when using -O2
reenabled check_expiry
updated copyright information
reimplemented CHILD_SA rekeying & delete
  no simultaneous transaction with CHILD_SAs yet!
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
removed NAT_TRAVERSAL compile option
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
added
updated NEWS
added support for leftprotoport and rightprotoport
improved CHILD_SA output for "ipsec statusall"
updated whitelist (getprotobynumber)
redesigned IKE_SA using a transaction mechanism:
  removed old state machine
  reimplemented IKE_SA setup and delete
  implemented dead peer detection
  implemented keep-alives
  a lot of fixes
  no rekeying yet
fixed compiler warnings
made thread ids unsigned again, to avoid negative thread ids on some systems
fixed memleak when initiating a connection already up
updated leak detective whitelist
applied latest NATT patch with some fixes and cleanups
test currently without firewall
added
added
added
removed
removed version information from ipsec.conf
log entries start with lowercase character
restored lost IKEv2 packet suppression
added USE_LEAK_DETECTIVE option
fixed natd_hash memory leak
tests with subdirectory structure
removed tests
introduced subdirectory structure
support of cert payloads
lowercase log entries
distributed by ITA
added support of updown parameter
generation of default key
cosmetics
added support of updown parameter
version bump to 4.0.2
added X.509 trust chain verification
version bump to 4.0.2
ESP packet size changed
fixed bad_proposal_syntax bug
updated ignorelist for stroke_keywords.c
applied new changes from NATT team
DPD only done when no IPsec and IKE traffic processed
minor changes here and there
some message code cleanups
fixed identification_t clone to apply function pointers
cleaner error handling on UDP encapsulation sockopt failure
added mysterious UDP encapsulation socket option to get encapsulation working
fixed BAD_PROPOSAL_SYNTAX vulnerability
first merge of NATT code
fixed testing build
updated for 4.0.1 release
updated news for 4.0.1 release
fixed whitelist detection

strongswan-4.0.1 / R:1144
===========================

fixed whitelist detection
reworked function ignore mechanism to not-report whitelist rather than overriding functions
fixed execv call args to work when using strictcrl and syslog
fixed bug: usage of already freed mem
readded local_credential_store
added sendcert policy to connection
some other cleanups
implemented rereadcrls rereadcacerts
implemented rereadcrls rereadcacerts
implemented rereadcrls rereadcacerts
removed local_credential_store
fixed SPI when acting as initiator of rekeying
fixed SPI when rekeying and deleting CHILD_SAs
change key derivation order to fulfill RFC
added crl support
added listcrls
added chunk_equals_or_null()
added crl support
changed tabs from 8 to 4 spaces
added crl support
cosmetics
cosmetics (space)
fixed compilation error
updated for release
fixed aes code, we support now aes128, aes192, aes256 in IKE
added support for "ike" and "esp" keywords
fixed bugs in proposal code
algorithm selection for charon works now with ipsec.conf
a lot of other fixes
implemented clean spi allocation behavior when using multiple proposals
fixed logleve(l) keyword typo
handling of "rekey=no" parameter added
changed default algorithms to:
  ike: aes128-sha-modp2048
  esp: aes128-sha1, 3des-md5
added default CRL directory path
added strictcrlpolicy command line argument
added option parsing
added local CRLs
added rekeying parameters
corrected some descriptions
moved RSA key size constraints to definitions.h
fixed down keyword
debug and logging improvements
support for stroke listcerts|listcacerts|listcrls|listall
support for stroke listcerts|listcacerts|listall and left|rightca=
gperf creates optimum hash table for stroke keywords
using same reqid if a child sa rekeys an existing one
NULL string argument is treated as %any
add_certificate() now returns pointer to added cert
cosmetics
single tests now start up faster
workaround for peers rekeying at the same time
loading lifetime policies from ipsec.conf
old child_sa gets deleted after rekeying
rekeying almost complete, but:
  IKE_SA gets in an invalid state when both initiate rekeying at the same time,
corrected type
improved kernel interface logging
fixed clone/destroy behavior when not using CAs
specifying keysize in bits, as it is required in IKEv2
added generic kernel SA algorithm handling, which brings us:
  aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
added support for leftsendcert= and left|rightca= parameters
discard cert if CA basic constraints flag is not set and warn if cert is not valid
added public methods is_ca() and is_valid()
changed ASN.1 CONTROL log output to LEVEL2
cosmetics
removed unused Makefile
stroke.h requires libstrongswan/types.h
fixed compile warnings when using -Wall
further CHILD_SA rekeying work done:
  creation of a new CHILD_SA on an expire from a kernel works
  delete of old CHILD_SA still missing
  some issues when both initiate rekeying
updated INSTALL to conform with autotools
added a short HACKING introduction
further work for rekeying:
  get lifetimes from policy
  added new state
  initiation of rekeying done
proposal redone:
  removed support for AH+ESP proposals
proper leak detective hook for realloc
excluded pthread_setspecific from leak detective
fixed a memleak
cosmetics
ipv6-host2host scenario added
created IPv6 environment
job management:
  moved job code from thread_pool to job, jobs have an "execute" method now
  added two new jobs: delete_child_sa & rekey_child_sa
kernel interface:
  listens now for ACQUIRE & EXPIRE
  supports hard and soft lifetimes
  fires jobs for delete and rekey child sa
ike sa manager:
  can checkout IKE SAs by reqid of owned CHILD SAs
we have now the infrastructure to do the rekeying... :-)
fixed some memleaks/freebugs
leak detective works almost usable now (?!)
added host2host test for ikev2
fixed host-host tunnel traffic selection, host-host works now
bug fixed circumventing an assertion in delete_connection when ikev1 is not set
minimized prefixes on stroke logger output
charon outputs strongSwan version
tests with subjectAltNames now
fixed event queue for events >36min
included charons module tests to build & dist
full support of ikev1 and ikev2 connection flags
cosmetics in log_status output
use of streq
added testing files to dist
required the use of the "ustar" format to support filenames longer than 99 chars
lookup of private key based on keyid of public key
new functions to add certificates and retrieve private and public keys
changed log level
list ca certificates
computation of SHA-1 hash over publicKeyInfo object
moved abbreviated thread_id in front of brackets
added has_key parameter to log_certificates()
log_certificates() now shows keyid and availability of matching private key
|
|
indented loaded file log entry
|
|
moved TIMETOA_BUF definition to types.h
|
|
moved TIMETOA_BUF definition from asn1.h
|
|
define default CA_CERTIFICATE_DIR
|
|
load all ca certificates
|
|
fixed daemon destruction order to prevent
|
|
crashes on termination
|
|
fixed memleak when deleting a connection
|
|
updated todo list
|
|
policies contain a connections name now
|
|
used for initiate and delete
|
|
connections won't get initiated twice anymore
|
|
deleting of connections is now possible, which allows us to use
|
|
ipsec update and ipsec reload
|
|
changed iterator->remove behavior
|
|
ipsec up|down|route|delete require a connection name
|
|
stroke now uses constant size string buffer
|
|
changed to standard connection log output
|
|
reworked parsing and matching of subjectAltNames
|
|
added memeq() macro
|
|
moved timetoa() from asn1.c to types.c
|
|
corrected type
|
|
some logging improvements and cosmetics
|
|
handle IKE_SA setup without a piggy-packed CHILD_SA
|
|
more IKEv2 conform
|
|
initiate IKE_SA deletion befor manager destruction
|
|
improved code of chunk_equals
|
|
added streq() macro and defined default BUF_LEN
|
|
typo
|
|
build gets perl and gperf from configure now
|
|
moved built sources to maintainer-clean
|
|
show connection templates in status & statusall
|
|
don't complain on termination of IKEv1 connections
|
|
updated ipsec.conf manual to reflect actual state of
|
|
keyexchange-parameter
|
|
using hubs instead of switches, which allows us
|
|
to sniff the traffic from the host system.
|
|
changed config load strategy:
|
|
starter loads both connections in charon & pluto,
|
|
charon ignores anything with keyexchange!=ikev2.
|
|
pluto needs the same behavior.
|
|
changed build order to fix build error after distclean
|
|
load_end_certificate() now loads certificates
|
|
cosmetics
|
|
moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber
|
|
moved definition of generalNames_t to identification.h
|
|
corrrected description
|
|
reimplemented proper IKE SA deletion using a seperate state,
|
|
should conform now to IKEv2
|
|
fixed build when using --enable-leak-detective
|
|
added removed files to svn:ignore
|
|
fixed bug in pluto/Makefile.am
|
|
removed perl-generated oid.c/h from svn,
|
|
added them to "dist" and "distclean"
|
|
removed lex, yacc and gperf output from svn,
|
|
added them to "dist" and "distclean"
|
|
storing release revision in svn property "release-revision", because I forget it all the times
|
|
fixed ignorelist, should work now
|
|
added ingorelist for builded files
|
|
re-added doxygen apidoc, buildable with "make apidoc"
|
|
added missing ipsec.conf.5 to distribution :-/
|
|
fixed another typo
|
|
added missing ipsec.conf ipsec.conf.5
|
|
existing ipsec.conf won't get overwritten anymore
|
|
fixed typo in Makefile which corrupted the build
|
|
applied patch from the NAT-T team fixing several typos
|
|
applied patch from andreas, which allows certificate listing via stroke
|
|
added ipsec.conf template and man page back
|
|
removed old Makefiles
|
|
added new strongswan KDevelop project & startup hack
|
|
fixed Revision in changelog fo 4.0.0
|
|
started ChangeLog
|
|
simple script for ChangeLog update via "svn log"
|
|
fixed compliation error using --enable-smartcard
|
|
added test for ikev1-ikev2 mixed mode
|
|
added test ikev2 roadwarrior scenario
|
|
applied andreas's patch
|
|
logger output improvements
|
|
testin gupdates
|
|
and a lot more
|
|
updated testsuite to autotools
|
|
added random source ./configure options
|
|
fixed default-pkcs11 option
|
|
testcommit
|
|
fixed errors when --enable-pkcs11
|
|
added autogen script
|
|
introduced autotools
|
|
first working version
|
|
make dist should work
|
|
things to do:
|
|
UML testing!
|
|
more cleanups
|
|
fixed build
|
|
started to rebuild source layout
|
|
fixed stroke error output to starter
|
|
using random SPIs now, but without collision checks
|
|
applied some -W's from strongswan
|
|
fixed that warnings
|
|
removed IKEV2 ifdefs
|
|
applied patch from andreas
|
|
added charonstart option to config
|
|
new ikev2 tests for UML
|
|

strongSwan-4.0.0 / R:967
==========================

removed IKEV2 ifdefs
applied patch from andreas
added charonstart option to config
new ikev2 tests for UML
applied patch from andreas
pem loading
secrets file parsing
ikev2 testcase
some other additions here and there
connection termination is handled cleanly by name now
fixed bad bug, certs load now cleanly again
fixed make install (subdir order)
fixed include path
added missing script
finished initial import of strongswan file tree
removed a lot of old and unused stuff
moved RFCs from ikev2 into doc dir
added missing files for starter
applied patch for charon (this time really)
import of strongswan-2.7.0
applied patch for charon
renamed get_block_size of hasher
reworked usage of IDs in various states
using ID_ANY for any, not NULL as before
initiator sends IDr payload in IKE_AUTH when ID unique
fixed charon checks
using status & statusall
patch for 2.7.0
add connection names to connections
stroke status / ipsec status show them
added statusall for stroke
added status by connection name
some tests repaired, more to come
fixed spi conversion
improved "stroke status" output
setup PID file after daemon initialization, to correctly inform
starter about daemon startup
added separate implementation for connection_store, credential_store, policy_store
added folder structure to config
credentials are fetched solely on IDs now
identification_t supports now almost all id types
x509 certificates work with identification_t now
fixes here, fixes there
fixed doxygen build
separates now in lib and charon
library initialization done at a central point (library.c)
some leak_detective fixes
updated Todos
fixed log-to-syslog behavior
added patch against strongswan-2.6.4
x509 certificate loading with pluto asn1 code
x509 needs a lot more attention!
renamed some files
using asn1 pluto stuff now
removed, since we use pluto asn1 stuff
leak detective is usable, but does not show static function names
a script which gets address via ldd and resolves address via addr2line would be nice
fixed a leak in child_sa with new detective ;-)
some improvements to new asn1 stuff
to be continued
fixed bad bugs in kernel interface
added some logging info
works now much more stable
started importing pluto ASN1 stuff
der PKCS#1 key loading works (as it did with der_decoder)
split up in libstrong, charon, stroke, testing done
new leak detective with malloc hook in library
usable, but needs improvements
logger_manager has now a single instance per library
allows use of loggers from any linking prog
a LOT of other things
../svn-commit.tmp
added missing stroke.h
improved strokeing
down connection
status
some other tweaks
rewrote a lot of RSA stuff
done major work for ASN1/decoder
allow loading of ASN1 der encoded private keys, public keys and certificates
extracting public key from certificates
passing certificates from stroke to charon
=> basic authentication with RSA certificates works!
started work on asn1 with der de/encoder
RSA private and public key can load/read key from ASN1 DER
some other fixes here and there
rewrite of logger_manager, uses now one instance per context
cleanups for logger here and there
removed critical flag check in payload verification (conformance to IKEv2)
so that's and there's everywhere... ;-)
patch for strongswan-2.6.3
added charon support for strongswan build process
ipsec starter supports charon startup and control
removed old diploma thesis scripts
some cleanups
compatibility to strongswan, Makefile can be called by "make programs"
and "make install" (ikev2 patch must be applied to strongswan)
first version of stroke control utility
moved output to doc/api, since doc is used for other docs now
some first documentation in english
removed old eclipse project files
works quite well now with ipsec.conf & ipsec starter
belongs to previous commit ;-)
reworked configuration framework completely
configuration is now split up in: connections, policies, credentials and daemon config
further alloc/free fixes needed!
first attempt for connection loading and starting via "stroke"
some improvements here and there
configuration_manager replaced by configuration_t interface
current configuration_manager is now static_configuration (testing)
first draft of starter_configuration, which should once interact with ipsec starter (via whack?)
some cleanups
socket_t uses RAW socket, which allows parallel service of pluto/charon
comments and cleanups
working policy installation and removal
fixed policy setup bug
proposal setup implementation begun
fixed socket code, so we know on which address we receive traffic
AH/ESP setup in kernel is working now!!! :-)))
installing of child sa works
need correct IP addresses to actually use IPsec
new RFCs of IKEv2, IKEv2 algs and IPSec arch added
update of IKEv2 clarification document
refactored ike proposal
uses now proposal_t, which is also used by child proposals
ike key derivation refactored
crypter_t api has get_key_size now
some other improvements here and there
config uses uml hosts alice and bob
key derivation for child_sa works
some fixes here and there
fixed memleaks
works with new proposal code
still some(!) memleaks
fixed a lot of bugs in child_proposal
near to working state ;-)
dead end implementation

... there is a lot more of it, but nothing of interest