strongswan-4.1.0 / R:2552
===========================

fixed nat detection bug
OCSP support
updated NEWS, TODO and man page
respecting "keyingtries" parameter on IKE_SA setup
cleanups
fixed reset()
not installing a route when policy gets updated
renamed keyingtries attribute
adjusted loglevels
delay OCSP response by 5 seconds
always update reqid on policy install, fixes dpdaction=hold issue
EAP-SIM cleanups
fixed CHILD_SA rekeying/delete bug on 64bit machines
removed obsolete methods in delete_payload
Shortened distribution string
Shortened distribution string
shortened distribution string
add daemon.log to web page
remove /etc/resolv.conf
version bump to 4.1.0
added apache2/ocsp log directory to winnetou
removed killall openssl
removed killall openssl
deleted
deleted
create apache2/ocsp/ logging directory on winnetou
do not check for type of dpd action any more
create /var/log/apache2/ocsp on winnetou
added
added
added
delete virtual IP addresses after use
deleted
added
fixed case of missing subjectKeyID
corrected typo
version bump to 4.1.0
added
use CURLOPT_NOSIGNAL
added --with-sim-reader option to configure script
some cleanups in eap_sim
removed duplicated code in eap_authenticator
log reception of trusted signer certificate
version bump to 4.1.0
deleted
added
changed OCSPSigner to OCSPSigning
fixed carry bug in FIPS prf
use standard cert
deleted
deleted
added
added
modified description.txt and evaltest.dat
version number selection fix
some cleanups
cleaned up and fixed DPD handling code
removed cfg-payload dns test code
added
added
version bump to strongswan-4.1.0 and linux-2.6.20.3
cosmetics
increased control debugging output
added EAP-SIM authentication
client side only
uses an external SIM reader library specified with SIM_READER_LIB
untested
not detaching from bus when IKE_SA_INIT is retried
added AES-192/256 proposals to IKE
added generic EAP_IDENTITY client implementation using peer's IKEv2 ID
fixed compilation warnings and errors when not using curl
results from the single responses are stored in the corresponding certinfo_t structs
moved credential_store.h from charon/config/credentials to libstrongswan
last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA
fixed memory leak by calling curl_slist_free_all(headers)
fixed memory leak by calling curl_slist_free_all(headers)
whitelisting static Curl_getaddrinfo() memory leak
fixed a certinfo_t memory leak in verify()
fixed a memory leak in response_t
ocsp signer certificate and ocsp response signature can be verified
fixed memleaks when using EAP authentication
fixed configuration payloads when using EAP
fixed payload order (again)
including peer's certificate when his certreq is empty
implemented cookies as initiator
proper logging of notifies in IKE_SA setup
disabling routing for IPv6, does not work correctly
fixed call of add_auth_certificate()
generalized get_ca_certificate() to get_auth_certificate(auth_flags)
added fetcher_finalize() to clean up libcurl
some cleanups
not installing %any DNS servers
support of setting and getting authority flags
support of ocsp signing certificates
support of ocsp signing certificates
fixed payload order in IKE_AUTH
removed SHA2 kernel proposals from default, the kernel doesn't support them yet
allocation fixes, not complete
handling "No policy found" properly
added more debugging output for policy lookup
returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE
fixed CHILD_SA creation within existing IKE_SA
added ocsp_parse_single_response
ported changes from EAP branch, re-enabling EAP framework
added (not yet supported) sha2 algorithms to kernel
only adding a route if using tunnel mode
added SHA2 MAC and PRF to default proposal
added more debug output
experimental SHA2 HMAC and PRF implementations
parsing basic ocsp response
forgot to assign public.is_ocsp_signer() method
added parsing level to x509_create_from_chunk()
added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method
http post fetching using libcurl implemented
added fetcher.h and fetcher.c
added
corrected @ingroup to utils
corrected comment
start ocsp checking only if there are any ocspuris present
conntrack -F is used to flush the NAT states
the hostaccess=yes parameters are not needed anymore
use conntrack -F to flush NAT states
replaced actual virtual IP addresses by symbolic ones
removed unnecessary double quotes
nonce in ocsp_t was not properly initialized
ocsp request is now fully built but without requestor signature
starting to build ocsp request
prevent initiating multiple exchanges at the same time
updated apidoc documentation
fixed notify handling in IKE_AUTH
moved nonce payload before TS in CHILD_SA setup
moved REKEY_SA notify to the beginning of the message
fixed traffic selector redundancy removal code (not completely tested)
add crl and ocsp uris to linked list after partial verification
added print hook for certinfo_t printing
fixed typo
sending an SPI of 0 as responder when IKE_SA_INIT fails
iterate certinfos linked list for matching serialNumber
some cleanups
not assigning %any virtual IPs to peer anymore
fixed double free bug
added
fixed ID selection bug when peer doesn't include IDr payload
allowing vendor ID in any message
moved listing of crls to local_credential_store and ca
refactored ca_info_t
refactored ca_info_t
fixed netlink socket receiver code
implemented interface enumeration code with netlink: no getifaddrs required anymore
refactored kernel interface, works reliably again
implemented get_iface() using RTM_GETADDR
added support for multi-header netlink messages
really ugly now, need a lot of refactoring
added debugging for interface lookup
fixed address lookup when !using getifaddrs()
added firewalling support when using virtual IPs
added support for 0.0.0.0/0 traffic selectors
fixed routing to make correct 0.0.0.0/0 routes
config-payload scenario fixes
preparations for PLUTO_MY_SOURCEIP
corrected typo
added cert with OCSP access info
dpd now takes 180 s and 5 retransmits
changed grep to creating acquire job for CHILD SA
replaced actual virtual IPs by place holders
virtual-ip scenario has been replaced by config-payload scenario
added
added
added ocsp.h and ocsp.c
added
r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines
virtual ip uml test
fixed reauthentication when connections other is %any
merged tasking branch into trunk
fixed big endian bug in md5 hasher
cosmetics
added once flag to certinfo_t
cosmetics
added certinfos linked list
changed ca info to ca
support of ca info sections
added support of OCSP accessLocations
correct interface definition
added support of OCSP accessLocations
full support of ca info records
added the create_crluri_iterator method
replace ca is realized as del_ca followed by add_ca
last CA keyword is KW_OCSPURI2
full support of ca info records
full support of ca info records
alphabetically sorting print commands
listing ca_info items
replace printf.h by stdio.h
adding get_keyid() method
support of ca info records
support of ca info records
version bump to 4.0.8
support of ca info records
support of ca info records
typo
SHA512-HMAC bug fix and hash function self-test support
SHA512-HMAC bug fix and hash function self-test support
handle strong SHA-2 signatures in X.509 certificates
SHA-2 fixes and add-ons
version bumps
remove strong certs and keys after test
added
using "left" as my host per default, swapping to "right" when needed
respecting source address when sending packets
added PRINT_CAINFO hook
stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp
enable IP forwarding
prepared support of ca information records and ocsp functionality
added support of ca information records and ocsp keywords
enabled adding and deleting ca information records
fixed starter crash due to freeing default IPSEC_EAPDIR string
add --eapdir option only if defined in ipsec.conf
removed eap aka module due to nda
merged EAP framework from branch into trunk
includes a lot of other modifications
%T requires time_t ptr
removed my time_t printf handler patch, applied the one of andreas (64-bit safe)
fixed printf() hooks for time
added support for NULL encryption in ESP
be more liberal in accepting notifies with a protocol id
include NO_EXT_SEQUENCE_NUMBER in default proposal
output peer id if RSA public key is not found
fixed typo
version bump to 4.0.8
added address listing without getifaddrs for uclibc (only IPv4 yet)
added threads to support multiple simultaneous stroke requests
renamed all static clone() functions to avoid naming conflicts with uclibc
sending proper signal to the bus when detecting a dead peer
added configuration of XAUTH and ModeConfig push mode
version bump
version bump
Cisco XAUTH interoperability
XAUTH interoperability with Cisco
removed IPSECPOLICY compile option
unload xauth_module only if XAUTH_DEFAULT_LIB is defined
loading the XAUTH module requires libdl
added some more attributes, inst XAUTH_TYPE in reply
Mode Config refactoring
XAUTH fixes and Cisco Unity support
log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings
added Cisco Unity ModeCfg attributes
version bump to 4.0.7
fixed 64 bit issue with print time
fixed XAUTHResp bug
included xauth.h
use uml_mconsole to check end of booting process
name the created CHILD_SA
doubled PAYLIMIT to 40 payloads
version bump
show rekeying|reauthentication time
show name of created CHILD_SA
combined use_in and use_fwd
corrected typo
cosmetics
cosmetics
fixed an enumeration error, added CISCO_IOS VID
fixed mismatch in interface definition of get_secret()
forward declaration of struct state not needed
cosmetics
added firewall support to scenario
updated changelog for 4.0.6
fixed crash when CA for certrequest not found
fixed build when !using smartcard
removed unused debugging code
updated NEWS for 4.0.6


strongswan-4.0.6 / R:2131
===========================

updated NEWS for 4.0.6
readded transport mode test using new status output
removed duplicated host2host-transport test
fixed reauthentication when using %any hosts
support for transport in create_child_sa
include TRANSPORT/TUNNEL information in statusall
load xauth module via dlopen()
define path to xauth module
added host2host-transport scenario
removed trailing lines
added XAUTH support
fixed typo
added XAUTH server and client support
load and unload XAUTH module
added xauth.h and xauth.c
added enable-cisco-quirks configure option
added xauth scenarios
added config option for BEET mode
fixed reauthentication when connections other host is %any
fixed host conversion length check
negated POLICY_REAUTH to POLICY_DONT_REAUTH
negated POLICY_REAUTH to POLICY_DONT_REAUTH
enable XAUTH_VID by default
added support for transport mode and (experimental!) BEET mode
support for the type=transport/tunnel parameter in charon
fixed charset & cleanups
added XAUTH server and client support
additional parentheses for same_chunk() macro
renamed to appear in doxygen build
added a roadmap of the strongSwan project (TODO)
added some NEWS
first try to update ipsec.conf manual
implemented reauthentication using the new reauth=yes|no parameter
fixed more uClibc issues
should compile against a uClibc > 0.9.28 (untested)
added XAUTH client states
version bump to 4.0.6
fixed stddef.h include
fixed encoding rules string
updated todo
fixed some byte-order issues
fixed HAVE_BACKTRACE checks
starter Makefile now uses proper $(COMPILE) to build pluto objects
made backtrace() calls optional to support uClibc
XAUTH support
XAUTH support
fixed bug in ifdef CISCO_QUIRKS
added XAUTH support
support of Cisco Unity VID
added new VIDs
version bump to 4.0.6
fixed case with wildcard peer ID and static peer address
added simple script to port trunk changes into branches
start kdevelop with project file from actual branch
updated changelog
fixed typos


strongswan-4.0.5 / R:1447
===========================

fixed typos
improved selection of ipsec status|statusall <name>
fixed NEWS (runtime debug level options)
fixed credits
fixed very old bug in linked_list's remove_first and remove_last
proper "ipsec up" signal handling when initiating to %any
removed iterator hook for replace
fixed output of proto/port selectors
cosmetics
due to console logging, no need for final sleep anymore
adapted checks to changed ipsec status output
due to narrowing no need for rightsubnetwithin
no need to send certreq
fixed ipsec status|statusall <name>
log IKE SPIs on a separate line
redesigned formatting of ipsec status|statusall
cosmetics
version bumps of strongSwan, Linux kernel and Gentoo root file system
corrected description
added dpd-hold scenario
added new features
fixed 64 bit issue
solved 64 bit issue by changing long to int
solved 64 bit issue in push/pop stroke interface
fixed 64 bit issue
some fixes for doxygen
better split up of library files "types.h" & "definitions.h"
centralized all printf specifier character definitions
reuse of arginfo handlers
more cleanups
fixed more AMD64 issues
added DEBUG_LEVEL compile flag to exclude DBGn() statements
added nodebug configure script without any debug messages and without -g
preparations to include certreqs in policy decisions
do not send certreq payloads when the peer is known to use PSK
position of (myself) moved in log output
do not send certreq payloads when using self-signed certs
moved (myself) in log output
moved typedefs to beginning of files to solve some include problems
split authenticator to have a separate implementation for each auth_method_t
using va_copy to clone va_lists, should fix problems on AMD64
some other cleanups
do not sanitize '*' character
fixed SIGSEGV when setup of an additional CHILD_SA fails
added IKEv2 clarifications RFC
changed debug level of certreq log output
cosmetics in debug output
support of certreq payload in IKE_AUTH messages
chunk_to_hex() function declaration deleted
added function certreq_payload_create_from_x509()
send a certreq as initiator if other_ca is set
added method get_ca_certificate()
added methods get_my_ca() and get_other_ca()
added methods get_my_ca() and get_other_ca()
added some missing 'AUD' entries
cosmetics
cosmetics
change due to changed debug output
spaces should not be sanitized
fixed due to new logging concept
some improvements in signaling code
include only source NATD payloads really needed
updated for NAT team
improved signal handling and emitting
support of ModeCfg Push mode
support of mixed RSA/PSK static connections
support of ipsec statusall in state output
output of 'DPD active' in ISAKMP SAs
support of ipsec statusall in state output
added natip support
added has_natip flag
added ModeCfg push policy and states
added ModeCfg push policy and states
fixed typo in debug statement
redesigned list output format
added 'modeconfig=pull|push' and 'left|rightnatip' keywords
added has_natip flag
added has_natip flag
added 'exit' statement in listcerts,.. case
fixed two bugs in the time_t and chunk_ct print functions
redesigned format of print function
replaced 'times' by 'dates'
added private flag to asn1_init
added private flag to asn1_ctx_t
removed DES-EDE3-CBC only comment
removed deprecated iterator methods (has_next & current)
added iterator hook to manipulate iterator the clean way
linked list cleanups
added list methods invoke(), destroy_offset(), destroy_function()
simplified list destruction when destroying its items
added verbosity level to stroke
upgrade to new Gentoo root file system and tcpdump command
added
deleted
renamed ikev1 scenario and added ikev2 scenario
added new scenarios
Version bumps of UML kernel, Gentoo root file system and strongSwan release
code cleanups in printf handlers
added eap authentication draft for ikev2
updated stroke to allow run-time manipulation of debug levels
added charondebug config parameter to set debug level at startup
introduced new logging subsystem using bus:
passive listeners can register on the bus
active listeners wait for signals actively
multiplexing allows multiple listeners to receive debug signals
a lot more...
updated file filter for kdev project
include CREDITS file in distribution
moved various scripts in scripts/ dir
add configure script wrappers
removed txt files from doxygen
removed module tests, outdated. We need something more system-test like
added missing -DDEBUG compile option
fixed auxiliary message data parsing for IPV6 socket
using SOL_* constants for socket level
fixed IPV6_PKTINFO setsockopt() to work with most kernel headers
replaced strerror(errno) with %m printf specifier
added stronger certs for moon, carol, and dave
added IPv6 hw and multicast addresses
adapted to new tcpdump ipv6 output
multi-level-ca scenarios use unencrypted private key
added scenario
fixed timing
new gentoo root file system
fixed bug with openldap 2.3
removed ipsec.conf version information
carolKey.pem is now protected by 3DES passphrase
updated net runlevel scripts
updated net init scripts
new net configuration format
HW addresses must be predefined
cosmetics
added USE_LIBCURL
cosmetics
found libraries are not appended to LIBS anymore
version bump to 4.0.5
fixed DPD to survive IKE_SA rekeying
introduced printf() specifiers for:
host_t (%H)
identification_t (%D)
chunk pointers (%B)
memory pointer/length (%b)
added a signaling bus:
receives event and debug messages, sends them to its listeners
stream_logger, sys_logger, file_logger added, listen to bus
some other tweaks here and there
added often used RFCs and drafts
DES for private key encryption is not supported
updated NEWS and ChangeLog for 4.0.4 release
fixed retransmission policy for responder
fixed dpd for responder
added ID_ANY check to matches_binary()
replaced 'missing value' warning by zero length chunk_t value
defined maximum hash size
support of AES-192-CBC private key encryption
added hostaccess support
added hostaccess support
moved auth_method to policy
added hostaccess support
added hostaccess support
more consistent authentication logging
added hostaccess support
moved auth_method to policy
moved auth_method to policy
added hostaccess support; moved auth_method to policy
added hostaccess support
added hostaccess support
added new test scenarios
fixed some compiler warnings


strongswan-4.0.4 / R:1289
===========================

fixed some compiler warnings
extended statusall output
added job/event-queue statistics
added allocation statistics when using LEAK_DETECTIVE
fixed include typo
public declaration of all HASH_SIZEs in hasher.h
support of encrypted private key files
added copyright notice to sha2_hasher
included SHA2 in build process
implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512
added support for 3DES encryption algorithm in IKE
fixed the ids parsing bug
fixed the ids parsing bug
updated TODOs
fixed memleak
fixed proper handling of id parsing errors
proper return value when no PSK found
added HOST_ACCESS for firewall script as default
more debugging output for PSK authentication
some cleanups here and there
added auth_method field
added auth_method field
cosmetics
verify_emsa_pkcs1_signature returns status_t
cosmetics
added PSK support
enabled firewall support
proper error handling for socket creation
handle certificate parsing error more generously
fixed certificate verification bug!
fixed memleak when receiving invalid certificate
version bump to 4.0.4
version bump to 4.0.4
two new test scenarios
fixed path to images directory
implemented updown script to handle firewalling
add priority management for kernel policy
leave ROUTED policies installed until manually removed
introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
ike_sa_manager cleanups
implemented handling of dpdaction and dpddelay ipsec.conf parameters
reuse reqid when a ROUTED child_sa gets INSTALLED
fixed a bug in retransmission code
added support for the "keyingtries" ipsec.conf parameter
added support for the "dpddelay" ipsec.conf parameter
done some work for "dpdaction" behavior
some other cleanups and fixes
fixed an at-least-one-year-old bug which caused crashes in the scheduler
added raw socket filter for IPv6
implemented NAT detection for IPv6
removed unneeded constructor
initial support for IPv6 (more testing needed)
socket works (without v6 filter)
traffic selector handle IPv4/v4 cleanly
improvements in traffic selector code
kernel interface accepts v6 traffic selectors and hosts
host_t class has full IPv6 support
added stddef.h include for compilers which do not support the offsetof() directive
moved interface enumeration code to socket, where it belongs
query interfaces every time we need it to respect changes in network config
added address listing on startup and "ipsec statusall"
version bump of UML kernel to 2.6.17.11
fixed crash bug when doing "ipsec down" with an unknown connection
added name property in CHILD_SA, allows proper status output
fixed bug which prevented port float when nat is detected
version bumps
'sha' and 'sha1' are now treated as synonyms
updated Changelog and other docs


a1310b6b MW |
584 | strongswan-4.0.3 / R:1235 |
585 | =========================== | |
586 | ||
587 | fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD) | |
588 | implement proper handling of most simultaneous IKE_SA rekeying cases | |
589 | version bump to 4.0.3 | |
590 | implemented proper refcounting using atomic operations | |
591 | implemented IKE_SA rekeying | |
592 | uses ikelifetime, rekeymargin and rekeyfuzz config settings | |
593 | no handling of simultaneus exchanges yet! | |
594 | added possibility to route CHILD_SAs, without to set them up | |
595 | support for auto=route parameter | |
596 | support for ipsec route and ipsec unroute | |
597 | initiating of CHILD and/or IKE_SAs based on kernel acquires | |
598 | reuse an existing IKE_SA to set up additional CHILD_SAs | |
599 | introduced refcounting on policy and connections | |
600 | aren't stored in the IKE_SA anymore, they are queried on the fly | |
601 | are immutable now, allows it to share them | |
602 | policy selection based on traffic selectors, leads to valid lookup results | |
603 | rekeying queries the policy based on its traffic selectors | |
604 | cleanups in kernel interface code | |
605 | added proper traffic selector to string conversion | |
606 | some cleanups here & there | |
607 | X.509 certificate trust path verification | |
608 | added | |
609 | fixed UDP decapsulation by adding inbound bypass policy for send socket | |
610 | updated mixed tests to new charon output | |
611 | corrected DPD entry | |
612 | reenabled module tests for charon | |
613 | fixed bug which erroneously detected KE payload when rekeying | |
614 | added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT | |
615 | improved logging on verify errors for some payloads | |
616 | enforcing IKE_SA shutdown, even when transactions are outstanding | |
617 | proper reject of CREATE_CHILD_SA message with KE payload | |
618 | added test cases from NAT team | |
619 | updated all IKEv2 tests to work with new status output | |
620 | added tcpdumpcount function from NATT guys | |
621 | added possibility to mount the strongswan tree into all UMLs | |
622 | added script for installing from shared tree in all UMLs | |
623 | added script to shut down all UMLs properly | |
624 | removed in favour of tests from NAT team | |
625 | fixed CREATE_CHILD_SA transaction dispatching | |
626 | added CHILD_SA states, which allows us to detect further simultaneous transactions | |
627 | reimplemented the buggy message id handling | |
628 | updated some inline docs | |
629 | fixed crypter/signer in/out to conform with standard | |
630 | fixed payload order | |
631 | added message id logging | |
632 | added all currently known notify payload types | |
633 | added policy cache to kernel interface | |
634 | allows refcounting of multiple installed policies | |
635 | finally brings us stable simultaneous rekeying | |
636 | leak detective blanks memory on free & alloc, allows further membug detection | |
637 | code cleanups | |
638 | identification_t.matches() supports multiple wildcard counts | |
639 | identification_t.matches() supports multiple wildcard counts | |
640 | further work done for simultaneous rekeying/delete | |
641 | still some cases which cause trouble | |
642 | fixed compiler warnings in parser when using -O2 | |
643 | reenabled check_expiry | |
644 | updated copyright information | |
645 | reimplemented CHILD_SA rekeying & delete | |
646 | no simultanous transaction with CHILD_SAs yet! | |
647 | removed NAT_TRAVERSAL and VIRTUAL_IP compile options | |
648 | removed NAT_TRAVERSAL compile option | |
649 | removed NAT_TRAVERSAL and VIRTUAL_IP compile options | |
650 | added | |
651 | updated NEWS | |
652 | added support for leftprotoport and rightprotoport | |
653 | improved CHILD_SA output for "ipsec statusall" | |
654 | updated whitelist (getprotobynumber) | |
655 | redesigned IKE_SA using a transaction mechanism: | |
656 | removed old state machine | |
657 | reimplemented IKE_SA setup and delete | |
658 | implemented dead peer detection | |
659 | implemented keep-alives | |
660 | a lot of fixes | |
661 | no rekeying yet | |
662 | fixed compiler warnings | |
663 | made thread ids unsigned again, to avoid negative thread ids on some systems | |
664 | fixed memleak when initiating a connection already up | |
665 | updated leak detective whitelist | |
666 | applied latest NATT patch with some fixes and cleanups | |
667 | test currently without firewall | |
668 | added | |
669 | added | |
670 | added | |
671 | removed | |
672 | removed version information from ipsec.conf | |
673 | log entries start with lowcercase character | |
674 | restored lost IKEv2 packet suppression | |
675 | added USE_LEAK_DETECTIVE option | |
676 | fixed natd_hash memory leak | |
677 | tests with subdirectory structure | |
678 | removed tests | |
679 | introduced subdirectory structure | |
680 | support of cert payloads | |
681 | lowercase log entries | |
682 | distributed by ITA | |
683 | added support of updown parameter | |
684 | generation of default key | |
685 | cosmetics | |
686 | added support of updown parameter | |
687 | version bump to 4.0.2 | |
688 | added X.509 trust chain verification | |
689 | version bump to 4.0.2 | |
690 | ESP packet size changed | |
691 | fixed bad_proposal_syntax bug | |
692 | updated ignorelist for stroke_keywords.c | |
693 | applied new changes from NATT team | |
694 | DPD only done when no IPsec and IKE traffic processed | |
695 | minor changes here and there | |
696 | some message code cleanups | |
697 | fixed identification_t clone to apply function pointers | |
698 | cleaner error handling on UDP encapsulation sockopt failure | |
699 | added mysterious UDP encapsulation socket option to get encapsulation working | |
700 | fixed BAD_PROPOSAL_SYNTAX vulnerability | |
701 | first merge of NATT code | |
702 | fixed testing build | |
703 | updated for 4.0.1 release | |
704 | updated news for 4.0.1 release | |
705 | fixed whitelist detection | |
706 | ||
707 | ||
e986c40b MW |
708 | strongswan-4.0.1 / R:1144 |
709 | =========================== | |
710 | ||
711 | fixed whitelist detection | |
712 | reworked function ignore mechanism to not-report whitelist | |
713 | rather than overriding functions | |
714 | fixed execv call args to work when using strictcrl and syslog | |
715 | fixed bug: usage of already freed mem | |
716 | readded local_credential_store | |
717 | added sendcert policy to connection | |
718 | some other cleanups | |
719 | implemented rereadcrls rereadcacerts | |
720 | implemented rereadcrls rereadcacerts | |
721 | implemented rereadcrls rereadcacerts | |
722 | removed local_credential_store | |
723 | fixed SPI when acting as initiator of rekeying | |
724 | fixed SPI when rekeying and deleting CHILD_SAs | |
725 | change key derivation order to fulfill RFC | |
726 | added crl support | |
727 | added listcrls | |
728 | added chunk_equals_or_null() | |
729 | added crl support | |
730 | changed tabs from 8 to 4 spaces | |
731 | added crl support | |
732 | cosmetics | |
733 | cosmetics (space) | |
734 | fixed compilation error | |
735 | updated for release | |
736 | fixed aes code, we support now aes128, aes192, aes256 in IKE | |
737 | added support for "ike" and "esp" keywords | |
738 | fixed bugs in proposal code | |
739 | algorithm selection for charon works now with ipsec.conf | |
740 | a lot of other fixes | |
741 | implemented clean spi allocation behavior when using multiple proposals | |
742 | fixed logleve(l) keyword typo | |
743 | handling of "rekey=no" parameter added | |
744 | changed default algorithms to: | |
745 | ike: aes128-sha-modp2048 | |
746 | esp: aes128-sha1, 3des-md5 | |
747 | added default CRL directory path | |
748 | added strictcrlpolicy command line argument | |
749 | added option parsing | |
750 | added local CRLs | |
751 | added rekeying parameters | |
752 | corrected some descriptions | |
753 | moved RSA key size constraints to definitions.h | |
754 | fixed down keyword | |
755 | debug and logging improvements | |
756 | support for stroke listcerts|listcacerts|listcrls|listall | |
757 | support for stroke listcerts|listcacerts|listall and left|rightca= | |
758 | gperf creates optimum hash table for stroke keywords | |
759 | using same reqid if a child sa rekeys an existing one | |
760 | NULL string argument is treated as %any | |
761 | add_certificate() now returns pointer to added cert | |
762 | cosmetics | |
763 | single tests now start up faster | |
764 | workaround for peers rekeying at the same time | |
765 | loading lifetime policies from ipsec.conf | |
766 | old child_sa gets deleted after rekeying | |
767 | rekeying almost complete, but: | |
768 | IKE_SA gets into an invalid state when both initiate rekeying at the same time, | |
769 | corrected type | |
770 | improved kernel interface logging | |
771 | fixed clone/destroy behavior when not using CAs | |
772 | specifying keysize in bits, as it is required in IKEv2 | |
773 | added generic kernel SA algorithm handling, which brings us: | |
774 | aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs | |
775 | added support for leftsendcert= and left|rightca= parameters | |
776 | discard cert if CA basic constraints flag is not set and warn if cert is not valid | |
777 | added public methods is_ca() and is_valid() | |
778 | changed ASN.1 CONTROL log output to LEVEL2 | |
779 | cosmetics | |
780 | removed unused Makefile | |
781 | stroke.h requires libstrongswan/types.h | |
782 | fixed compile warnings when using -Wall | |
783 | further CHILD_SA rekeying work done: | |
784 | creation of a new CHILD_SA on a expire from a kernel works | |
785 | delete of old CHILD_SA still missing | |
786 | some issues when both initiate rekeying | |
787 | updated INSTALL to conform with autotools | |
788 | added a short HACKING introduction | |
789 | further work for rekeying: | |
790 | get lifetimes from policy | |
791 | added new state | |
792 | initiation of rekeying done | |
793 | proposal redone: | |
794 | removed support for AH+ESP proposals | |
795 | proper leak detective hook for realloc | |
796 | excluded pthread_setspecific from leak detective | |
797 | fixed a memleak | |
798 | cosmetics | |
799 | ipv6-host2host scenario added | |
800 | created IPv6 environment | |
801 | job management: | |
802 | moved job code from thread_pool to job, jobs have an "execute" method now | |
803 | added two new jobs: delete_child_sa & rekey_child_sa | |
804 | kernel interface: | |
805 | listens now for ACQUIRE & EXPIRE | |
806 | supports hard and soft lifetimes | |
807 | fires jobs for delete and rekey child sa | |
808 | ike sa manager: | |
809 | can checkout IKE SAs by reqid of owned CHILD SAs | |
810 | we have now the infrastructure to do the rekeying... :-) | |
811 | fixed some memleaks/freebugs | |
812 | leak detective works almost usable now (?!) | |
813 | added host2host test for ikev2 | |
814 | fixed host-host tunnel traffic selection, host-host works now | |
815 | bug fixed circumventing an assertion in delete_connection when ikev1 is not set | |
816 | minimized prefixed on stroke logger output | |
817 | charon outputs strongSwan version | |
818 | tests with subjectAltNames now | |
819 | fixed event queue for events >36min | |
820 | included charon's module tests to build & dist | |
821 | full support of ikev1 and ikev2 connection flags | |
822 | cosmetics in log_status output | |
823 | use of streq | |
824 | added testing files to dist | |
825 | required the use of the "ustar" format to support | |
826 | filenames longer than 99 chars | |
827 | lookup of private key based on keyid of public key | |
828 | new functions to add certificates and retrieve private and public keys | |
829 | changed log level | |
830 | list ca certificates | |
831 | computation of SHA-1 hash over publicKeyInfo object | |
832 | moved abbreviated thread_id in front of brackets | |
833 | added has_key parameter to log_certificates() | |
834 | log_certificates() now shows keyid and availability of matching private key | |
835 | indented loaded file log entry | |
836 | moved TIMETOA_BUF definition to types.h | |
837 | moved TIMETOA_BUF definition from asn1.h | |
838 | define default CA_CERTIFICATE_DIR | |
839 | load all ca certificates | |
840 | fixed daemon destruction order to prevent | |
841 | crashes on termination | |
842 | fixed memleak when deleting a connection | |
843 | updated todo list | |
844 | policies contain a connection's name now | |
845 | used for initiate and delete | |
846 | connections won't get initiated twice anymore | |
847 | deleting of connections is now possible, which allows us to use | |
848 | ipsec update and ipsec reload | |
849 | changed iterator->remove behavior | |
850 | ipsec up|down|route|delete require a connection name | |
851 | stroke now uses constant size string buffer | |
852 | changed to standard connection log output | |
853 | reworked parsing and matching of subjectAltNames | |
854 | added memeq() macro | |
855 | moved timetoa() from asn1.c to types.c | |
856 | corrected type | |
857 | some logging improvements and cosmetics | |
858 | handle IKE_SA setup without a piggy-backed CHILD_SA | |
859 | more IKEv2 conform | |
860 | initiate IKE_SA deletion before manager destruction | |
861 | improved code of chunk_equals | |
862 | added streq() macro and defined default BUF_LEN | |
863 | typo | |
864 | build gets perl and gperf from configure now | |
865 | moved built sources to maintainer-clean | |
866 | show connection templates in status & statusall | |
867 | don't complain on termination of IKEv1 connections | |
868 | updated ipsec.conf manual to reflect actual state of | |
869 | keyexchange-parameter | |
870 | using hubs instead of switches, which allows us | |
871 | to sniff the traffic from the host system. | |
872 | changed config load strategy: | |
873 | starter loads both connections in charon & pluto, | |
874 | charon ignores anything with keyexchange!=ikev2. | |
875 | pluto needs the same behavior. | |
876 | changed build order to fix build error after distclean | |
877 | load_end_certificate() now loads certificates | |
878 | cosmetics | |
879 | moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber | |
880 | moved definition of generalNames_t to identification.h | |
881 | corrected description | |
882 | reimplemented proper IKE SA deletion using a separate state, | |
883 | should conform now to IKEv2 | |
884 | fixed build when using --enable-leak-detective | |
885 | added removed files to svn:ignore | |
886 | fixed bug in pluto/Makefile.am | |
887 | removed perl-generated oid.c/h from svn, | |
888 | added them to "dist" and "distclean" | |
889 | removed lex, yacc and gperf output from svn, | |
890 | added them to "dist" and "distclean" | |
891 | storing release revision in svn property "release-revision", because I forget it all the times | |
892 | fixed ignorelist, should work now | |
893 | added ignorelist for built files | |
894 | re-added doxygen apidoc, buildable with "make apidoc" | |
895 | added missing ipsec.conf.5 to distribution :-/ | |
896 | fixed another typo | |
897 | added missing ipsec.conf ipsec.conf.5 | |
898 | existing ipsec.conf won't get overwritten anymore | |
899 | fixed typo in Makefile which corrupted the build | |
900 | applied patch from the NAT-T team fixing several typos | |
901 | applied patch from andreas, which allows certificate listing via stroke | |
902 | added ipsec.conf template and man page back | |
903 | removed old Makefiles | |
904 | added new strongswan KDevelop project & startup hack | |
905 | fixed Revision in changelog for 4.0.0 | |
906 | started ChangeLog | |
907 | simple script for ChangeLog update via "svn log" | |
908 | fixed compilation error using --enable-smartcard | |
909 | added test for ikev1-ikev2 mixed mode | |
910 | added test ikev2 roadwarrior scenario | |
911 | applied andreas's patch | |
912 | logger output improvements | |
913 | testing updates | |
914 | and a lot more | |
915 | updated testsuite to autotools | |
916 | added random source ./configure options | |
917 | fixed default-pkcs11 option | |
918 | testcommit | |
919 | fixed errors when --enable-pkcs11 | |
920 | added autogen script | |
921 | introduced autotools | |
922 | first working version | |
923 | make dist should work | |
924 | things to do: | |
925 | UML testing! | |
926 | more cleanups | |
927 | fixed build | |
928 | started to rebuild source layout | |
929 | fixed stroke error output to starter | |
930 | using random SPIs now, but without collision checks | |
931 | applied some -W's from strongswan | |
932 | fixed those warnings | |
933 | removed IKEV2 ifdefs | |
934 | applied patch from andreas | |
935 | added charonstart option to config | |
936 | new ikev2 tests for UML | |
937 | ||
d7272314 MW |
938 | strongSwan-4.0.0 / R:967 |
939 | ========================== | |
8ba04040 | 940 | |
22ff6f57 MW |
941 | removed IKEV2 ifdefs |
942 | applied patch from andreas | |
943 | added charonstart option to config | |
944 | new ikev2 tests for UML | |
945 | applied patch from andreas | |
946 | pem loading | |
947 | secrets file parsing | |
948 | ikev2 testcase | |
949 | some other additions here and there | |
950 | connection termination is handled cleanly by name now | |
951 | fixed bad bug, certs load now cleanly again | |
952 | fixed make install (subdir order) | |
953 | fixed include path | |
954 | added missing script | |
955 | finished initial import of strongswan file tree | |
956 | removed a lot of old and unused stuff | |
957 | moved RFCs from ikev2 into doc dir | |
958 | added missing files for starter | |
959 | applied patch for charon (this time really) | |
960 | import of strongswan-2.7.0 | |
961 | applied patch for charon | |
962 | renamed get_block_size of hasher | |
963 | reworked usage of IDs in various states | |
964 | using ID_ANY for any, not NULL as before | |
965 | initiator sends IDr payload in IKE_AUTH when ID unique | |
966 | fixed charon checks | |
967 | using status & statusall | |
968 | patch for 2.7.0 | |
969 | add connection names to connections | |
970 | stroke status / ipsec status shows them | |
971 | added statusall for stroke | |
972 | added status by connection name | |
973 | some tests repaired, more to come | |
974 | fixed spi conversion | |
975 | improved "stroke status" output | |
976 | setup PID file after daemon initialization, to correctly inform | |
8ba04040 | 977 | starter about daemon startup |
22ff6f57 MW |
978 | added separate implementation for connection_store, credential_store, policy_store |
979 | added folder structure to config | |
980 | credentials are fetched solely on IDs now | |
981 | identification_t supports now almost all id types | |
982 | x509 certificates work with identification_t now | |
983 | fixes here, fixes there | |
984 | fixed doxygen build | |
985 | separates now in lib and charon | |
986 | library initialization done at a central point (library.c) | |
987 | some leak_detective fixes | |
988 | updated Todos | |
989 | fixed log-to-syslog behavior | |
990 | added patch against strongswan-2.6.4 | |
991 | x509 certificate loading with pluto asn1 code | |
992 | x509 needs a lot more attention! | |
993 | renamed some files | |
994 | using asn1 pluto stuff now | |
995 | removed, since we use pluto asn1 stuff | |
996 | leak detective is usable, but does not show static function names | |
997 | a script which gets address via ldd and resolves address via addr2line would be nice | |
998 | fixed a leak in child_sa with new detective ;-) | |
999 | some improvements to new asn1 stuff | |
1000 | to be continued | |
1001 | fixed bad bugs in kernel interface | |
1002 | added some logging info | |
1003 | works now much more stable | |
1004 | started importing pluto ASN1 stuff | |
1005 | der PKCS#1 key loading works (as it did with der_decoder) | |
1006 | split up in libstrong, charon, stroke, testing done | |
1007 | new leak detective with malloc hook in library | |
1008 | useable, but needs improvements | |
1009 | logger_manager has now a single instance per library | |
1010 | allows use of loggers from any linking prog | |
1011 | a LOT of other things | |
8ba04040 | 1012 | ../svn-commit.tmp |
22ff6f57 MW |
1013 | added missing stroke.h |
1014 | improved strokeing | |
1015 | down connection | |
1016 | status | |
1017 | some other tweaks | |
1018 | rewrote a lot of RSA stuff | |
1019 | done major work for ASN1/decoder | |
1020 | allow loading of ASN1 der encoded private keys, public keys and certificates | |
1021 | extracting public key from certificates | |
1022 | passing certificates from stroke to charon | |
8ba04040 | 1023 | => basic authentication with RSA certificates works! |
22ff6f57 MW |
1024 | starter work on asn1 with der de/encoder |
1025 | RSA private and public key can load read key from ASN1 DER | |
1026 | some other fixes here and there | |
1027 | rewrite of logger_manager, uses now one instance per context | |
1028 | cleanups for logger here and there | |
1029 | removed critical flag check in payload verification (conformance to IKEv2) | |
1030 | so that's and there's everywhere... ;-) | |
1031 | patch for strongswan-2.6.3 | |
1032 | added charon support for strongswan build process | |
1033 | ipsec starter supports charon startup and control | |
1034 | removed old diploma thesis scripts | |
1035 | some cleanups | |
1036 | compatibility to strongswan, Makefile can be called by "make programs" | |
8ba04040 | 1037 | and "make install" (ikev2 patch must be applied to strongswan) |
22ff6f57 MW |
1038 | first version of stroke control utility |
1039 | moved output to doc/api, since doc is used for other docs now | |
1040 | some first documentation in english | |
1041 | removed old eclipse project files | |
1042 | works quite well now with ipsec.conf & ipsec starter | |
1043 | belongs to previous commit ;-) | |
1044 | reworked configuration framework completely | |
1045 | configuration is now split up in: connections, policies, credentials and daemon config | |
1046 | further alloc/free fixes needed! | |
1047 | first attempt for connection loading and starting via "stroke" | |
1048 | some improvements here and there | |
1049 | configuration_manager replaced by configuration_t interface | |
1050 | current configuration_manager is now static_configuration (testing) | |
1051 | first draft of starter_configuration, which should once interact with ipsec starter (via whack?) | |
1052 | some cleanups | |
1053 | socket_t uses RAW socket, which allows parallel service of pluto/charon | |
1054 | comments and cleanups | |
1055 | working policy installation and removal | |
1056 | fixed policy setup bug | |
1057 | proposal setup implementation begun | |
1058 | fixed socket code, so we know on which address we receive traffic | |
1059 | AH/ESP setup in kernel is working now!!! :-))) | |
1060 | installing of child sa works | |
1061 | need correct IP addresses to actually use IPsec | |
1062 | new RFCs of IKEv2, IKEv2 algs and IPSec arch added | |
1063 | update of IKEv2 clarification document | |
1064 | refactored ike proposal | |
1065 | uses now proposal_t, which is also used by child proposals | |
1066 | ike key derivation refactored | |
1067 | crypter_t api has get_key_size now | |
1068 | some other improvements here and there | |
1069 | config uses uml hosts alice and bob | |
1070 | key derivation for child_sa works | |
1071 | some fixes here and there | |
1072 | fixed memleaks | |
1073 | works with new proposal code | |
1074 | still some(!) memleaks | |
1075 | fixed a lot of bugs in child_proposal | |
1076 | near to working state ;-) | |
1077 | dead end implementation | |
8ba04040 | 1078 | |
22ff6f57 | 1079 | ... there is a lot more of it, but nothing of interest |