fixed typos

[thirdparty/strongswan.git] / ChangeLog

 strongswan-4.0.4 / R:1289 
===========================

fixed some compiler warnings
extended statusall output
  added job/event-queue statistics
  added allocation statistics when using LEAK_DETECTIVE
fixed include typo
public declaration of all HASH_SIZEs in hasher.h
support of encrypted private key files
added copyright notice to sha2_hasher
included SHA2 in build process
implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512
added support for 3DES encryption algorithm in IKE
fixed the ids parsing bug
fixed the ids parsing bug
updated TODOs
fixed memleak
fixed proper handling of id parsing errors
proper return value when no PSK found
added HOST_ACCESS for firewall script as default
more debugging output for PSK authentication
some cleanups here and there
added auth_method field
added auth_method field
cosmetics
verify_emsa_pkcs1_signature returns status_t
cosmetics
added PSK support
enabled firewall support
proper error handling for socket creation
handle certificate parsing error more generous
fixed certificate verification bug!
fixed memleak when receiving invalid certificate
version bump to 4.0.4
version bump to 4.0.4
two new test scenarios
fixed path to images directory
implemented updown script to handle firewalling
add priority management for kernel policy
let ROUTED policies installed, until manuall removed
introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
ike_sa_manager cleanups
implemented handling of dpdaction and dpddelay ipsec.conf parameters
reuse reqid when a ROUTED child_sa gets INSTALLED
fixed a bug in retransmission code
added support for the "keyingtries" ipsec.conf parameter
added support for the "dpddelay" ipsec.conf parameter
done some work for "dpdaction" behavior
some other cleanups and fixes
fixed a at-least-one-year-old bug which caused crashed in the scheduler
added raw socket filter for IPv6
implemented NAT detection for IPv6
removed unneeded constructor
initial support for IPv6 (more testing needed)
  socket works (without v6 filter)
  traffic selector handle IPv4/v4 cleanly
    improvements in traffic selector code
  kernel interface accepts v6 traffic selectors and hosts
  host_t class has full IPv6 support
added stddef.h include for compilers which do not support the offsetof() directive
moved interface enumeration code to socket, where it belongs
query interfaces every time we need it to respect changes in network config
added address listing on startup and "ipsec statusall"
version bump of UML kernel to 2.6.17.11
fixed crash bug when doing "ipsec down" with an unknown connection
added name property in CHILD_SA, allows proper status output
fixed bug which prevented port float when nat is detected
version bumps
'sha' and 'sha1' are now treated as synonyms
updated Changelog and other docs


 strongswan-4.0.3 / R:1235 
===========================

fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD)
implement proper handling of most simultaneous IKE_SA rekeying cases
version bump to 4.0.3
implemented proper refcounting using atomic operations
implemented IKE_SA rekeying
	uses ikelifetime, rekeymargin and rekeyfuzz config settings
	no handling of simultaneus exchanges yet!
added possibility to route CHILD_SAs, without to set them up
	support for auto=route parameter
	support for ipsec route and ipsec unroute
	initiating of CHILD and/or IKE_SAs based on kernel acquires
reuse an existing IKE_SA to set up additional CHILD_SAs
introduced refcounting on policy and connections
	aren't stored in the IKE_SA anymore, they are queried on the fly
	are immutable now, allows it to share them
policy selection based on traffic selectors, leads to valid lookup results
	rekeying queries the policy based on its traffic selectors
cleanups in kernel interface code
added proper traffic selector to string conversion
some cleanups here & there
X.509 certificate trust path verification
added
fixed UDP decapsulation by adding inbound bypass policy for send socket
updated mixed tests to new charon output
corrected DPD entry
reenabled module tests for charon
fixed bug which erroneously detected KE payload when rekeying
added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
improved logging on verify errors for some payloads
enforcing IKE_SA shutdown, even when transactions are outstanding
proper reject of CREATE_CHILD_SA message with KE payload
added test cases from NAT team
updated all IKEv2 tests to work with new status output
added tcpdumpcount function from NATT guys
added possibility to mount the strongswan tree into all UMLs
added script for installing from shared tree in all UMLs
added script to shut down all UMLs properly
removed in favour of tests from NAT team
fixed CREATE_CHILD_SA transaction dispatching
added CHILD_SA states, which allows us to detect further simultaneous transactions
reimplemented the buggy message id handling
updated some inline docs
fixed crypter/signer in/out to conform with standard
fixed payload order
added message id logging
added all currently known notify payload types
added policy cache to kernel interface
	allows refcounting of multiple installed policies
	finally brings us stable simultaneous rekeying
leak detective blanks memory on free & alloc, allows further membug detection
code cleanups
identification_t.matches() supports multiple wildcard counts
identification_t.matches() supports multiple wildcard counts
further work done for simultaneous rekeying/delete
	still some cases which cause trouble
fixed compiler warnings in parser when using -O2
reenabled check_expiry
updated copyright information
reimplemented CHILD_SA rekeying & delete
	no simultanous transaction with CHILD_SAs yet!
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
removed NAT_TRAVERSAL compile option
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
added
updated NEWS
added support for leftprotoport and rightprotoport
improved CHILD_SA output for "ipsec statusall"
updated whitelist (getprotobynumber)
redesigned IKE_SA using a transaction mechanism:
	removed old state machine
	reimplemented IKE_SA setup and delete
	implemented dead peer detection
	implemented keep-alives
	a lot of fixes
	no rekeying yet		
fixed compiler warnings
made thread ids unsigned again, to avoid negative thread ids on some systems
fixed memleak when initiating a connection already up
updated leak detective whitelist
applied latest NATT patch with some fixes and cleanups
test currently without firewall
added
added
added
removed
removed version information from ipsec.conf
log entries start with lowcercase character
restored lost IKEv2 packet suppression
added USE_LEAK_DETECTIVE option
fixed natd_hash memory leak
tests with subdirectory structure
removed tests
introduced subdirectory structure
support of cert payloads
lowercase log entries
distributed by ITA
added support of updown parameter
generation of default key
cosmetics
added support of updown parameter
version bump to 4.0.2
added X.509 trust chain verification
version bump to 4.0.2
ESP packet size changed
fixed bad_proposal_syntax bug
updated ingorelist for stroke_keywords.c
applied new changes from NATT team
	DPD only done when no IPsec and IKE traffic processed
	minor changes here and there
some message code cleanups
fixed identification_t clone to apply function pointers
cleaner error handling on UDP encapsultion sockopt failure
added mysterious UDP encapsulation socket option to get encapsulation working
fixed BAD_PROPOSAL_SYNTAX vulnerability
first merge of NATT code
fixed testing build
updated for 4.0.1 release
updated news for 4.0.1 release
fixed whitelist detection


 strongswan-4.0.1 / R:1144 
===========================

fixed whitelist detection
reworked function ignore mechanism to not-report whitelist
  rather than overriding functions
fixed execv call args to work when using strictcrl and syslog
fixed bug: usage of already freed mem
readded local_credential_store
added sendcert policy to connection
some other cleanups
implemented rereadcrls rereadcacerts
implemented rereadcrls rereadcacerts
implemented rereadcrls rereadcacerts
removed local_credential_store
fixed SPI when acting as initiator of rekeying
fixed SPI when rekeying and deleting CHILD_SAs
change key derivation order to fullfill RFC
added crl support
added listcrls
added chunk_equals_or_null()
added crl support
changed tabs from 8 to 4 spaces
added crl support
cosmetics
cosmetics (space)
fixed compilation error
updated for release
fixed aes code, we support now aes128, aes192, aes256 in IKE
added support for "ike" and "esp" keywords
fixed bugs in proposal code
algorithm selection for charon works now with ipsec.conf
a lot of other fixes
implemented clean spi allocation behavior when using multiple proposals
fixed logleve(l) keyword typo
handling of "rekey=no" parameter added
changed default algorithms to:
  ike: aes128-sha-modp2048
  esp: aes128-sha1, 3des-md5
added default CRL directory path
added strictcrlpolicy command line argument
added option parsing
added local CRLs
added rekeying parameters
corrected some descriptions
moved RSA key size constraints to definitions.h
fixed down keyword
debug and logging improvements
support for stroke listcerts|listcacerts|listcrls|listall
support for stroke listcerts|listcacerts|listall and left|rightca=
gperf creates optimum hash table for stroke keywords
using same reqid if a child sa rekeys an existing one
NULL string argument is treated as %any
add_certificate() now returns pointer to added cert
cosmetics
single tests now start up faster
workaround for peers rekeying at the same time
loading lifetime policies from ipsec.conf
old child_sa gets deleted after rekeying
rekeying almost complete, but:
	IKE_SA get in an invalid state when both initiate rekeying at the same time,
corrected type
improved kernel interface logging
fixed clone/destroy behavior when not using CAs
specifying keysize in bits, as it is required in IKEv2
added generic kernel SA algorithm handling, which brings us:
        aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
added support for leftsendcert= and left|rightca= parameters
discard cert if CA basic constraints flag is not set and warn if cert is not valide
added public methods is_ca() and is_valid()
changed ASN.1 CONTROL log output to LEVEL2
cosmetics
removed unused Makefile
stroke.h requires libstrongswan/types.h
fixed compile warnings when using -Wall
further CHILD_SA rekeying work done:
	creation of a new CHILD_SA on a expire from a kernel works
	delete of old CHILD_SA still missing
	some issues when both initiate rekeing 
updated INSTALL to conform with autotools
added a short HACKING introduction
further work for rekeying:
  get liftimes from policy
  added new state
  initiation of rekeying done
proposal redone:
  removed support for AH+ESP proposals
proper leak detective hook for realloc
excluded pthread_setspecific from leak detective
fixed a memleak
cosmetics
ipv6-host2host scenario added
created IPv6 environment
job management:
  moved job code from thread_pool to job, jobs have an "execute" method now
  added two new jobs: delete_child_sa & rekey_child_sa
kernel interface:
  listens now for ACQUIRE & EXPIRE
  supports hard and soft lifetimes
  fires jobs for delete and rekey child sa
ike sa manager:
  can checkout IKE SAs by requid of owned CHILD SAs
we have now the infrastructure to do the rekeying... :-)
fixed some memleaks/freebugs
leak detective works almost usable now (?!)
added host2host test for ikev2
fixed host-host tunnel traffic selection, host-host works now
bug fixed circumventing an assertion in delete_connection when ikev1 is not set
minimized prefixed on stroke logger output
charon outputs strongSwan version
tests with subjectAltNames now
fixed event queue for events >36min
included charons module tests to build & dist
full support of ikev1 and ikev2 connection flags
cosmetics in log_status output
use of streq
added testing files to dist
  required the use of the "ustar" format to support 
  filenames longer than 99 chars
lookup of private key based on keyid of public key
new functions to add certificates and retrieve private and public keys
changed log level
list ca certificates
computation of SHA-1 hash over publicKeyInfo object
moved abbreviated thread_id in front of brackets
added has_key parameter to log_certificates()
log_certificates() now shows keyid and availability of matching private key
indented loaded file log entry
moved TIMETOA_BUF definition to types.h
moved TIMETOA_BUF definition from asn1.h
define default CA_CERTIFICATE_DIR
load all ca certificates
fixed daemon destruction order to prevent
  crashes on termination
fixed memleak when deleting a connection
updated todo list
policies contain a connections name now
  used for initiate and delete
connections won't get initiated twice anymore
deleting of connections is now possible, which allows us to use
  ipsec update and ipsec reload
changed iterator->remove behavior
ipsec up|down|route|delete require a connection name
stroke now uses constant size string buffer
changed to standard connection log output
reworked parsing and matching of subjectAltNames
added memeq() macro
moved timetoa() from asn1.c to types.c
corrected type
some logging improvements and cosmetics
handle IKE_SA setup without a piggy-packed CHILD_SA
  more IKEv2 conform
initiate IKE_SA deletion befor manager destruction
improved code of chunk_equals
added streq() macro and defined default BUF_LEN
typo
build gets perl and gperf from configure now
moved built sources to maintainer-clean
show connection templates in status & statusall
don't complain on termination of IKEv1 connections
updated ipsec.conf manual to reflect actual state of
  keyexchange-parameter
using hubs instead of switches, which allows us
  to sniff the traffic from the host system.
changed config load strategy:
  starter loads both connections in charon & pluto,
  charon ignores anything with keyexchange!=ikev2.
  pluto needs the same behavior.
 changed build order to fix build error after distclean
load_end_certificate() now loads certificates
cosmetics
moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber
moved definition of generalNames_t to identification.h
corrrected description
reimplemented proper IKE SA deletion using a seperate state,
  should conform now to IKEv2
fixed build when using --enable-leak-detective
added removed files to svn:ignore
fixed bug in pluto/Makefile.am
removed perl-generated oid.c/h from svn,
  added them to "dist" and "distclean"
removed lex, yacc and gperf output from svn,
  added them to "dist" and "distclean"
storing release revision in svn property "release-revision", because I forget it all the times
fixed ignorelist, should work now
added ingorelist for builded files
re-added doxygen apidoc, buildable with "make apidoc"
added missing ipsec.conf.5 to distribution :-/
fixed another typo
added missing ipsec.conf ipsec.conf.5
existing ipsec.conf won't get overwritten anymore
fixed typo in Makefile which corrupted the build
applied patch from the NAT-T team fixing several typos
applied patch from andreas, which allows certificate listing via stroke
added ipsec.conf template and man page back
removed old Makefiles
added new strongswan KDevelop project & startup hack
fixed Revision in changelog fo 4.0.0
started ChangeLog
simple script for ChangeLog update via "svn log"
fixed compliation error using --enable-smartcard
added test for ikev1-ikev2 mixed mode
added test ikev2 roadwarrior scenario
applied andreas's patch
  logger output improvements
  testin gupdates
  and a lot more
updated testsuite to autotools
added random source ./configure options
fixed default-pkcs11 option
testcommit
fixed errors when --enable-pkcs11
added autogen script
introduced autotools
  first working version
  make dist should work
  things to do:
    UML testing!
    more cleanups
fixed build
started to rebuild source layout
fixed stroke error output to starter
using random SPIs now, but without collision checks
applied some -W's from strongswan
fixed that warnings
removed IKEV2 ifdefs
applied patch from andreas
  added charonstart option to config
  new ikev2 tests for UML

 strongSwan-4.0.0 / R:967
==========================

removed IKEV2 ifdefs
applied patch from andreas
  added charonstart option to config
  new ikev2 tests for UML
applied patch from andreas
  pem loading
  secrets file parsing
  ikev2 testcase
  some other additions here and there
connection termination is handled cleanly by name now
fixed bad bug, certs load now cleanly again
fixed make install (subdir order)
fixed include path
added missing script
finished initial import of strongswan file tree
removed a lot of old and unused stuff
moved RFCs from ikev2 into doc dir
added missing files for starter
applied patch for charon (this time really)
import of strongswan-2.7.0
applied patch for charon
renamed get_block_size of hasher
reworked usage of IDs in various states
using ID_ANY for any, not NULL as before
initiator sends IDr payload in IKE_AUTH when ID unique
fixed charon checks
using status & statusall
patch for 2.7.0 
add connection names to connections
stroke status / ipsec status shows them
added statusall for stroke
added status by connection name
some tests repaired, more to come
fixed spi conversion
improved "stroke status" output
setup PID file after daemon initilization, to correctly inform
  starter about daemon startup
added separate implementation for connection_store, credential_store, policy_store
added folder structure to config
credentials are fetched solely on IDs now
identification_t supports now almost all id types
x509 certificates work with identification_t now
fixes here, fixes there
fixed doxygen build
seperates now in lib and charon
library initialization done at a central point (library.c)
some leak_detective fixes
updated Todos
fixed log-to-syslog behavior
added patch against strongswan-2.6.4
x509 certificate loading with pluto asn1 code
x509 needs a lot more attention!
renamed some files
using asn1 pluto stuff now
removed, since we use pluto asn1 stuff
leak detective is usable, but does not show static function names
  a script which gets address via ldd and resolves address via addr2line would be nice
fixed a leak in child_sa with new detective ;-)
some improvements to new asn1 stuff
to be continued
fixed bad bugs in kernel interface
added some logging info
works now much more stable
startet importing pluto ASN1 stuff
der PKCS#1 key loading works (as it did with der_decoder)
split up in libstrong, charon, stroke, testing done
new leak detective with malloc hook in library
  useable, but needs improvements
logger_manager has now a single instance per library
  allows use of loggers from any linking prog
a LOT of other things
../svn-commit.tmp
added misssing stroke.h
improved strokeing
  down connection
  status
some other tweaks
rewrote a lot of RSA stuff
done major work for ASN1/decoder
allow loading of ASN1 der encoded private keys, public keys and certificates
extracting public key from certificates
passing certificates from stroke to charon
=> basic authentication with RSA certificates works!
starter work on asn1 with der de/encoder
RSA private and public key can load read key from ASN1 DER
some other fixes here and there
rewrite of logger_manager, uses now one instance per context
cleanups for logger here and there
removed critical flag check in payload verification (conformance to IKEv2)
so thats and theres everywere... ;-)
patch for strongswan-2.6.3
added charon support for strongswan build process
ipsec starter supports charon startup and control
removed old diploma thesis scripts
some cleanups
compatibility to strongswan, Makefile can be called by "make programs"
  and "make install" (ikev2 patch must be applied to strongswan)
first version of stroke control utility
moved output to doc/api, since doc is used for other docs now
some first documentation in english
removed old eclipse project files
works quite well now with ipsec.conf & ipsec starter
belongs to previous commit ;-)
reworked configuration framework completly
configuration is now split up in: connections, policies, credentials and daemon config
further alloc/free fixes needed!
first attempt for connection loading and starting via "stroke"
some improvements here and there
configuration_manager replaced by configuration_t interface
current configuration_manager is now static_configuration (testing)
first draft of starter_configuration, which should once interact with ipsec starter (via whack?)
some cleanups
socket_t uses RAW socket, which allows parallel service of pluto/charon
comments and cleanups
working policy installation and removal
fixed policy setup bug
proposal setup implementation begun
fixed socket code, so we know on which address we receive traffic
AH/ESP setup in kernel is working now!!! :-)))
installing of child sa works
need correct IP adresses to actually use IPsec
new RFCs of IKEv2, IKEv2 algs and IPSec arch added
update of IKEv2 clarification document
refactored ike proposal
uses now proposal_t, wich is also used by child proposals
ike key derivation refactored
crypter_t api has get_key_size now
some other improvements here and there
config uses uml hosts alice and bob
key derivation for child_sa works
some fixes here and there
fixed memleaks
works with new proposal code
still some(!) memleaks
fixed alot of bugs in child_proposal
near to working state ;-)
dead end implementation

... there is a lot more of it, but nothing of interest