implemented NAT detection for IPv6

[strongswan.git] / ChangeLog

 strongswan-4.0.3 / R:1235 
===========================

fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD)
implement proper handling of most simultaneous IKE_SA rekeying cases
version bump to 4.0.3
implemented proper refcounting using atomic operations
implemented IKE_SA rekeying
        uses ikelifetime, rekeymargin and rekeyfuzz config settings
        no handling of simultaneus exchanges yet!
added possibility to route CHILD_SAs, without to set them up
        support for auto=route parameter
        support for ipsec route and ipsec unroute
        initiating of CHILD and/or IKE_SAs based on kernel acquires
reuse an existing IKE_SA to set up additional CHILD_SAs
introduced refcounting on policy and connections
        aren't stored in the IKE_SA anymore, they are queried on the fly
        are immutable now, allows it to share them
policy selection based on traffic selectors, leads to valid lookup results
        rekeying queries the policy based on its traffic selectors
cleanups in kernel interface code
added proper traffic selector to string conversion
some cleanups here & there
X.509 certificate trust path verification
added
fixed UDP decapsulation by adding inbound bypass policy for send socket
updated mixed tests to new charon output
corrected DPD entry
reenabled module tests for charon
fixed bug which erroneously detected KE payload when rekeying
added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
improved logging on verify errors for some payloads
enforcing IKE_SA shutdown, even when transactions are outstanding
proper reject of CREATE_CHILD_SA message with KE payload
added test cases from NAT team
updated all IKEv2 tests to work with new status output
added tcpdumpcount function from NATT guys
added possibility to mount the strongswan tree into all UMLs
added script for installing from shared tree in all UMLs
added script to shut down all UMLs properly
removed in favour of tests from NAT team
fixed CREATE_CHILD_SA transaction dispatching
added CHILD_SA states, which allows us to detect further simultaneous transactions
reimplemented the buggy message id handling
updated some inline docs
fixed crypter/signer in/out to conform with standard
fixed payload order
added message id logging
added all currently known notify payload types
added policy cache to kernel interface
        allows refcounting of multiple installed policies
        finally brings us stable simultaneous rekeying
leak detective blanks memory on free & alloc, allows further membug detection
code cleanups
identification_t.matches() supports multiple wildcard counts
identification_t.matches() supports multiple wildcard counts
further work done for simultaneous rekeying/delete
        still some cases which cause trouble
fixed compiler warnings in parser when using -O2
reenabled check_expiry
updated copyright information
reimplemented CHILD_SA rekeying & delete
        no simultanous transaction with CHILD_SAs yet!
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
removed NAT_TRAVERSAL compile option
removed NAT_TRAVERSAL and VIRTUAL_IP compile options
added
updated NEWS
added support for leftprotoport and rightprotoport
improved CHILD_SA output for "ipsec statusall"
updated whitelist (getprotobynumber)
redesigned IKE_SA using a transaction mechanism:
        removed old state machine
        reimplemented IKE_SA setup and delete
        implemented dead peer detection
        implemented keep-alives
        a lot of fixes
        no rekeying yet         
fixed compiler warnings
made thread ids unsigned again, to avoid negative thread ids on some systems
fixed memleak when initiating a connection already up
updated leak detective whitelist
applied latest NATT patch with some fixes and cleanups
test currently without firewall
added
added
added
removed
removed version information from ipsec.conf
log entries start with lowcercase character
restored lost IKEv2 packet suppression
added USE_LEAK_DETECTIVE option
fixed natd_hash memory leak
tests with subdirectory structure
removed tests
introduced subdirectory structure
support of cert payloads
lowercase log entries
distributed by ITA
added support of updown parameter
generation of default key
cosmetics
added support of updown parameter
version bump to 4.0.2
added X.509 trust chain verification
version bump to 4.0.2
ESP packet size changed
fixed bad_proposal_syntax bug
updated ingorelist for stroke_keywords.c
applied new changes from NATT team
        DPD only done when no IPsec and IKE traffic processed
        minor changes here and there
some message code cleanups
fixed identification_t clone to apply function pointers
cleaner error handling on UDP encapsultion sockopt failure
added mysterious UDP encapsulation socket option to get encapsulation working
fixed BAD_PROPOSAL_SYNTAX vulnerability
first merge of NATT code
fixed testing build
updated for 4.0.1 release
updated news for 4.0.1 release
fixed whitelist detection


 strongswan-4.0.1 / R:1144 
===========================

fixed whitelist detection
reworked function ignore mechanism to not-report whitelist
  rather than overriding functions
fixed execv call args to work when using strictcrl and syslog
fixed bug: usage of already freed mem
readded local_credential_store
added sendcert policy to connection
some other cleanups
implemented rereadcrls rereadcacerts
implemented rereadcrls rereadcacerts
implemented rereadcrls rereadcacerts
removed local_credential_store
fixed SPI when acting as initiator of rekeying
fixed SPI when rekeying and deleting CHILD_SAs
change key derivation order to fullfill RFC
added crl support
added listcrls
added chunk_equals_or_null()
added crl support
changed tabs from 8 to 4 spaces
added crl support
cosmetics
cosmetics (space)
fixed compilation error
updated for release
fixed aes code, we support now aes128, aes192, aes256 in IKE
added support for "ike" and "esp" keywords
fixed bugs in proposal code
algorithm selection for charon works now with ipsec.conf
a lot of other fixes
implemented clean spi allocation behavior when using multiple proposals
fixed logleve(l) keyword typo
handling of "rekey=no" parameter added
changed default algorithms to:
  ike: aes128-sha-modp2048
  esp: aes128-sha1, 3des-md5
added default CRL directory path
added strictcrlpolicy command line argument
added option parsing
added local CRLs
added rekeying parameters
corrected some descriptions
moved RSA key size constraints to definitions.h
fixed down keyword
debug and logging improvements
support for stroke listcerts|listcacerts|listcrls|listall
support for stroke listcerts|listcacerts|listall and left|rightca=
gperf creates optimum hash table for stroke keywords
using same reqid if a child sa rekeys an existing one
NULL string argument is treated as %any
add_certificate() now returns pointer to added cert
cosmetics
single tests now start up faster
workaround for peers rekeying at the same time
loading lifetime policies from ipsec.conf
old child_sa gets deleted after rekeying
rekeying almost complete, but:
        IKE_SA get in an invalid state when both initiate rekeying at the same time,
corrected type
improved kernel interface logging
fixed clone/destroy behavior when not using CAs
specifying keysize in bits, as it is required in IKEv2
added generic kernel SA algorithm handling, which brings us:
        aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
added support for leftsendcert= and left|rightca= parameters
discard cert if CA basic constraints flag is not set and warn if cert is not valide
added public methods is_ca() and is_valid()
changed ASN.1 CONTROL log output to LEVEL2
cosmetics
removed unused Makefile
stroke.h requires libstrongswan/types.h
fixed compile warnings when using -Wall
further CHILD_SA rekeying work done:
        creation of a new CHILD_SA on a expire from a kernel works
        delete of old CHILD_SA still missing
        some issues when both initiate rekeing 
updated INSTALL to conform with autotools
added a short HACKING introduction
further work for rekeying:
  get liftimes from policy
  added new state
  initiation of rekeying done
proposal redone:
  removed support for AH+ESP proposals
proper leak detective hook for realloc
excluded pthread_setspecific from leak detective
fixed a memleak
cosmetics
ipv6-host2host scenario added
created IPv6 environment
job management:
  moved job code from thread_pool to job, jobs have an "execute" method now
  added two new jobs: delete_child_sa & rekey_child_sa
kernel interface:
  listens now for ACQUIRE & EXPIRE
  supports hard and soft lifetimes
  fires jobs for delete and rekey child sa
ike sa manager:
  can checkout IKE SAs by requid of owned CHILD SAs
we have now the infrastructure to do the rekeying... :-)
fixed some memleaks/freebugs
leak detective works almost usable now (?!)
added host2host test for ikev2
fixed host-host tunnel traffic selection, host-host works now
bug fixed circumventing an assertion in delete_connection when ikev1 is not set
minimized prefixed on stroke logger output
charon outputs strongSwan version
tests with subjectAltNames now
fixed event queue for events >36min
included charons module tests to build & dist
full support of ikev1 and ikev2 connection flags
cosmetics in log_status output
use of streq
added testing files to dist
  required the use of the "ustar" format to support 
  filenames longer than 99 chars
lookup of private key based on keyid of public key
new functions to add certificates and retrieve private and public keys
changed log level
list ca certificates
computation of SHA-1 hash over publicKeyInfo object
moved abbreviated thread_id in front of brackets
added has_key parameter to log_certificates()
log_certificates() now shows keyid and availability of matching private key
indented loaded file log entry
moved TIMETOA_BUF definition to types.h
moved TIMETOA_BUF definition from asn1.h
define default CA_CERTIFICATE_DIR
load all ca certificates
fixed daemon destruction order to prevent
  crashes on termination
fixed memleak when deleting a connection
updated todo list
policies contain a connections name now
  used for initiate and delete
connections won't get initiated twice anymore
deleting of connections is now possible, which allows us to use
  ipsec update and ipsec reload
changed iterator->remove behavior
ipsec up|down|route|delete require a connection name
stroke now uses constant size string buffer
changed to standard connection log output
reworked parsing and matching of subjectAltNames
added memeq() macro
moved timetoa() from asn1.c to types.c
corrected type
some logging improvements and cosmetics
handle IKE_SA setup without a piggy-packed CHILD_SA
  more IKEv2 conform
initiate IKE_SA deletion befor manager destruction
improved code of chunk_equals
added streq() macro and defined default BUF_LEN
typo
build gets perl and gperf from configure now
moved built sources to maintainer-clean
show connection templates in status & statusall
don't complain on termination of IKEv1 connections
updated ipsec.conf manual to reflect actual state of
  keyexchange-parameter
using hubs instead of switches, which allows us
  to sniff the traffic from the host system.
changed config load strategy:
  starter loads both connections in charon & pluto,
  charon ignores anything with keyexchange!=ikev2.
  pluto needs the same behavior.
 changed build order to fix build error after distclean
load_end_certificate() now loads certificates
cosmetics
moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber
moved definition of generalNames_t to identification.h
corrrected description
reimplemented proper IKE SA deletion using a seperate state,
  should conform now to IKEv2
fixed build when using --enable-leak-detective
added removed files to svn:ignore
fixed bug in pluto/Makefile.am
removed perl-generated oid.c/h from svn,
  added them to "dist" and "distclean"
removed lex, yacc and gperf output from svn,
  added them to "dist" and "distclean"
storing release revision in svn property "release-revision", because I forget it all the times
fixed ignorelist, should work now
added ingorelist for builded files
re-added doxygen apidoc, buildable with "make apidoc"
added missing ipsec.conf.5 to distribution :-/
fixed another typo
added missing ipsec.conf ipsec.conf.5
existing ipsec.conf won't get overwritten anymore
fixed typo in Makefile which corrupted the build
applied patch from the NAT-T team fixing several typos
applied patch from andreas, which allows certificate listing via stroke
added ipsec.conf template and man page back
removed old Makefiles
added new strongswan KDevelop project & startup hack
fixed Revision in changelog fo 4.0.0
started ChangeLog
simple script for ChangeLog update via "svn log"
fixed compliation error using --enable-smartcard
added test for ikev1-ikev2 mixed mode
added test ikev2 roadwarrior scenario
applied andreas's patch
  logger output improvements
  testin gupdates
  and a lot more
updated testsuite to autotools
added random source ./configure options
fixed default-pkcs11 option
testcommit
fixed errors when --enable-pkcs11
added autogen script
introduced autotools
  first working version
  make dist should work
  things to do:
    UML testing!
    more cleanups
fixed build
started to rebuild source layout
fixed stroke error output to starter
using random SPIs now, but without collision checks
applied some -W's from strongswan
fixed that warnings
removed IKEV2 ifdefs
applied patch from andreas
  added charonstart option to config
  new ikev2 tests for UML

 strongSwan-4.0.0 / R:967
==========================

removed IKEV2 ifdefs
applied patch from andreas
  added charonstart option to config
  new ikev2 tests for UML
applied patch from andreas
  pem loading
  secrets file parsing
  ikev2 testcase
  some other additions here and there
connection termination is handled cleanly by name now
fixed bad bug, certs load now cleanly again
fixed make install (subdir order)
fixed include path
added missing script
finished initial import of strongswan file tree
removed a lot of old and unused stuff
moved RFCs from ikev2 into doc dir
added missing files for starter
applied patch for charon (this time really)
import of strongswan-2.7.0
applied patch for charon
renamed get_block_size of hasher
reworked usage of IDs in various states
using ID_ANY for any, not NULL as before
initiator sends IDr payload in IKE_AUTH when ID unique
fixed charon checks
using status & statusall
patch for 2.7.0 
add connection names to connections
stroke status / ipsec status shows them
added statusall for stroke
added status by connection name
some tests repaired, more to come
fixed spi conversion
improved "stroke status" output
setup PID file after daemon initilization, to correctly inform
  starter about daemon startup
added separate implementation for connection_store, credential_store, policy_store
added folder structure to config
credentials are fetched solely on IDs now
identification_t supports now almost all id types
x509 certificates work with identification_t now
fixes here, fixes there
fixed doxygen build
seperates now in lib and charon
library initialization done at a central point (library.c)
some leak_detective fixes
updated Todos
fixed log-to-syslog behavior
added patch against strongswan-2.6.4
x509 certificate loading with pluto asn1 code
x509 needs a lot more attention!
renamed some files
using asn1 pluto stuff now
removed, since we use pluto asn1 stuff
leak detective is usable, but does not show static function names
  a script which gets address via ldd and resolves address via addr2line would be nice
fixed a leak in child_sa with new detective ;-)
some improvements to new asn1 stuff
to be continued
fixed bad bugs in kernel interface
added some logging info
works now much more stable
startet importing pluto ASN1 stuff
der PKCS#1 key loading works (as it did with der_decoder)
split up in libstrong, charon, stroke, testing done
new leak detective with malloc hook in library
  useable, but needs improvements
logger_manager has now a single instance per library
  allows use of loggers from any linking prog
a LOT of other things
../svn-commit.tmp
added misssing stroke.h
improved strokeing
  down connection
  status
some other tweaks
rewrote a lot of RSA stuff
done major work for ASN1/decoder
allow loading of ASN1 der encoded private keys, public keys and certificates
extracting public key from certificates
passing certificates from stroke to charon
=> basic authentication with RSA certificates works!
starter work on asn1 with der de/encoder
RSA private and public key can load read key from ASN1 DER
some other fixes here and there
rewrite of logger_manager, uses now one instance per context
cleanups for logger here and there
removed critical flag check in payload verification (conformance to IKEv2)
so thats and theres everywere... ;-)
patch for strongswan-2.6.3
added charon support for strongswan build process
ipsec starter supports charon startup and control
removed old diploma thesis scripts
some cleanups
compatibility to strongswan, Makefile can be called by "make programs"
  and "make install" (ikev2 patch must be applied to strongswan)
first version of stroke control utility
moved output to doc/api, since doc is used for other docs now
some first documentation in english
removed old eclipse project files
works quite well now with ipsec.conf & ipsec starter
belongs to previous commit ;-)
reworked configuration framework completly
configuration is now split up in: connections, policies, credentials and daemon config
further alloc/free fixes needed!
first attempt for connection loading and starting via "stroke"
some improvements here and there
configuration_manager replaced by configuration_t interface
current configuration_manager is now static_configuration (testing)
first draft of starter_configuration, which should once interact with ipsec starter (via whack?)
some cleanups
socket_t uses RAW socket, which allows parallel service of pluto/charon
comments and cleanups
working policy installation and removal
fixed policy setup bug
proposal setup implementation begun
fixed socket code, so we know on which address we receive traffic
AH/ESP setup in kernel is working now!!! :-)))
installing of child sa works
need correct IP adresses to actually use IPsec
new RFCs of IKEv2, IKEv2 algs and IPSec arch added
update of IKEv2 clarification document
refactored ike proposal
uses now proposal_t, wich is also used by child proposals
ike key derivation refactored
crypter_t api has get_key_size now
some other improvements here and there
config uses uml hosts alice and bob
key derivation for child_sa works
some fixes here and there
fixed memleaks
works with new proposal code
still some(!) memleaks
fixed alot of bugs in child_proposal
near to working state ;-)
dead end implementation

... there is a lot more of it, but nothing of interest