forked from xelerance/Openswan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCHANGES
2205 lines (2086 loc) · 122 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Note that listings are in chronological order of release times, not in order
of version numbers, so you will find 2.5.x and 2.6.x releases intersperced.
See also docs/KNOWN_BUGS.txt and https://github.com/xelerance/Openswan/issues
v2.6.48 (June 6, 2016)
Bug fix release.
* fix leak error found by travis [MCR]
* some minor fixes to unit test cases as a result of merge and travis testing [MCR]
* Fixing compile error when HAVE_STATSD=true is set. [Samir Hussain]
* ipsec eroute connections number kept increased. [freedai]
* Update ipsec_proc.c [freedai]
* Update pfkey_v2.c [freedai]
* Providing more meaningful name to variable that will get modified via sed [Samir Hussain]
* For debian packages, we need to have a tilda (~) between version and
rc/dr in order to do proper versioning [Samir Hussain]
* Minor spelling fixes [Samir Hussain]
* Fixing issue with missing OCF symbols when trying to modprobe KLIPS on
Trusty [Samir Hussain
* convince compiler that j is never too big [MCR]
* const-ify as many spd_eroute arguments as possible [MCR]
* update some dependancy headers [MCR]
* update test case to expect AUTHENTICATION_FAILURE, rather than NO_PROPOSAL_CHOSEN [MCR]
* reject connections that have a version mismatch using AUTHENTICATION_FAILED [MCR]
* test case to check that IKEv2 is reject with a message of AUTHENTICATION_FAILED [MCR]
* verify that correct IKEv1 notify is sent when IKEv1 is disabled [MCR]
* when looking for a connection, determine if a different connection would
be returned if IKEv1/IKEv2 policy was ignored [MCR]
* permit notifications to be sent from complete_v1_state_transition even
when no state was created [MCR]
* added mytunnel-no-ikev1 [MCR]
* log number of whack messages processed to aid in debug of new unit tests [MCR]
* complain if a conn can not be found [MCR]
* missed three changes to policy dump from adding policy_clear [MCR]
* additional debug of policy, output for lset_clear policy search [MCR]
* with changes to find_host_connections2, the ikev1 packet is now properly rejected [MCR]
* find_host_connections2 now takes an lset of policies that must be clear [MCR]
* include complete_v1_state_transition when not doing IKEv1 processing [MCR]
* initialize wire_chunk_t in crypto_req using macro [MCR]
* added appropriate seams for responding to ikev1 messages, when no ikev1 permitted [MCR]
* protect against smc might be null when processing ikev1 packet [MCR]
* support receiving ikev1 messages in ikev2 receive test [MCR]
* mark include paths for headers moved to include directory [MCR]
* no-ikev1 tunnel case [MCR]
* new test case for process IKEv1 packets when only IKEv2 are expected [MCR]
* confirm output is an IKEv1 main mode init [MCR]
* move some nat-t headers to include/pluto, and permit them to be link-seamed out [MCR]
* removed main_outI1 from seam so that lp43 can use it [MCR]
* added lp43 - generate IKEv1 first packet [MCR]
v2.6.47.1 (May 10, 2016)
* guard against multiple inclusion of pluto/log.h (in order to build on CentOS) [MCR]
v2.6.47 (March 28, 2016)
Added feature to allow DNS query for external IP address of a gateway.
* Make certificate directories in correct place [MCR]
* Order of addconn and pluto is non-deterministic, so stick addconn output elsewhere [MCR]
* As a result of change to orient with family=0, this test case now binds an interface [MCR]
* With revision to permit left=%any, right=%defaultroute, and orient by
private key it is permissible to have a conn that does not specify a host
IP for "our side" [MCR]
* When looking for a matching interface, and conn family is 0, and both ends
are zero, just pick the first interface that matches on ports [MCR]
* Initial test case for loading connection with right=%defaultroute [MCR]
* Exit if connection not found, rather than core dump later [MCR]
* Clean out .o files [MCR]
* Test case on why defaultroute is not a valid IP address: discovered in
DrTaylorPlumage with ikev1-double-nat [MCR]
* Created functional test case for loading a mixed v6 in v4 conn [MCR]
* Created new test case for loading and orientating a mixed v6 in v4 conn [MCR]
* Added new keyword: endaddrfamily. renamed connaddrfamily to clientaddrfamily [MCR]
* Always look for v6 and v4 addresses in left/right=, updating the end-family
only if it was not set [MCR]
* Refactor lp07 so that it can be used by lp41 [MCR]
* Adjust build-every-rev to exit smarter [MCR]
* Permit unit test cases to cause returned addresses to be sorted [MCR]
* alg_info_ike leak is unstable [MCR]
* Some missing leaks [MCR]
* With port numbers in play, the desired_port may not be set, in which case, look for plutos port [MCR]
* Change log to indicate a match on IP, going along with match on private key [MCR]
* The NO_KERNEL interface type was originally intended for pluto functional
testing, and so it has some cruft related to not matching port numbers
against 500. This presents problems when unit testing with (fake) ports
other than 500, and so really the ignoring of port numbers should be a
seperately enabled feature, as the unit testing really needs to use the
actual NO_KERNEL interface, since it has no kernel [MCR]
* Added additional interface for port 4500 [MCR]
* Try to pick matching port when picking an interface [MCR]
* When picking an appropriate interface, make sure that the port numbers match [MCR]
* Updated test cases for logging of IP address in orient test [MCR]
* Turn off IPv6 since mock output code does not speak IPv6. [MCR]
* Bit a bit more flexible in where the address family comes from, and log the
resulting interface better [MCR]
* Fixed order of htons() and init_iface_port, and added include for inet_pton [MCR]
* Provide for optional INIT_LOADED to be called. Used in lp18 for assert [MCR]
* More extensive debug of orient() --- log which private key was found, and
also if the pick_interface was able to find an interface. Also change the
family searched for to be the (derived) value for the connection, rather
than the end [MCR]
* Provide example of how to translate enum to string for keyword_host [MCR]
* Updates to lp18 for revised debugging of orient [MCR]
* Use preformatted interface address [MCR]
* Pick an interface that matches the right family [MCR]
* Reformat comments [MCR]
* Added ip_oriented flag to indicate if orientation was bound to IP [MCR]
* Added init_iface_port to include setting of q->socktypename [MCR]
* lp31 discovered that addrtypeof, addrbytesptr and samaddr should be tolerant
of receiving a NULL [MCR]
* Changes to fmt_connection means that the nexthop for right=%any is no longer
guess/assumed or logged [MCR]
* The changes to the conn load verification for IKEv1 PSK right=%any should use
a left=%any, rather than an explicit address. [MCR]
* Change update_host_pair to return indicate of whether orient worked; as if
it did not then a different address might be in order. [MCR]
* Updates to unit test cases for socktypename addition [MCR]
* Added socknametype to iface_port structure so that socket family can easily be logged [MCR]
* Make it clear that IPHOSTNAME types are not v4 or v6, and should not
initialize the nexthop in any specific way, and should fit into the
right=%any checks for IKEv1 as well [MCR]
* Try to guess what kind of family the conn is, if the conn has a this or that
with a family set the host for the side that does not have a family to
that family [MCR]
* Try to set the address family from left or from right, if set. [MCR]
* Only diagnose an address-type mis-match if both sides are specified by a literal address [MCR]
* Check for core dumps. Write test case 2b into gdbinit file [MCR]
* Arbitrarily decide to use IPv6 ANY address when right is default route [MCR]
* Set the address type based upon which kind of address was parsed [MCR]
* Also validate that the conn is properly loaded into pluto [MCR]
* Correctly parse a site local (e.g. fec0::1) address [MCR]
* New test case to validate IPv6 site local addresses in left/right= [MCR]
* Log the string value involved in the debug of the looseenum [MCR]
* IPv6 address of cassidy.sandelman.ca actually did change [MCR]
* lp40 updated for DNS delayed rebase [MCR]
* find_ID_host_pair debug now includes dump of exact parameter [MCR]
* Check the orientations after the secrets are loaded, as
possession-of-private-key test needs private keys [MCR]
* Removed confusing comment [MCR]
* Changes to conn to be really h2h [MCR]
* Orient test which loads keys after conns [MCR]
* h2h should use host to host items [MCR]
* Added h2h and brokenspace as possible test cases for readwriteconf crash [MCR]
* Change connection list as per DNS changes to show IP address discovered [MCR]
* gcc 5.0 fixes [MCR]
* Reconciled leak of ID to fact that IDhost_pair is never freed [MCR]
* Update lp08 with proper CHILDSA_DEL name for state, after state_names added [MCR]
* Updated description to explain three unit subtests [MCR]
* There was a IDhost_pair leak, which was located, as one list was never
properly emptied as the clear_host_pair routine was incorrectly calling
the host_pair free routine when it meant to remove a connection from a list [MCR]
* Updated Makefile and explanation of how to get updated pcap file [MCR]
* Unit tests do not speak 3des-md5, modp1024 [MCR]
* Make sure the installed_time for a public key is set from regression controlled time [MCR]
* Updated parameters for test case to match files named after tests [MCR]
* A half-open, prospective_parent_sa that is in progress only gets priority
over new DNS answers, if the DNS query had an error [MCR]
* If no addresses are available from DNS yet, but there is a hint, then the
hint should be attempted [MCR]
* Protect connection_check_ddns1 against corrupt IPhp_next loops [MCR]
* Try to be smarter about when a connection is stuck: consider connections
which have never come up as well [MCR]
* Blacklist a bunch of replies for DNS lookups [MCR]
* In order to avoid DNS errors causing more DNS lookups, only do new DNS
lookups when there is a timeout --- other attempts will use additional
addresses only [MCR]
* Have adns return getaddrinfo()-style EAI errors, even for old nquery work [MCR]
* Be careful not to remove connections which were not yet added to host_pair [MCR]
* Output sanifier now removes kernel state numbers from output [MCR]
* Updated to reflect changes to debugging [MCR]
* Slight tweak to comment [MCR]
* Make sure to set the DNS list pointer upon receiving new answers [MCR]
* Guard against no connections in search routine [MCR]
* Added additional debugging to delayed DNS lookup continuation [MCR]
* Init generic CR before filling in DNS name so that qtid gets logged sanely [MCR]
* Keep track of states that are created to potentially bring up a parent SA.
This is needed to tell if there is an ongoing initiation for a delayed-DNS
effort, or if one should be made. Do not make an attempt to bring up the
conn unless the policy is set to UP. Use returned state number from the
initiate process to always get correct state in test harness [MCR]
* Make test validate that handle_adns_answer() does not cause conn to be set to UP [MCR]
* Make clean would clean up whackfile, so on reffile use, cp it to OUTPUT [MCR]
* Use return serial number to pull up correct serial number [MCR]
* Return state number for newly created states, as there is no way to
track them until they are authenticated [MCR]
* Fix lp33,lp34,lp35 to include seam_initiate, and show DNS name in status [MCR]
* Added missing test cases [MCR]
* Show ccache statistics [MCR]
* Try to do straight build first [MCR]
* Try to use ccache when building [MCR]
* Add make clean target [MCR]
* Slight adjustment to list of leaks [MCR]
* When doing DNS lookups, use the connaddr family as the hint as to what kind
of records to lookup (A vs AAAA) [MCR]
* Added seam_initiate and seam_adns appropriate to fix up tests [MCR]
* Do DNS lookup and then initiate connection [MCR]
* Whitespace changes [MCR]
* Split up sendI1 so continuation part can be called again [MCR]
* Move kick_adns_connection from dnskey to initiate [MCR]
* Reworked lp33 to include actual initiate and dns continuation code [MCR]
* Create kick_adns_connection routine so that DNS replies kick new
connections immediately [MCR]
* Copy parentI1 main code into lp33 and add aDNS steps [MCR]
* Added A and AAAA records to rr_typename [MCR]
* Remember if an end has a valid address when DNS lookups are delayed so
that we do not initiate until DNS lookups have had a chance [MCR]
* Rearranged a bunch of seam so that lp33 can import real adns code properly [MCR]
* Removed include of connections.c, use connections.o: add set of includes [MCR]
* Include seam_dnskey explicitly, as test case 33 will use real code [MCR]
* Updates after rebase [MCR]
* Add test case lp33 for dns delayed, when there is no hint [MCR]
* For unclear reasons the lookup of cassidy.sandelman.ca/KEY RR fails. Could
be due to obsolete RR? [MCR]
* Rename lp28-parentR2anychoice to lp32 to keep sequence [MCR]
* Rename lp27-IDhostpair to lp31 to keep sequence [MCR]
* Tweak lp30-dnskick [MCR]
* Tweak seam_log [MCR]
* Test pcap output now uses TESTNAME, so set it correctly [MCR]
* Clean up PID file, and create .gdbinit with arguments [MCR]
* Deal with some leaks; use stop_adns() properly to clear up children.
Make sure that ipanswers list, after sorting, is restored so that all
items get freed (affects regression testing) [MCR]
* Process each dns request before making a new one to keep order the same [MCR]
* Use sort_addr_info to canonicalize the output to deal with differences in gai.conf [MCR]
* Added make explicitly to package list [MCR]
* Use DBG_log to get consistent output [MCR]
* As structure is used as temporary, and copied, make sure to zero it first [MCR]
* Output results if failure [MCR]
* Adjust unit test cases for update_host_pair() seam. Rename lp28-dns to
lp30-dnskick, add needed canonicalization. Adjust output from moving
dump_addr_info() into pluto as it uses DBG_log() rather than printf(),
and outputs to stderr [MCR]
* Removed last vestiges of DYNAMICDNS and processing converted to IPHOSTNAME [MCR]
* Tweak adnstest [MCR]
* Process DNS getaddrinfo() replies, and attach them to continuation [MCR]
* Refactor dump_addr_info debug into seperate file [MCR]
* Cleanup leaks of addrinfo structures [MCR]
* Added test case for serialization/deserialization of addrinfo [MCR]
* Basic test case for looking up KEY RR; one success, one failure [MCR]
* Use standard openswan_log() for messages rather than syslog() [MCR]
* Make it easy to generate cpp processed files for inspection [MCR]
* Added new utility strtochunk() [MCR]
* Created adnstest case to validate operation of dnskey.c and adns.c [MCR]
* Small refactor of start_adns_query so that it can accept things other than struct id [MCR]
* Initial test case for dnslookups [MCR]
* Adjust comments on functions [MCR]
* Updated trace with IP address in hint [MCR]
* Do not include EF unless defined [MCR]
* Added seam for kick_adns_connection_lookup [MCR]
* Include gdb instructions for testing pluto [MCR]
* _pluto_adns is no longer seperate executable [MCR]
* Change definition of progname to const [MCR]
* Moved init_adns() call earlier, and make sure it exits properly [MCR]
* Make certificate directories; removed --adns path argument from help [MCR]
* Move test for SAref and SAbind into kernel.c [MCR]
* Added setproctitle() [from BSD licensed sendmail via pppd] and use it rather
than global_argv hack. Use setproctitle() in adns sub-process [MCR]
* Create dummy kick_adns_connection [MCR]
* _pluto_adns is no longer a seperate program, but is part of the pluto
executable, forked out for use. This makes it much easier for embedded
systems to have a sane (if simple) async DNS resolver. Future work will
switch to c-ares This patch also includes changing progname to a const
globally [MCR]
* Move whack out of pluto directory [MCR]
* Removed DYNAMIC DNS from whack client [MCR]
* Added lp27 to test list [MCR]
* Do not show hostname string if the host_type is IP address [MCR]
* Comment out I9 [MCR]
* Switch update order to make it run update1 first [MCR]
* Fix up lp06 test case to work [MCR]
* Remove LWRES support --- it broke awhile ago [MCR]
* Force ikev2 [MCR]
* If nexthop is invalid, then do not show it [MCR]
* Ipsecconf already included the hostname into a string, but now it needs
to include the hint as well. This code plus test cases probably produces
a whack file with the correct hint [MCR]
* Fix emacs variables [MCR]
* Gdb init for test case [MCR]
* Refactor lp02-parentI1, so it can be reused by lp27 [MCR]
* Obsolete is a qualifier for a keyword, not a type of keyword [MCR]
* Add functional/06 test case [MCR]
* Removed redundant kw_list->string member [MCR]
* Added processing of new loose_enum_arg type, added %dns and test it out
in a functional test [MCR]
* Figure out left/right-ness of keyword so that it can be logged better in errors [MCR]
* Added loose_enumarg processing [MCR]
* When setup properly, the h2hR2 test case works fine: just needs to have actual keys [MCR]
* Use parker end-point and parker secrets [MCR]
* h2h R2 packet processing - broken [MCR]
* Make output file parameterized by testname [MCR]
* h2h I2 packet processing [MCR]
* Make lp10 a template test case [MCR]
* Make output file parameterized by testname [MCR]
* h2h R1 packet processing [MCR]
* Process arguments more carefully [MCR]
* Added test case for h2h I1 [MCR]
v2.6.46 (January 22, 2016)
* Properly add IKESA_DEL state: added to state_names,
and create new event to delete the state after a timeout with no reply [MCR]
* When finding ID match with wildcard, bind tighter to exact matches [MCR]
* Split up same_id into same_id(wildcards) and same_exact_id(no wildcards) [MCR]
* When checking orientation, log result, and also reconnect to IDhostpair [MCR]
* Fix IP/ID free functions to clear a connection from the pairs
and then properly free the HP structure themselves [MCR]
* Log IDhost pair header values, not ones from the first connection [MCR]
* Some formatting tweaks to hostpair_list to make it easier to understand [MCR]
* Added listhostpairs option, fixed listevents description [MCR]
* The clear_IDhost_pair routine was complaining in list_rm()
as a result of an instance being created/copied from the parent, without
clearing the IDhost_pair link [MCR]
* Use SHA1_DIGEST_SIZE rather than incorrect sizeof() [MCR]
* Protected ietf_constants.h against multiple inclusion [MCR]
* Some code was duplicated due to refactoring that was backported: list_rm moved to hostpair.h [MCR]
* TIME_UTC is also defined in /usr/include/time.h, so pick a better name [MCR]
* GCC 5.0 complains about use of !same_chunk() because expansion of macro leaves it confused. Add () [MCR]
* Protect list_rm against ehead being null [MCR]
* Remove cleanup of IDhostpair links to hostpair.c,
and protect against the connection having never been on an ID hostpair [MCR]
* Fixed problem in check_connection_end where wrong end was tested for [MCR]
* As SPD Route may be manipulated before being erouted, the resulting eroute_owner setting is no longer propogated back into the connection
this patch sets all SPD routes which do not have other owners to this eroute [MCR]
* Log eroute operations more concisely, do it after they succeed/fail [MCR]
* Better logging of eroute_owner [MCR]
* Refactor show_connection_status so that it can use loglog or whacklog for output
moved log.h to pluto/log.h as unit test cases will need it [MCR]
* Log current date when processing events [MCR]
* Looks like a copy and paste error has lingered in the sourceip processing, causing the parser
to whomp on the nexthop if the sourceip is set [MCR]
* Log address inconsistencies with names rather than numbers [MCR]
* The address family determined by the outer addresses (right/left/nexthop) should not override address family
for inner items (rightsubnet/sourceip) [MCR]
* Fixed find_host_pair so that it finds right=%any matches correctly [MCR]
* Change listing to give IP/ID type on every bucket [MCR]
* Added option to readwriteconf to load all conns marked add/route/up [MCR]
* Document --listhostpairs debug option [MCR]
* Possible fix for IKEv2 issues when built with libnss [MCR]
* Return proper IKEv2 Notify when authentication fails due to wrong ID [MCR]
* Make sure that host_type is initialized [MCR]
* Take care of deleting IDhostpair when connection is deleted [MCR]
* Use IDhost_pair list to find appropriate conn by ID [MCR]
* Added IDhostpair support [MCR]
* Initial work on creating a hostpair list by ID [MCR]
* Added listing of hostpairs to available whack debugs [MCR]
* INVALID_MSGID becomes -1 on 32-bit, but not on 64, so translate it better [MCR]
* Rename host_pair to IPhost_pair in preperation to adding IDhost_pair [MCR]
* Remove file that was accidentally committed [Simon Deziel]
* Debian: update patch list file [Simon Deziel]
* Debian: bump standards version to 3.9.6 (no change required) [Simon Deziel]
* Debian: drop dpatch (obsolete) [Simon Deziel]
* Split up IKEv2 RSA verification into nss and non-nss versions [MCR]
* Move try_RSA_signature_v1 to seperate file [MCR]
* When loading conn, process alsoflip= as well [MCR]
* Refactor also processing so it can be applied to alsoflip [MCR]
* Fixing minor typo and spelling mistakes. [Samir Hussain]
* Refactor whack_listen processing to seperate function for unit testing
Added called to check_orientations() after discovery of new interfaces [MCR]
* Log the connection name for each IPhostpair that is being compared to [MCR]
* lp24-certreply dave discovered that find_host_pair was still wrong.
Rewrote find_host_pair again to with bestpair mechanism to get it right [MCR]
* Updating man page in order to remove manual option from auto keyword
(it is no longer supported) [Samir Hussain]
v2.6.45 (August 27, 2015)
This release fixes CVE-2015-3240 (IKE DoS)
* Minor compile tweaks that were missed at cottage [MCR]
* Possible fix for CVE-2015-3240: if KE payload is 0, then
exponentiation fails, tripping a passert for nss [MCR]
v2.6.44 (August 13, 2015)
Massive bug patch and IKEv2 processing fixes by MCR
* Potential fix for #4285 - make sure kernel.c uses correct destination for outgoing SPD when responding to an initiator/32 [MCR]
* Change negotiated tunnel message to be clearer with IPv6 addresses [MCR]
* Using short notation, using GNUmakefile notdir, and making sure that $< will
reference the right file by making explicit %.c->%.o rule. [Jason]
* Show the connection name when the state is found, provide a way to nicely dump a single state to debug log [MCR]
* Change find_host_pair so that it knows if it is creating a new host pair, as host pairs that have right=%any will always match [MCR]
* Tweak CA business so that correct CA is loaded, it is referenced correctly, the correct ID is used to lookup the CA [MCR]
* Make sure that certificate file name is properly terminated [MCR]
* Use a mcro to set SIN_LEN [MCR]
* Added st_peer_id to store decode ID from inside I2 message [MCR]
* Added fmt_connection_inst_name [MCR]
* Add additional way to orient: me defaultroute with other end not having private key [MCR]
* Make passing pass_prompt_t into key loading function officially optional [MCR]
* Cope with a NULL prompt_pass, make something up to store passphrase if necessary [MCR]
* Adopted some kernel_netkey.c fixes from libreswan, and added some debug of port numbers [MCR]
* Reset the remote port number to 0, as lack of client should indicate lack of port numbers (XXX maybe not) [MCR]
* rw_instantiate needs to take remote address from state [MCR]
* Simplify evaluation of when we need to instantiate templates: all conns that
are templates should be instantiated [MCR]
* Log why connection was marked as a template [MCR]
* Added explicit struct end that to ipsec installation to deal with rightsubnet=%self situation [MCR]
* find_client_connection can use endclient too [MCR]
* Note better when find_host_pair() is done [MCR]
* Replace series of our_net/peer_net + protocol/port arguments with struct end. [MCR]
* Use endclienttot() to format things in more places [MCR]
* Use endclienttot() to print fc_try debug [MCR]
* Added enddclienttot() function to format end->client, taking into account that the host_type might be %any [MCR]
* Need to set send_whack_msg to a value even if ctlbase is going to default [MCR]
* Log when there is no send_whack_msg function [MCR]
* Do not even try to use libnss for certain non-critical PEM related 3DES operations [MCR]
* Make sure that st_localaddr and st_localport is setup based upon where we observe traffic to flow
this information is used when has_client=0, and we are really proposing a conn for self. [MCR]
* If end has no client, then set end to appropriate value from state [MCR]
* Correctly return no proposal chosen when the initiator suggests 0.0.0.0->0.0.0.0,
which previously matched encoding for %any [MCR]
* When IKEv2 has right=%any, the remote address and port needs to be recorded into the state [MCR]
* Use macro for -lefence so that it can be globablly turned off [MCR]
* Write record number in debug output from readwriteconf [MCR]
* Send public keys before policy [MCR]
* Eliminate some testing specific code in readwriteconf that duplicated code from starterwhack.c [MCR]
* Orient should be able to consider an end local if a private key is present for the public key indicated [MCR]
* Orientation now takes into account which end has a private key (if no interface IP
address could determine orientation) [MCR]
* Split nss and non-nss signature routines [MCR]
* Explain liboswkeys library [MCR]
* Explain libpluto [MCR]
* Make connection loading description a bit prettier [MCR]
* Module mis-named, got an i in front of af_key [MCR]
* Clean up orient info -- debug only [MCR]
* Warn about FIPS mode only once [MCR]
* libnss brings in some additional libraries that reveals that rsasigkey does not have exit_tool() defined [MCR]
* Use NSS_LIBS and FIPS_LIBS defines properly [MCR]
* Split off nss function to make files simpler to read [MCR]
* Sort out LIBNSS nonsense in rsasigkey [MCR]
* Mark rhel builds as using LIBNSS.
remove build_klips parts -- they are unmaintained on rhel7 [MCR]
* Make ikeping diagnostics saner, and show help rather than aborting [MCR]
* Update IPSECBASEVERSION in Makefile.ver for packagingprep target (simon)
* Make ikeping diagnostics saner, and show help rather than aborting [MCR]
* Clarify that whack_magic mismatch has nothing to do with klips [MCR]
* Permit debug-netkey to be alias for debug-klips as well debug-xfrm [MCR]
* Log the version that is placed into the version file [MCR]
* Mark some SPD/SA creation code as debug [MCR]
* Remove extensive but useless satype processing from netlink_raw_eroute [MCR]
* Added state to eroute_connection so that peer address can be taken from there [MCR]
* Just because right=%any, does not mean that it is a template [MCR]
* Simplify the kernel SA add code to use src/dst where appropriate, and src_client/dst_client properly [MCR]
* Updated natt port handling to pull from parent_st. [MCR]
* Found potentially dead code in update_ipsec_sa() [MCR]
* Log src/dst after it is inbound/outbound set [MCR]
* Take IPsec SA end points from state rather than from policy [MCR]
* Pass parent state down in IPsec SA creation routines so that an accurate st_localaddr/st_remoteaddr is available.
Note should also add port numbers --- IKEv2 NAT work is probably still open [MCR]
* Some debug of setup_half_ipsec_sa [MCR]
* SA src/dst is not a subnet, but an address, so use appropriate structure [MCR]
* Log algorithm lookup in KLIPS debug, and also IP address pairs of endpoint [MCR]
* When responding in an error condition, keep the state around awhile
in case there is a retransmit; but eventually remove it [MCR]
* Always collect other peers SPI value, we need it. With this change, the spi=0000000 problem goes away [MCR]
* Moved detection that responder has sent multiple proposals outside of block that matches them [MCR]
* Role can never change in ikev2parent_inR2, it is always the initiator [MCR]
* Added progress debug to setup_half_ipsec_sa so errors from kernel make more sense [MCR]
* Removed role parameter from emit_ts, and move next_payload calculation to parent [MCR]
* Removed note about duplicate_state --- state duplication occurs in ike_child_sa_respond [MCR]
* Defend ikev2_encrypt_msg against possible bad inputs; might come from ikev2_delete_out [MCR]
* Make code associated with being a responder not optional [MCR]
* Removed role parameter from ike_child_sa_respond, as it never is called by initiator [MCR]
* Set crypto importance once SA has been validated [MCR]
* Log state numbers better, and log SPI# in network order [MCR]
* Do not log a NAT change on first packet [MCR]
* Log the msgid for parent and child IKEv2 SAs [MCR]
* Added some notes about when parent state is relevant and when child is needed [MCR]
* Try to log better in setup_half_ipsec_sa() so that errors are more easily associated [MCR]
* R2 message was not being accepted because msgid replay counter
was being compared on child SA, rather than parent [MCR]
* Do not log NAT port changes if original address is 0.0.0.0 [MCR]
* Import libreswan (2bc8abe3) netlink fixes [MCR]
* Make sigusr1 handler static [MCR]
* Added DEBUG_WITH_PAUSE to keep pluto from running away with retransmits
when developer is thinking after a failure [MCR]
* Adopt a bunch of IKE algorithm definitions, and attempt to
find and quiet source of duplicate algorithm entries [MCR]
* Refactor ESP creation into new function for readability [MCR]
* Pluto now accepts SIGUSR1: this presently does nothing (crypto subprocesses ignore it)
it can be used with DEBUG_WITH_PAUSE to "single step" pluto interactions which are going
too fast to figure manually inspect.
In particular, one can do "ipsec whack --status" on the peer before letting the processing
proceed. [MCR]
* Note in logs when parentSA is considered good [MCR]
* Disentangle LIBNSS and non-LIBNSS code [MCR]
* Convert some uses of whack_log to loglog() so that they go into system log too! [MCR]
* Log the IKE version in state, and if v2-parent, log the msgid counters [MCR]
* State_hash now returns the bucket number, which can aid in certain kinds of debugging [MCR]
* Some minor comments about msgid processing
make sure that if the msgid is too large or cookies do not match, that no further processing occurs [MCR]
* Gave all the IKEv2 state microcodes a human readable name [MCR]
* Found problems with mis-initialized st_msgid_nextuse, created new routing to allocate them from parent [MCR]
* Added record of IKE maj/min version to state structure.
Collect it in into the msgdigest, and insert into stats on receive/create-state, and initialize
it when initiating. [MCR]
* Found error in starter_whack_add_pubkey that resulted in public keys not loaded. This was
introduced in commit: 0783e455 by mcr (me!) [MCR]
* Improve documentation of starter_whack_build_pkmsg [MCR]
* Set LOOSE_ENUM_OTHER values appropriate, and debug the result if desired [MCR]
* Parser_loose_enum used to return explicit "255", which matches LOOSE_ENUM_OTHER
as a value. But instead put the appropriate value into the keyword_def structure.
* Not only is this more flexible, but it is much easier to understand [MCR]
* Mark keyword_name() arg0 as const [MCR]
* Adjust ikev1 for new find_host_connection ANY that takes histype [MCR]
* Added KH_IPADDR to list of host type keywords [MCR]
* Added histype to find_connection functions [MCR]
* Some initial changes to put %any processing into host_pair code [MCR]
* Log host type of remote side of conn in host_pair [MCR]
* Changes to link order cause liboswlog to be properly linked in; this requires exit_tool
and progname to be setup properly [MCR]
* Import TS checking/narrowing code from libreswan into ikev2parent_inR2 [MCR]
* Changed SEND_NOTIFICATION to SEND_V2_NOTIFICATION, from libreswan [MCR]
* Ikev2_log_parentSA should be used on initiator and responder.
It is a good candidate for a function that could be omitted when memory is tight [MCR]
* Ikev2_process_payloads is wrong for processing and encrypted payload, do it inline [MCR]
* Make sure that event is always deleted on free_state [MCR]
* Added counter for number of retransmissions from responder seen [MCR]
* Repeated payload problem fixed [MCR]
* Notification should go to whack log, with appropriate value
make sure to set the current state, and remove debugging of payloads seen [MCR]
* Create a way to run parentI1 with calculations so that they can be saved (does not work yet) [MCR]
* Always include RFC5144 groups, no more ifdef [MCR]
* Split libnss code from non-libnss for better clarity [MCR]
outR1 could well assign the header msgID from the initiator's messageID,
but since the I1 messageID is defined to be zero, it should all be the same.
The messageID is sequence in IKEv2, but in IKEv1, it's opaque, so handle htonl() here. [MCR]
* Processing of v2N_INVALID_KE_PAYLOAD notify [MCR]
* Now picks correct state when notify is seen [MCR]
* ikeI1 state to deal with respondering sending a notify [MCR]
* Add target to make assembly for examining underlying causes [MCR]
* Do not delete state immediately, mark it as waiting to delete [MCR]
* Permit the RHEL7 spec file to also build on RHEL6.5. xmlto otherwise can not resolve dependancy
for lynx vs elinks. RHEL7 does not seem to have lynx [MCR]
* Change log of state deletion to not be a debug, log state name too (idea from libreswan) [MCR]
* Move spd formatting routines to library [MCR]
* Split orient() function into new file so it can be tested [MCR]
* When processing conf files, a missing right=/left= should cause an error and the conn should not be loaded [MCR]
* Move orient function to libpluto.
Pass it the pluto_port number to use, rather than reference a global [MCR]
* Change pluto_port -> pluto_port500,
introduce pluto_port4500. Make setting the pluto_port also set the NAT traversal port to +4000 of it.
Do not hard code the port 4500, use IETF name for port 4500 [MCR]
* New function: ikev2parent_outI1_withstate permits IKEv2 to start with some state [MCR]
* Refactor pubkey addition process, add this to whack write [MCR]
* Include option to create whack files from loaded conns [MCR]
* Refactor serialization of whack message to reuse in readwriteconf [MCR]
* Return count of messages read so that failures can more easily be diagnosed [MCR]
* Move whack msg write functions to libpluto [MCR]
* Make sure that the --secctx_attr_value is always accepted, and if appropriate, ignored [MCR]
* Permit an explicit nhelpers=-1 [MCR]
* Added family2str to decode AF_INET/AF_INET6 nicely [MCR]
* Moved defs.h to include/pluto/defs.h, so change the include slightly [MCR]
* Change some more variables to LIBFOO from FOOLIB [MCR]
* A batch of libreswan configuration code was ported as it was noticed that there was some
mix of strdup/clone_str already.
Some keywords were imported, many were not yet imported. The code is formatted vastly differently [MCR]
* Refactor key building whack message processing [MCR]
v2.6.43 (March 13, 2015)
Bugfixes and Certificate handling improvements
* Sign_hash was not being compiled when libnss was unset [MCR]
* Modifications to sign_hash_nss [MCR]
* Change order of functions to avoid forward declaration [MCR]
* Silence some warnings when building with LIBNSS [MCR]
* Modifications to decrypt_sig to help with nsscert test case [MCR]
* Added dhr-style shortcuts to constants.h [MCR]
* Added IOD for SHA224_WITH_RSA, renegerated oid.h and oid.c [MCR]
* Be more careful about examining dsig when digest is not successfully extracted [MCR]
* Tweaks to get LIBNSS defines into the right place [MCR]
* Allow unit tests to set a fake time [MCR]
* Added V=1 flag to turn off concise builds [MCR]
* Move ocsp.c into liboswkeys [MCR]
* Move rnd.h header so that ocsp.c will compile [MCR]
* Move list_ocsp routines to x509.c, as those routines are tied too closely to pluto [MCR]
* Fix GCC->CC macro so that make depend works [MCR]
* Whitespace changes in Makefiles [MCR]
* Create new liboswkeys and move liboswlog to separate directory [MCR]
* Rename FOOLIB variables -> LIBFOO [MCR]
* Be less verbose when building; especially do not emit paths that would screw up regression builds. [MCR]
* Added NULL argument for labelled IPsec support [MCR]
* Remove build dependancy upon bind-devel, as USE_LWRES= is not true anymore [MCR]
* RHEL7 spec file [MCR]
* Tweak IP_SELECT_IDENT_NEW for kernel 3.2: must have gotten lost [MCR]
* Ubuntu has backported some code to 3.13, so use correct select code [MCR]
* KLIPS patches for kernel 3.18 [MCR]
* Use a more KLIPS-y way to detect if KLIPS is loaded; not ancient pfkey interface [MCR]
* While the uid and pid types changes for namespace support since 3.12,
rather than fix that, KLIPS really does not need to know the PID at all. [MCR]
* Compile out the pfkey /proc interfaces; they provide no value [MCR]
* Use IP_SELECT_IDENT_NEW for kernel 3.12 series [MCR]
* Replace the ipsec_proc interface with seq based interfaces [MCR]
* Patch to work with Linux 3.11,3.15 [MCR]
* Ripped out --show and --showonly, and awk processing of ipsec auto --up [MCR]
* Cleaned up much ugliness (ifdefed argument lists) due to HAVE_LABELED_IPSEC [MCR]
* When a connection is deleted, log if the whack is open for the state [MCR]
* Get rid of compiler/printf warning on size of pointer [MCR]
* Append .ctl to socket name as whack does [MCR]
* Tweaks to whack message format: make it more resistant to 32/64-bit differences [MCR]
* Make whack magic values more clearly 32-bit [MCR]
* Removed kernel 24 build code [MCR]
* Clarify whack magic to be dependant upon size of pointer [MCR]
* Flush whackrecord on each write [MCR]
* Whackstoprecord option should not require an argument [MCR]
* When whack record is on, output debugging [MCR]
* Tweaks to whack message format: make it more resistant to 32/64-bit differences [MCR]
* Do not make whack message depend upon an ifdef [MCR]
* Move resolv_myid from pluto into libopenswan, but remove it from liboswlog, which is for non-pluto pieces only [MCR]
* If nexthop is not set, then it ddefaults to %defaultroute, otherwise left=%defaultroute does not work [MCR]
* Add check for bison/flex [MCR]
* Some minor enhancements to newhostkey to use /dev/urandom by default, and fill in the
debian place for ipsec.secrets.inc if it exists, but is zero [MCR]
* Do not install development man pages on target system by default [MCR]
* Re-organize, and enable obsolete keywords to be processed [MCR]
* Change USER* for USER*EXTRA [MCR]
* Removed unused tsc variable [MCR]
* Change //-comments that change code flow into #if 0 instead [MCR]
* More changes to addrbytesptr() rework [MCR]
* Removed dead function: ikev2_narrow_instantiate [MCR]
* 32-bit,64-bit issues with printf [MCR]
* Try to deal with -Wqual-cast/-Werror issues: addrbytesptr() should perhaps not be promising const-ness on ptr [MCR]
* NAT-T: new style uses setsockopt and old (KLIPS-only) uses ioctl [Simon Deziel]
* Use pidof instead of ps -C in _realsetup as the former is guarantied to
be available even on minimal installs. Closes Debian bug #719126. [Simon Deziel]
* Update README to include dependencies for RH-based distros [Simon Deziel]
* Added SSL roadwarrior configuration [Renzo Dani]
v2.6.42 (October 20, 2014)
Bugfixes
* Update two minor copyright statements [MCR]
* Make -lgmp into a variable [MCR]
* Clarify use of Makefile.vendor, and clean it out. [MCR]
* buildlin should warn if WERROR set, and look for missing gmp.h [MCR]
* Target build for Trusty by instead of Precise [Simon Deziel]
* Improve wording of leftsubnets' explanation in the man page [Simon Deziel]
* Bring back NAT traversal that got mistakenly pulled out by CVE-2014-2037 patch. [Thomas Geulig]
v2.6.41 (February 21, 2014)
This version specifically addresses CVE 2014-2037
This CVE is a continuation of CVE 2013-6466. We missed some cases.
* SAREF: kernel patches updated to linux 3.11.0 (Simon Deziel)
* Fix for CVE-2014-2037 (Paul Wouters, Hugh Redelmeier)
v2.6.40 (February 14, 2014)
This version specifically addresses CVE 2013-6466.
Big changes are coming for the testing subsystem.
From this version on, we are disengaging the testing subsystem from
the Openswan source tree. You can still get a copy at
[email protected]:xelerance/old-openswan-testing.git
Some parts of an RFC4306/5996 patch were removed due to it
introducing a few IKEv2 specific crashers.
We will introduce a greater IKEv2 functionality upgrade in
the next version.
* CVE-2013-6466 fix: Integrated fix from Steve Lanser [Patrick Naubert]
* KLIPS: Fix for crashes in ipsec_xmit_ipip() for 3.4.65+ kernels [Thomas Geulig]
* Revert "relpath changes" [Brenda J. Butler]
* Add xmlto as Debian build dependency to have fresh man pages. [Simon Deziel]
* Avoid dns(sec) lookups for numerical sourceip= values [Paul Wouters]
* Updated FSF address on the GPLv2 COPYING file [Paul Wouters]
* Removed some obsoleted files in docs/ [Paul Wouters]
* Added "ipsec initnss" command [Paul Wouters]
* XAUTH: Use incoming XAUTH VID when picking best connection [Andrey Alexandrenko]
* XAUTH: fix pam race condition and contrib/pam.d file [Paul Wouters]
* Do not perform XAUTH/ModeCfg during rekey when using Cisco compatibility [Avesh Agarwal]
* v1phase2tov2child_integ() addition [Avesh Agarwal]
* Changed related to bz#703985 for Secure Labeling [Avesh Agarwal]
* Added Avesh's additional labeled ipsec logging to starterwhack [Paul Wouters]
* Support reading NSS password from file [Paul Wouters]
* Restore postpluto functionaliy which was missing [Tuomo Soini]
* Don't refer to NETKEY as "2.6" or "experimental code" [Paul Wouters]
* Added AH_SHA2_256_TRUNC to ah_transform_name_private_use [Paul Wouters]
* helper: helper_passert_fail no longer used. Fix two string format warnings [Paul Wouters]
* Put rpmbuild values used to compile in Makefile.inc as commented examples [Paul Wouters]
* X509: fetch_ocsp should return void, not void * [Paul Wouters]
* gen_reqid() can call exit_log() but confuses compiler [Paul Wouters]
* XAUTH: fixup previous maxlength fix. mova hardcoded to defines [Paul Wouters]
* Support /etc/sysconfig/ipsec and /etc/default/ipsec (rhbz#789917) [Paul Wouters]
* Backporting proc_subdir_remove with Al Viro's code.
There must a better way than me backporting something... [Patrick Naubert]
* Added package to load dependancy for developers [Michael Richardson]
* Make ls command explicitely avoid columns, and search both regular
directory and execdir [Michael Richardson]
* When logging ESP keys, be clear about which direction is which [Michael Richardson]
* inet6 protocol does not have netns_ok flag [Michael Richardson]
* Added netns_ok lie to get regression tests to pass [Michael Richardson]
* Changes to work with linux 3.9 [Michael Richardson]
* Fix a typo reported by someone to the [email protected] (https://lists.openswan.org/pipermail/dev/2013-September/003104.html) [Simon Deziel]
* Update links in the README and mention that Python is a dependancy
for ipsec verify now [Patrick Naubert]
* Log if we send non-default PLUTO_*_RETRANSMIT_* values via env variables [Paul Wouters]
* NETKEY: linux_pfkey_add_aead() left alg.sadb_alg_reserved uninitialised [Paul Wouters]
* starter: remove prototypes for static functions [Paul Wouters]
* Remove duplicate include of oswlog.h in x509dn.c [Paul Wouters]
* Merge virtif.c header change [Paul Wouters]
* _updown.netkey: fix route to be inserted on correct interface when
nexthop is used [Tuomo Soini]
* Added new option plutostderrlogtime= (default=no) [Paul Wouters]
* Cap xauthpasslen and xauthnamelen at 128 (their buffer size) [Paul Wouters]
* fmt_log() fix similar to previous strncat() use [Paul Wouters]
* xauth: in theory, in xauth_inI0() it could attempt to memcpy NULL [Paul Wouters]
* Ensure not to call same_chunk on a null pointer [Paul Wouters]
* Simplified functions around strncat/snprintf [Paul Wouters]
* Fixup format_end(), do not use strncat but snprintf [Paul Wouters]
* Move the close() call for the sock to the function that created it. [Paul Wouters]
* Undo the close on whack_sock, as it is placed in the state. [Paul Wouters]
* Close dup()ed whack_sock in ipsecdoi_replace() to avoid leaking fd [Paul Wouters]
* Remove other half of ipsec_copyright_notice() [Paul Wouters]
* Include "sysdep.h" in udpfromto.c [Paul Wouters]
* Close socket fd of the interface in _iface_down() [Paul Wouters]
* Fix potential strncat() failure in format_end() [Paul Wouters]
* More strnat() safety checks [Paul Wouters]
* Additional safety checks to alg_info_snprint_esp() and
alg_info_snprint_ah() [Paul Wouters]
* Additional safety checks to addrtot(), inet_addrtot() and sin_addrtot() [Paul Wouters]
* Block rules created by openswan remain even after tunnel establishment [Panagiotis Tamtamis]
* Remove KLIPS define in initiate.c [Paul Wouters]
* DNSSEC: added root and DLV (dlv.isc.org) key for dnssec validation [Paul Wouters]
* ipsec-tools 0.8.0 mistakenly sets some NAT-OA fields that are defined
in RFC1374 as "always zero". We define these as "ft_mbz" (Must Be Zero) [Paul Wouters]
* Fixup some credits. Remove merged contrib code for selinux [Brenda J. Butler]
* Redone and simplified functions around strncat/snprintf for addrtot.c [Paul Wouters]
* Fix addrtot() with a passert and off-by-one [Paul Wouters]
* Move the close() call for the sock to the function that created it. [Paul Wouters]
* Close socket fd of the interface in _iface_down() [Paul Wouters]
* Change name from libreswan.h to openswan.h [Brenda J. Butler]
* Fixup IPSECKEY support with ipv4/ipv6 family and support --precedence [Paul Wouters]
* Updated vendorID to be Openswan specific. Print it with --version [Michael Richardson]
* Remove support for kernels without snprintf [Paul Wouters]
* Remove support for kernels not supporting MALLOC_SLAB [Paul Wouters]
* Remove remaining pre 2.4.4 kernel support [Paul Wouters]
* Remove pre 2.4.4 IP_FRAGMENT_LINEARIZE compat code [Paul Wouters]
* Remove pre 2.4.4 kernel compat for PROTO_HANDLER_SINGLE_PARM [Paul Wouters]
* Remove compat code for SKB_COW_NEW for < 2.4.4. kernels [Paul Wouters]
* Remove compat old/broken IP_SELECT_IDENT for < 2.4.2 kernels [Paul Wouters]
* Remove SKB_COPY_EXPAND for < 2.3 kernels [Paul Wouters]
* Remove /proc dummy code for old kernels (PROC_NO_DUMMY) [Paul Wouters]
* Always add support for alias capability (CONFIG_IP_ALIAS) [Paul Wouters]
* Remove support for NET_23 (kernels before 2.3) [Paul Wouters]
* Remove kernel support predating NETLINK [Paul Wouters]
* Remove /proc support pre-2.4 kernels (PROC_FS_2325/PROC_FS_21) [Paul Wouters]
* Remove more old 2.1 and 2.3 kernel code [Paul Wouters]
* Remove support for kernels without SPINLOCK and SPINLOCK_23 [Paul Wouters]
* Remove support for Linux kernels < 2.1.0 via NET_21 define [Paul Wouters]
* Fixup IPSECKEY support with ipv4/ipv6 family and support --precedence [Paul Wouters]
* Updated ipsec showhostkey to support IPSECKEY [Paul Wouters]
* Fix generating libreswan versions based of git [Paul Wouters]
* Typo fix in man 5 ipsec.conf [Simon Deziel]
* Handle NULL returns from glibc 2.17+ crypt(). [mancha]
* Only use -Wno-error=cpp when GCC's version is >= 4.6 [Simon Deziel]
* Remove debug code [Simon Deziel]
* Call "ss" without using the fully qualified path as this binary is installed in different place depending on the distro [Simon Deziel]
* Removed some /testing links in Makefile.top [Patrick Naubert]
* DPD typo fix: Dectection -> Detection [Simon Deziel]
* Redone and simplified functions around strncat/snprintf for addrtot.c [Paul Wouters]
* Fix addrtot() with a passert and off-by-one [Paul Wouters]
* Move the close() call for the sock to the function that created it. [Paul Wouters]
* Close socket fd of the interface in _iface_down() [Paul Wouters]
* Additional safety checks to addrtot(), inet_addrtot() and sin_addrtot() [Paul Wouters]
* Sync patches with variables names [Paul Wouters]
* Log a warning for NETKEY/XFRM breaking RFC 4301, Section 5.2 [Paul Wouters]
* Always assume UDPFROMTO works on Linux and BSD [Paul Wouters]
* Only set MODP768_MODULUS with USE_VERYWEAK_DH1 [Paul Wouters]
* updown: Delete the source ip addres on down only for Cisco peer [Paul Wouters]
v2.6.39 (May 31, 2013)
* Hardening patches from Florian Weimer
* Created .in files for distro packages [Patrick]
* Target deb builds for Precise instead of Lucid [Simon]
* Enable hardened builds by default [Simon]
* Bring 'ipsec policy' back form the dead [Simon]
* Drop the builddep on htmldoc and man2html as those are not needed anymore [Simon]
* CVE-2013-2053 fix: Integrated fix from Andreas Steffan
* Refactor x509dn to seperate out atodn from other functions [MCR]
* Fixed regression test to be 64-bit and IPv6 aware [MCR]
* Patches for kernel 3.9 and changes to work with Linux 3.9 [MCR]
* Nighly builds fixes and whitespace fixes [MCR]
* Fix for three AES-GCM issues with key lengths 128, 192, 256 bits and IV
of 8, 12, 16 bytes as per RFC 4106 [Avesh]
* SAREF: kernel patches updated to linux 3.2.0 [Simon]
* Refresh debian/control files to point to the right git URL [Simon]
* KLIPS: startklips-ip_route patch [Harald]
* MAST: updown.mast-scriptfix patch [Harald]
* Refresh debian/po from Debian [Simon]
* Fixed ipsec verify to avoid perl and use python instead. It helps during minimum install so that openswan does not have to pull perl packages, and it keeps minimal install really minimum. Also Removed compilation of ipsec policy subprogram as it is not needed with NETKEY. [Paul]
* NATT: rhbz #834400 NAT-OA reserved field issue. [Avesh]
* rhbz #834396 Coverity scan fixes, warnings, dead code. [Avesh]
* rhbz #785180 openswan uses ifconfig which is deprecated. [Avesh]
* barf: ipsec barf should not grep sparse file. [Paul]
* XAUTH: Phase15 as xauth and modecfg is called in openswan is not handled properly when only xauth (without modecfg) is used. [Avesh]
* Interop: Fixes to interop issues (related to updating/removing local interface with remote ip address and removing local routes) between cisco ASA and openswan. [Avesh]
* XAUTH: Fixes to interop issues between cisco ASA and openswan in main mode. These fixes prevents xauth/modecfg negotiation during IKE rekey in main mode. [Avesh]
* rhbz #831676 [Avesh]
* IKE: ikev1 aes-gcm esp fixes [Avesh]
* IKE: ikev1/ikev2 sha2-256 related changes [Avesh]
* rhbz#609343: pluto crashes when removing logical interface [Avesh]
* Reading password from a file when creating keys. [Avesh]
* IKEv2: IKEv2 RFC4306/5996 related changes [Avesh]
* Interop: Fixes to solve interop issues between cisco ASA and openswan in aggressive mode.[Avesh]
* Fix for the issue where ipsec help shows the list twice (rhbz 524146, 509318) [Avesh]
* relpath changes [Avesh]
* Bugtracker bugs fixed:
#1308 forceencaps= setting does now show up in "ipsec auto --status"
[Matt Rogers]
#1329 IKEv2 core dumps on 2.6.32 with changes backported from the 2.6.38
tree [Steve Lanser]
#1349 pluto logging no subjectAltName matches ID '%fromcert', replaced
by subject DN [Tuomo]
#1371 SAref patches 3.2.0 [Simon]
* Fix url to bugs system. [Tuomo]
v2.6.38 (March 23, 2012)
* DPD: seq_no logged after hton() call [Shinichi Furuso]
* DPD: With multiple phase 2 SAs, we sent too many [Shinichi Furuso]
R_U_THERE's
* barf: iptables-save on suse is in /usr/sbin, not /sbin [Paul/Shinichi]
* SUSE: Package compliant with Kernel Module Package Manual [Shinichi Furuso]
* verify: fix false positive on IP forwarding (perl dependant) [Steve Delaney]
* IKEv2: Introduced new keyword narrowing=yes|no [Paul]
* IKEv2: Send TS_UNACCEPTABLE when narrowing would violate local policy [Paul]
* IKEv2: Fix for multiple SAs to the same peer with different ports [Avesh]
* IKEv2: IKE-SA_INIT with INVALID_KE_PAYLOAD Notify Payload should
continue [Avesh]
* IKEv2: incorrecty sent PAYLOAD_MALFORMED on unknown minor version [Avesh]
* IKEv2 should ignore unknown RESERVED bits in payload [Avesh]
* IKEv2: Implement sending higher IKEv2 major and minor versions [Paul]
* IKEv2: Delete SA states added to state machine [Avesh]
* IKEv2: Informational Exchange added [Avesh]
* hostpair: initial_connection_sent was never set to not FALSE [Avesh]
* Crypto: handle leading zeroes in DH keys [Avesh]
* Add PLUTO_IS_PEER_CISCO= to updown scripts [Avesh]
* XFRM: update userland copies of xfrm.h netlink.h rtnetlink.h [Paul/Avesh]
* SHA2 fix when pluto is compiled without USE_EXTRACRYPTO [Paul/Tuomo]
* SHA2: Fix for Linux kernel using bad sha2_256 truncation (96 instead of 128)
(to get the old behaviour for interop, specify sha2_truncbug=yes) [Paul]
* Fix two format string buglets [Moritz Muehlenhoff]
* XAUTH: Support unbound as local resolver in remote_peer_type=cisco [Paul]
* NATT: Fix iphone/iOS by removing outdated OSX NAT-T workarounds [Paul]
* SAREF: kernel patches updated to linux 3.0.0 [Jonathon Padfield]
* SAREF: fix all patch versions to use new numbers for SAREF [Paul]
* Fix various compiler warnings in lib, pluto and ikeping [dhr]
* Various ESP_* and AH_* fixes/updates from IANA [Paul]
* Fix authalg in esp_info to be u_int16_t, not u_int8_t [Paul]
* Debian: Various debiacn packaging fixes [Simon]
* KLIPS: Fix crasher on returning -ENODEV from ppp devices [David]
* XAUTH: Support dynamic config update for unbound DNSSEC resolver [Paul/Tuomo]
* Remove non-iproute2 version of _updown.klips and its USE_IPROUTE2 [Paul]
* Bugracker bugs fixed:
#1263 /usr/lib/ipsec/_startnetkey selects wrong default gateway if there
are multiple [Petr Tichy]
#1314 update the updateresolvconf routines to be able to reconfigure
locally running unbound [Paul]
#1322 get rid of unused bucketno argument in state_hash [Paul]
#1326 0001-SAREF patch not compiling on 3.0.0 [Jonathon Padfield]
v2.6.37 (October 28th, 2011)
* Fix for CVE-2011-4073 crypto helper crash [Paul/dhr]
* KLIPS: Fixes to run on Linux 3.1 [David McCullough / Greg Ungerer]
* KLIPS: Fix sending icmpv6 packets in an ipv6 ipsec tunnel [David McCullough]
* Fix for ike_alg_get_encrypter() possibly returning NULL [Steve Grubb]
(this is rhbz#747852)
* Bugtracker bugs fixed:
#1241 vhost allows connections with subnets proposed and ignores
virtual_privat [Wolfgang Nothdurft]
v2.6.36 (October 5th, 2011)
* CVE-2011-3380 Openswan IKE invalid key length fix [Paul/Hugh]
* auto: Add --checkpubkeys option for checking expiry of X.509 certs
[Mika Ilmaranta]
* Update building (with SAref) on SLES10 / SLES11 / Opensuse [Shinichi Furuso]
* KLIPS: backported 2.6.19 CryptoAPI for SuSe kernels [Shinichi Furuso]
* KLIPS: ipsecdevices index overflow [Shinichi Furuso]
* KLIPS: cleanup off by one interface,prevented module unload [Shinichi Furuso]
* tncfg called incorrectly for adding more ipsecX interfaces [Shinichi Furuso]
* KLIPS: ipsec_sa_getbyid() did not work properly on IPv6 [Shinichi Furuso]
* NAT-T: Fix delete for port floating case [Shinichi Furuso]
* IKEv2: We always sent the openswan VID instead of using #ifdef [Avesh/Paul]
* IKEv2: ikev2_get_dcookie used SHA1Update() with pointer size [Avesh]
* TESTING: Added some more consistent logging in prerunsetup() [Paul]
* pcr_init() should memset the request helper size, not pointer size [Avesh]
* Prevent deferencing ctx->trans_cur in db_trans_add() [Avesh/Paul]
* XAUTH: whack_get_value() never decremeanted "tries" [Avesh]
* Fix closing fd in lib/libopenswan/oswconf.c [Avesh]
* rsasigkey: configdir is always set in the NSS #ifdef part [Avesh]
* examples: clarify hub-spoke netkey design [Tuomo]
* NAT-T: Fixed logging for broken NAT-T keepalives [Tobias Brunner]
* Use iptables-save instead of iptables -L if possible (rhbz#737973) [Avesh]
* ipsec verify: New kernels use nf_conntrack instead of ip_conntrack [Avesh]
* LDAP/CRL needs liblber (rhbz#737975 [Avesh]
* SAREF: kernel patch added for Linux 2.6.36 and 2.6.38 [Paul]
* SAREF: Remap IP_IPSEC_REFINFO/BINDREF from 22/23 to 30/31 [Sony Japan]
* Disable USE_IPSECPOLICY per default, was only proof of concept code [Paul]
(local user could cause pluto to stop responding if /var/run is a tmpfs
mount and /var/run/pluto was manually deleted, Found by Sony Japan)
* Bugtracker bugs fixed:
#1270 malloc is being used which does not use alloc_bytes/pfree [Paul]
v2.6.35 (July 23, 2011)
* OCF: Fix accidental 'always' setting of large resources [Sony Japan]
* OCF: Give a hard #error in ipsec_ocf.h without proper CONFIG_KLIPS_OCF [Paul]
* OCF: Only include ipsec_ocf.h when using CONFIG_KLIPS_OCF
* MAST: Add ipsec_xmit_sanity_check_dev() in the mast path [Paul]
* MAST: Be more careful about {mast,ipsec}priv structure [Bart]
* MAST: Fix host-host connections, bug introduced in v2.6.34 [David]
* SAREF: Fix crasher in ipsec.ko unload with saref kernel [Sony Japan]
* SAREF: ip_cmsg_recv_ipsec_refinfo() doesn't initialize refs array [Sony Japan]
* SAREF: Added null check of secpath_dup(NULL) [Sony Japan]
* KLIPS: Fix possible double skb free [Sony Japan]
* KLIPS: Fix MTU on interface - bug introduced in 2.6.33 [Wolfgang Nothdurft]
* KLIPS: debug messages often had pre-refactor names in prefix [Paul]
* DPD: Do not ignore failure in dpd_init() but return STF_FAIL [Paul]
* pluto: Fix IPcomp pull-up from 2.4 introduced in 2.6.20 [Paul]
(malloc <-> pfree caused assertion with LEAK_DETECTIVE set)
* pluto: st_peeridentity_port missed ntohs() causing interop
failure between big/little-endian machines [Magnus Öberg]
* pluto: Fix for Tuomo's (rare) crasher where globals were not reset [dhr]
v2.6.34 (June 8, 2011))
* Fix build without USE_EXTRACRYPTO introduced in 2.6.33 [Tuomo]
* Fix new leftmtu= option to pass correctly to _updown [Mattias Walstrom]
* Add Apple iOS work-around to l2tp example configs [Tuomo]
* KLIPS: Support to compile on Linux 2.6.38 and 2.6.39 [David]
* KLIPS: Make sin_family setting in delflow the same as addflow [David]
* KLIPS: IPv6 and SLES10 compile fixes [Sony Japan]
* KLIPS: IPv6 outbound policy check used wrong index [Sony Japan]
* KLIPS: Enable CryptoAPI per default [Paul]
* KLIPS: Module unload fixes [David]
* KLIPS: Routing cache corruption due to ip_select_ident [David]
* KLIPS: Only fixup the ethernet header it might be on [David]
* KLIPS: Fix for ixs->skb->dev is null at the top of ipsec_xmit_send [David]
* MAST: refcount bug in transport mode prevented ipsec.ko unload [Sony Japan]
* MAST: Don't autopick mast [David]
* NETKEY: Fix AH mode [Avesh]
- rh #704548
* DYNDNS: using hostnames could lead to loss of ports in SA [Avesh]
- rh #703473
* Many uml testing harness fixes and updates, mostly IPv6 related [Paul/Hugh]
* "ipsec look" now shows NETKEY/XFRM and IPv6 routing table [Paul]
* "ipsec look" now shows iptables NEW_IPSEC_CONN mangle table [Paul]
* "ipsec look" and "ipsec barf" now shows ip6tables like iptables [Paul]
* Fix inbound policy --addin, and added --replacein [David]
* KLIPS: Fix family check when policies are not set [David]
* MAST: Fix family check when policies are not set [Sony Japan]
* Improve build speed (don't recalculate build version all the time [David]
* XAUTH: Fix rekey with Cisco when remote_peer_type=cisco [Avesh]
* Openswan (IKEv2/IKEv1) icmp issue (redhat bz 681974) [Avesh]
* IKEv2: port range was hardcoded to 0-65535, not local policy [Avesh]
* MAST: Fix oops on module unload [David]
* Improve build speed, calculate version once [David]
* Import OpenWRT packaging updates [Simon]
* contrib: added openswan patch for 2.4.37.9 [Yannick Koehler]
* KLIPS: Fix for compiling on 2.6.22 (Fedora Core 6 based) kernels [Paul]
* KLIPS IPV6: Fix packet fragmentation [Paul]
* Added PLUTO_CONN_ADDRFAMILY= to updown.* (to disable SAref on v6) [Paul]
* KLIPS: cleanup packaging/*/config-* files [Paul]
* Fix a bunch of gcc unused-but-set-variable warnings [Paul]
* Fix some WERROR warnings [mcr]
* Various file descriptor leaks and mimor memleaks [Avesh/dhr]
* Removed reference to http://www.freeswan.org from ipsec --help [Tuomo]
* Bugtracker bugs fixed:
#1233 WARNING: at net/ipv4/af_inet.c:151 inet_sock_destruct on stop [David]
v2.6.33 (February 18, 2011)
* Merge in the klips-ipv6 branch [David]
* modprobe more crypto modules on startup (gcm, camelia, sha2* etc) [Paul]
* Added %v4:26/8 to virtual_private ("thanks" to T-Mobile/Rogers/FIDO) [Paul]
* Pluto did not start nhelpers due to --nofork, bug introduced in 2.6.32 [Paul]
* OCF: Set the OCF queues to 10000 when 256MB+ RAM and 1000+ bogomips [Paul]
* Improved NetworkManager support [Avesh]
- This is Red Hat bugzilla 642722, 658253, 659709 and 641068
* ipsec verify now also shows parse errors in ipsec.conf [Paul]
* Always build SHA2 family support for IKE [Paul]
* KLIPS: Add a new option to override the replay window via /sys [David]
(echo 0 > /sys/module/ipsec/parameters/ipsec_replaywin_override)
* Add aesni_intel to the list of crypto modules we attempt to load [Paul]
* enable dumpdir= in stock ipsec.conf for use with abrtd [Paul]
* New per-conn keyword mtu= allows setting the mtu per tunnel [Paul]
* per-conn keyword metric= did not export to userland or updown [Paul/Tuomo]
* Cleaned up and moved some old docs [Paul]
* KLIPS: arp_broken_ops is no longer exported in 2.6.37+ [Paul]
* KLIPS: Fix crasher in ipsec_xmit_state_delete [David]
* KLIPS: Fix oops if packet is received on detached tunnel [David]
* Bugtracker bugs fixed:
# 601 KLIPS: NAT-OA UDP checksum bad in transport mode when both sides are
NATted [Wolfgang]
# 645 hundreds of replacements [...]: 000 #3: pending Phase 2 [Anthony Tong]
#1182 Verification of X509 certificate signed by SHA2 [[email protected]]
#1183 Fix documentation typo (in ipsec.conf) [Tuomo]
#1190 nat-t broke on transport mode for klips between 2.6.31 and 2.6.32
[Paul]
#1199 when leftsubnet has a different netmask than the localnet, a route
is added for the localnet to the ipsec device [Tuomo]
#1201 dpd + ddns does not work [Mattias Walström]