forked from xelerance/Openswan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCHANGES
2576 lines (2439 loc) · 144 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Note that listings are in chronological order of release times, not in order
of version numbers, so you will find 2.5.x and 2.6.x releases intersperced.
See also docs/KNOWN_BUGS.txt and https://github.com/xelerance/Openswan/issues
v2.6.51 (September 14, 2018)
Bug fixes for various issues. Improving interopability with strongSwan.
Additional work to enable NAT-Traversal in IKEv2.
* s/libgmp3-dev/libgmp-dev/ as the former has been a dummy virtual package for a long time [Simon Deziel]
* Specify compatibility issues with strongSwan & Openswan. Provided work-around to the issues. [Samir Hussain]
* wo#7417 . prevent ikev2_validate_key_lengths() from accessing NULL pointers [Bart Trojanowski]
* wo#5532 . non-PFS policy overrides getting a KE exchange when processing CHILD_SA rekey [Bart Trojanowski]
* wo#5579 . use incoming exchange type when generating notifications in R2 [Bart Trojanowski]
* wo#7094 . move state hasing algorithm to .h so that it can be used in unit tests [Bart Trojanowski]
* wo#7093 . Extra debug in find_phase1_states() and extract-statetable.py
uses gdb to dump state and connection structures [Bart Trojanowski]
* wo#7092 . unit tests for deriving child keys needed to use IKEv2
parent SA negotiation hash algorithm [Bart Trojanowski]
* wo#7091 . unit tests for handling bad messages and responding with
appropriate notifications [Bart Trojanowski]
* wo#7089 . be more explicit when logging encryption role [Bart Trojanowski]
* wo#7089 . unit tets for receiving child SA rekeys from initial
responder as msgid 0 [Bart Trojanowski]
* wo#7089 . clean out unit test *~ backup and *.o object files [Bart Trojanowski]
* Use https URL [Samuel Thibault]
* wo#7011 . shipping v2KE with a zero sized g^x will fail [Bart Trojanowski]
* fix priority: extra is being replaced [Samuel Thibault]
* fix spelling [Samuel Thibault]
* Drop rule installing removed NEWS file [Samuel Thibault]
* Revert "lp28-addrinfoserialize: IP address for moon changed to 192.139.46.82" [Samuel Thibault]
* Updating debian/copyright to ensure proper attribute [Samir Hussain]
* Updating debian/copyright to simplify years and remove file that doesn't exist [Samir Hussain]
* Updating debian/copyright to reflect the difference licenses/copyrights [Samir Hussain]
* wo#7003 - add delete_state_family() to handle deleting a parent SA w/ children SAs [Bart Trojanowski]
* wo#7003 - correctly identify if informational message is a request or response in logs [Bart Trojanowski]
* unit: update expected output of ikev2crypto unit tests [Bart Trojanowski]
* contrib: pluto-log-merge.pl [Bart Trojanowski]
* make ikev2_out_sa() and print_sa-*() functions resilient to NULL pointers [Bart Trojanowski]
* wo#6874 - explicitly log when state object is freed [Bart Trojanowski]
* wo#6874 - do not attempt to send notification with st==NULL [Bart Trojanowski]
* aggr_not_present() match initiator_function type [Bart Trojanowski]
* No longer ship with <= 3.2.0 kernel patches for Debian [Samir Hussain]
* Drop useless file [Samuel Thibault]
* changelog is not generated any more [Samuel Thibault]
* Fix changelog for upload [Samuel Thibault]
* No need for a NEWS file giving no useful information [Samuel Thibault]
* wo#6532 - select the correct newest parent SA for EVENT_SA_REPLACE [Bart Trojanowski]
* wo#6532 - avoid leaking PSK text if it is malformed [Bart Trojanowski]
* wo#6760 . when reusing a connection state, we are only interested in
parent SAs. Also, check the subnets[Bart Trojanowski]
* wo#6453 . return and propagate errors from ikev2_derive_child_keys() when hash alg is unknown [Bart Trojanowski]
* wo#6453 . when generating key material, use phase 1 negotiated hash algorithm [Bart Trojanowski]
* wo#6589 . using send_v2_notification_enc() to send encrypted notifications [Bart Trojanowski]
* wo#6589 . add new notification enum types and names [Bart Trojanowski]
* wo#6589 . better string expansion for error codes, which can be out of range [Bart Trojanowski]
* wo#6606 . force a new nonce each time we respond to a child SA rekey [Bart Trojanowski]
* wo#6364 . Cleanup expired/replacedchild SA after a rekey[Bart Trojanowski]
* wo#6634 . add delete-child-SA-ack state transition [Bart Trojanowski]
* consistently set timeout-event for rekey initiator [MCR]
* set the timeout_event for responding to peer requesting child rekey [MCR]
* when deriving keys, show the nonce as CRYPT debug [Bart Trojanowski]
* extra debug in ikev2_derive_child_keys() [Bart Trojanowski]
* macros for helping with INITIATOR/RESPONDER states [Bart Trojanowski]
* added debug option to usage summary [MCR]
* update payload_descs[] comments to map them to ISAKMP_NEXT_* namespace. [Bart Trojanowski]
* make sure that header files are included in tags [Bart Trojanowski]
* Add info on "aggressive" keyword in ipsec.conf's man page [Samir Hussain]
* Update path to gmp.h for buildlin.sh (Thanks to jejayhe) [Samir Hussain]
* Fix bug where "no connection named foo" appears when downing a subnet [Samir Hussain]
* Add python-minimal to travis.yml so that helper scripts can work properly [Samir Hussain]
* Update commercial support section for OSW [Samir Hussain]
* do not install pluto_next_hop if address families do not match [MCR]
* Add an 'ipsec status' command that gives the same output as: ipsec auto --status and ipsec whack --status [Samir Hussain]
* Update 'ipsec status' command to give per connection status (also deals with subnet) [Samir Hussain]
* wo#6211 . the check on the peers reply should also use localaddr when checking [MCR]
* wo#6211 . ikev1 proposal from self=%any should use localaddr in proposal [MCR]
* added new PLUTO_CONN_CLIENTFAMILY and PLUTO_CONN_ENDFAMILY for updown scripts [MCR]
* update local port numbers/interfaces on receiver, after authenticating packet [MCR]
* added ikev2_parent_R2 and I3 to dependancies [MCR]
* wo#4822 . Enhancing IKEv2 NATT support
* switch to figlet and add message about what file is being processed [MCR]
* process the NAT-payloads in I2 [MCR]
* make sure that all makefiles have a pcapupdate, and update all the pcap files [MCR]
* updated input pcap files to include nat notify [MCR]
* revise Makefiles to be table driven [MCR]
* added shell script to run all the unit tests, stopping for make update and git add [MCR]
* added pcapupdate to update pcap input from lp02 [MCR]
* fake interface was not in network byte order for fake ipsec0 [MCR]
* copyright additions [MCR]
* whitespace changes [MCR]
* basic natt responder test case [MCR]
* added pcapupdate to update pcap input from lp02 [MCR]
v2.6.51rc1 (2018)
Additional work to enable NAT-Traversal in IKEv2.
v2.6.50.1 (August 24, 2018)
This release fixes CVE-2018-15836 (a Bleichenbacher-style signature
forgery which involves RSA padding attack)
* wo#7449 . test case for Bleichenbacher-style signature forgery [Bart Trojanowski]
* wo#7449 . verify padding contents for IKEv2 RSA sig check [Bart Trojanowski]
* wo#7449 . added lo06-verifybadsigs test case [Bart Trojanowski]
* b01-install test case will no longer spam with the environment
variables [Bart Trojanowski]
* lp28-addrinfoserialize: IP address for moon changed to
192.139.46.82 [Bart Trojanowski]
v2.6.50 (August 3, 2017)
Bug fixes for RSA key size and other issues
* IKEv1 proposal from self=%any should use localaddr in proposal [MCR]
* The check on the peers reply should also use localaddr when checking [MCR]
* Protect kernel_command_verb_suffix against NULL st, which occurs during
unroute operations [MCR]
* Log source of unknown address family [MCR]
* Straighten out eroute_connection logging with fake "tun" entries [MCR]
* Rework where/how the decision as to whether to create or update an IPsec SA is done. [MCR]
* Always use the remote target address to determine family type of outer IP [MCR]
* Updated the seam_kernel with new get_ipsec_spi/get_my_cpi function signature [MCR]
* Change cert and cert-encoding field to be loose_enum, as IETF may define new values [MCR]
* Test case that shows how addconn core dumps [MCR]
* Removed errant comment about installing AH SA [MCR]
* Ensure orient picks loopback interface properly [MCR]
* Minor comment and copyright changes [MCR]
* updated for changes in orient debugging [MCR]
* Move creation of interfaces into data structures so that it can be permuted better [MCR]
* Enable debug output from orient [MCR]
* Added and updated test cases to include debug of orient interface picking [MCR]
* Changed pick_matching_interfacebyfamily to pick best interface, rather than first [MCR]
* Test case for looking up best interface to match an endpoint [MCR]
* Added new ok01-parsepubkey to validate str2pubkey function [MCR]
* Added ckaidhex2ckaid to parse ckaid in hex form [MCR]
* Added test case for IGNORESPACE on hex data [MCR]
* Capture all test output (stderr too) and compare it all [MCR]
* Sanitize out calls to unreference key, as they have core address in them [MCR]
* Send printed form of ckaid, rather than binary [MCR]
* Added build-nss script to permit manual builds with libnsa [MCR]
* rereadsecret will output a copy of the whack log, asynchronously the pluto
to the same debug file, which confuses the order at times [MCR]
* Extra debugging enabled to track certificate loading [MCR]
* Make sure to (re)read secrets before looking at orientation [MCR]
* Point at moon ipsec.d for certificates, and load the secrets [MCR]
* Link the public key from the configuration file, directly to the key via
the calculated ckaid. Use the cert/ca fields in the whack message [MCR]
* Added str2pubkey, and added liboswkeys to some programs that needed it, as
well as test case for it [MCR]
* Move calculate_rsa_ckaid from secrets.c to rsapub.c [MCR]
* Added new oswkeys header file [MCR]
* Make clone_str tolerant of unsigned and signed char [MCR]
* Add buffer to keep formatted ckaid in, since it is used in many places [MCR]
* libnss specific changes to changes in the change of public/private key referencing [MCR]
* Movement of public key to be pointer causes a new leak [MCR]
* Bigpubkey test needs to point correctly at secrets file for debugging, and
cleanup of PID file needs to be done correctly [MCR]
* Re-create routine to dump private parts of key for debugging purposes [MCR]
* Restructure the secrets structure so that the public key is referenced from
the "private_key_stuff" structure, and the keys are not so tied to RSA anymore [MCR]
* Test case for using correct private key, renamed from libopenswan to liboswkeys [MCR]
* Move rfc3110->rsa key decoding to new file [MCR]
* Create new test case for parsing of RSA keys from base64 encoded rfc3110 [MCR]
* Added test case to pick signing key by public key match [MCR]
* Fix a typo in dpdaction=clear's description [Simon Deziel]
* Test case for cycles of ipsec.conf includes [MCR]
* Fixing minor typo in CHANGES [Samir Hussain
* Mark IKEv1 as disabled at compile time [MCR]
* Always build whack with debug options [MCR]
* Debian: stop depending on iproute that's just a virtual package [Simon Deziel]
* Turn off sending cert req in IKEv2 [MCR]
* Added alias aggressive= as alias for aggrmode= [MCR]
* uClibc-ng is compatible to glibc [Waldemar Brodkorb]
* when rekeying a child SA, there might be a whack_sock that needs to be tracked. [MCR]
* Update README.nss [Simon Deziel]
* More updates to unit tests for CA update [MCR]
* Make sure to use @carol, rather than just carol [MCR]
* Updated various certificates [MCR]
* Script to generate new root CA key [MCR]
* Fix the inconsistency check so that it skips the case where the address
family has not been set at all [MCR]
* Refactor the conf readwrite tests to use common driver that captures the stderr as well [MCR]
* Log the state chosen when processing received packets [MCR]
* When running make update, make sure files have been created [MCR]
* Extra trusted_ca message to be removed [MCR]
* Possible test case for rightid=%cert not working correctly [MCR]
* Added dns auth level names, print them in list of keys [MCR]
* Enable davecert test cases for rightid= vs rightcert= [MCR]
* Rename pcap output file to be consistent [MCR]
* Refactor location of pcap output file [MCR]
* Debug logging when the parent and child and rekeyed child are transitioned to a new state [MCR]
* Removed some old logic from parent SA keying, where the child looked for replaced SAs to key [MCR]
* Added argument to ipsecdoi_initiate for old parent state, distinguished from old child state [MCR]
* Use CONNNAME consistently [MCR]
* Added ct10-parent10, which generates a signature using real RSA routines [MCR]
* Record which key was used for making signatures, and which key successfully verified them [MCR]
* Update test cases for log of loading key and logging Openswan ckid [MCR]
* Added additional 4096bit key [MCR]
* Functional test case that large keys are loaded correctly through the various steps [MCR]
* Functional test case that large keys are loaded correctly through the various steps [MCR]
* Silence debugging of key load handling, but leave code in place for another day [MCR]
* Clone the keyspace to a chunk, rather than use automatic allocated keyspace [MCR]
* Log size of key received [MCR]
* Log key after it is converted from base64 [MCR]
* Use log_ckaid() to debug lowest level of whack processing [MCR]
* Create log_ckaid(), put it into oswid.c for general use [MCR]
* Mark sha2 routines as taking a const input [MCR]
* Attempt to protect pack_whack_msg against public key values which exceed the string size [MCR]
* Log key when it comes out of whack [MCR]
* Log the ckaid of the public keys being loaded [MCR]
* Add argument to change name of keyfile for additional testing [MCR]
* Loading the private key now loads the public key, and calculates the ckaid
of it, so it will be in the output [MCR]
* When testing if the public keys work, also calculate the ckaid of the key,
and display it just to be sure it was loaded correctly [MCR]
* Refactor the ckaid calculation from raw public key info, and print it as
part of loading the private key list [MCR]
* Include sha2 fingerprint of public key, show it as groups of 4 hex digits like GPG [MCR]
* Added test case for datatot / ttodata, aliases and leftsubnets [MCR]
* Added new test case to run historic ttodata regress test [MCR]
* Remove preproc check for KLIPS_MAST in order to include saref header file. [Samir Hussain]
* Add make check [Pablo Hinojosa]
* Fix bug with include mechanism for ipsec.secrets [MCR]
* Change text around debug messages to clarify intent [MCR]
* Updated with explicite endaddrfamily and clientaddrfamily [MCR]
* Move initialization of *aDd_family above end_validation, and have
end_validation use these variables properly [MCR]
* Keep track of line no of each keyword, and when logging duplicated,
print the location of values [MCR]
* Fix bug where conn address family is not filled in leading to test failure [MCR]
* Fix minor typo in the ipsec.conf template [Samir Hussain] [MCR]
* Fix pluto segfault [Roel van Meer]
* Sometimes the state gets deleted before the event fires [MCR]
* Use getline() rather than fgets() to read ipsec.secrets, so that arbitrarily
long lines can be loaded [MCR]
* Do not assume MAX_TOK_LEN can be used for filename size for ipsec.secrets
include directive [MCR]
* Added local variables for indent [MCR]
* Test with various key sizes [MCR]
* Move signature creation and verification to liboswkeys [MCR]
* Move structure to new file, consider moving selection of crypto to init too [MCR]
* Whitespace change [MCR]
* Zero the secret structure before it is used [MCR]
* Initialize keys of various sizes [MCR]
* Fixed state of child state on initiator. Fixed output to have correct child
state, and thus delete messages [MCR]
* Changed formatting of msgid in state transitions in addition: found that
st_policy in child state was not initialized properly [MCR]
* Return to putting parent SA state transitions in microcode, but explicitely
manage the parent state through the state transition code. Log both parent
and child state transitions [MCR]
* Comment about usage of libosw [MCR]
* Deal with different 'ip xfrm' output on CentOS. [Samir Hussain]
* Fix the order of some of the comments in the pluto man page. [Samir Hussain]
* Use qsort() instead of qsort_r() [Samir Hussain]
* Undefine FORTIFY_SOURCE in order to be able to compile in gentoo [Samir Hussain]
* Display # of tunnel when running 'ipsec setup --status' with IKEv2 [Samir Hussain]
* Update unit tests to deal with ipsec_setup.8 being copied over [Samir Hussain]
* Copy ipsec_setup man page into the proper man directory [Samir Hussain]
Bug fixes.
v.2.6.49.1 (February 28, 2017)
Always build whack with debug options and define IKEv1 as on
* mark IKEv1 as disabled at compile time [mcr]
* define IKEV1 as on, as we can not remove IKEv1 yet, but one piece of code anticipated it [mcr]
* always build whack with debug options [mcr]
* debian: stop depending on iproute that's just a virtual package [Simon Deziel]
v2.6.49 (August 8, 2016)
Implements the IKEv2 child rekey facility in IKEv2.
* revert "have R2 keep parent SA as md->st, and manipulate the child
SA state directly" [MCR]
* have R2 keep parent SA as md->st, and manipulate the child SA state
directly [MCR]
* use shunt_eroute, rather than eroute() to protect against attempting to
replace tunnels with shunts when deleting [MCR]
* change child final state by adjusting microcode [MCR]
* initialize the IKE version maj/min when creating state [MCR]
* explicitely set child state on responder [MCR]
* clean out some dead comments [MCR]
* added additional debug for rekey event. Delete processing now increment
message ID properly, so the numbers are higher. When no parent exists, the
child can not be deleted, so message about scanning does not occur [MCR]
* use allocate_msgid_from_parent properly when sending delete messages [MCR]
* have process_informational_ikev2 return STF_IGNORE to avoid confusing parent
state I3->I3 message, clean up some debug messages and comments [MCR]
* clear up small comment [MCR]
* log current time when indicating when next event is [MCR]
* removed stack of #if0/PATRICKXXX blocks, and reformat to fit screen [MCR]
* log reason for creating new CHILD SA (rekey) [MCR]
* do not reset PARENT SA replace timer [MCR]
* accept reply from responder, do calculations and install new IPsec SA.
No further reply is needed [MCR]
* lp47 test now validates that Nonce and KE are in fact sent [MCR]
* note that it was decryption that failed [MCR]
* the first payload in reply should always be Nonce, send it. If PFS is
enabled, then send KE. Finally, send SA and Traffic Selectors [MCR]
* if PFS is enabled, then tell tail() function so that it can send KE [MCR]
* refactor nonce sending into justship_v2Nonce [MCR]
* added additional constraints on required encrypted payloads: mistyped
Nonce (Initiator/Responder) as Notify! [MCR]
* mark failure to decrypt as such [MCR]
* take care to diagnose when a continuation is not found [MCR]
* refactor out child_notify_process, and child_validate_responder_proposal.
Complete inCR1 processing, calculating g^xy if PFS is enabled [MCR]
* in responder from child, make sure to mark packet as having a reply [MCR]
* put packet input/output debug into middle of pluto log [MCR]
* added missing description for C1_REKEY state [MCR]
* added explicit initial state microsoft code child rekey state [MCR]
* deal with compiler warnings due to new bounds checker [MCR]
* move pcap_recv_packet to per-test .c file, as per lp13, and update for
reduced debugging in setup portion [MCR]
* move pcap_recv_packet to per-test .c file, out of common code [MCR]
* transform lp13-parentI3 like lp10, such that it can take an arbitrary
number of pcap files as input; refactored for creating lp48 [MCR]
* added test case lp47 [MCR]
* added missing "in hash X" to test case [MCR]
* added run_one_continuation for use by lp47, which has to run multiple
continuations [MCR]
* run continuations, one at a time [MCR]
* updated CI1 packet [MCR]
* run two continuations in test case: one for g^y calculation, one for
g^xy calculation [MCR]
* inCI1_tail routine takes request and replies to it using child_sa_respond [MCR]
* permit child_sa_respond to be provided with the child state object [MCR]
* get rid of dead code that tried to kill empty notifications [MCR]
* accept_v2_KE and accept_v2_nonce do not return the same type, check each
properly [MCR]
* lookup state 3 for rekey debugging [MCR]
* decrypt incoming packet, having recorded the correct state [MCR]
* allow compile time directive to expand size of state table [MCR]
* make ikev2_decrypt_msg available to ikev2_child [MCR]
* guard against st still being NULL when dealing with initial handshake [MCR]
* make sure to clear list of seen payloads [MCR]
* fix ikev2_child I1 packet to have correct np for first encrypted payload [MCR]
* minor reformat [MCR]
* change silly message about IKEv2_ROOF [MCR]
* when receiving a package on responder, look up with the messageid first,
and find parent to do retransmission logic. [MCR]
* added microcode and initial processing for receiviving the CI1 packet [MCR]
* refactor accept_v2_KE from ikev2_parent [MCR]
* move SEND_*NOTIFICATION macros to ikev2.h [MCR]
* added prototypes for child CI1 states on responder [MCR]
* added forward declaration for recv_pcap [MCR]
* new test case for receiving IKEv2 CHILD rekey [MCR]
* actually send the packet once it is formed [MCR]
* rename test case, open pcap file and make sure it is closed [MCR]
* add send_packet_close() [MCR]
* renamed test case [MCR]
* IKEv2 rekey child calls the right KE, auth, encrypt and nonce functions
which have been marked as non-static from ikev2_parent [MCR]
* minor reformat and addition of positional argument names [MCR]
* use enum_name rather than explicit reference to array to find state_stories
--- english description of current state [MCR]
* t5: do rekey work [MCR]
* enable ikev2child_outC1_continue and ikev2child_outC1 and kev2child_outC1_tail [MCR]
* when deleting SAs, make sure to delete child SAs first, then parent SAs [MCR]
* added state_stories and state_name for STATE_CHILD_C1 states. Change
microcode to take CHILD SA from I3 to C1 [MCR]
* include IKEv2 states in IS_ISAKMP_SA_ESTABLISHED [MCR]
* adjustments to seams for change to ipsecdoi_initiate API [MCR]
* start duplication of ike2 child negotiation into ikev2 child rekey code [MCR]
* initial test case base for rekey experiment [MCR]
* added AFTER_CONN() call to do things after conn is established [MCR]
* split up parentI3 so that it can be reused [MCR]
* added name for new SA_DELETE event [MCR]
* move some headers to include/pluto so that they can be used in unit test seams [MCR]
v2.6.48 (June 6, 2016)
Bug fix release.
* fix leak error found by travis [MCR]
* some minor fixes to unit test cases as a result of merge and travis testing [MCR]
* Fixing compile error when HAVE_STATSD=true is set. [Samir Hussain]
* ipsec eroute connections number kept increased. [freedai]
* Update ipsec_proc.c [freedai]
* Update pfkey_v2.c [freedai]
* Providing more meaningful name to variable that will get modified via sed [Samir Hussain]
* For debian packages, we need to have a tilda (~) between version and
rc/dr in order to do proper versioning [Samir Hussain]
* Minor spelling fixes [Samir Hussain]
* Fixing issue with missing OCF symbols when trying to modprobe KLIPS on
Trusty [Samir Hussain
* convince compiler that j is never too big [MCR]
* const-ify as many spd_eroute arguments as possible [MCR]
* update some dependancy headers [MCR]
* update test case to expect AUTHENTICATION_FAILURE, rather than NO_PROPOSAL_CHOSEN [MCR]
* reject connections that have a version mismatch using AUTHENTICATION_FAILED [MCR]
* test case to check that IKEv2 is reject with a message of AUTHENTICATION_FAILED [MCR]
* verify that correct IKEv1 notify is sent when IKEv1 is disabled [MCR]
* when looking for a connection, determine if a different connection would
be returned if IKEv1/IKEv2 policy was ignored [MCR]
* permit notifications to be sent from complete_v1_state_transition even
when no state was created [MCR]
* added mytunnel-no-ikev1 [MCR]
* log number of whack messages processed to aid in debug of new unit tests [MCR]
* complain if a conn can not be found [MCR]
* missed three changes to policy dump from adding policy_clear [MCR]
* additional debug of policy, output for lset_clear policy search [MCR]
* with changes to find_host_connections2, the ikev1 packet is now properly rejected [MCR]
* find_host_connections2 now takes an lset of policies that must be clear [MCR]
* include complete_v1_state_transition when not doing IKEv1 processing [MCR]
* initialize wire_chunk_t in crypto_req using macro [MCR]
* added appropriate seams for responding to ikev1 messages, when no ikev1 permitted [MCR]
* protect against smc might be null when processing ikev1 packet [MCR]
* support receiving ikev1 messages in ikev2 receive test [MCR]
* mark include paths for headers moved to include directory [MCR]
* no-ikev1 tunnel case [MCR]
* new test case for process IKEv1 packets when only IKEv2 are expected [MCR]
* confirm output is an IKEv1 main mode init [MCR]
* move some nat-t headers to include/pluto, and permit them to be link-seamed out [MCR]
* removed main_outI1 from seam so that lp43 can use it [MCR]
* added lp43 - generate IKEv1 first packet [MCR]
v2.6.47.1 (May 10, 2016)
* guard against multiple inclusion of pluto/log.h (in order to build on CentOS) [MCR]
v2.6.47 (March 28, 2016)
Added feature to allow DNS query for external IP address of a gateway.
* Make certificate directories in correct place [MCR]
* Order of addconn and pluto is non-deterministic, so stick addconn output elsewhere [MCR]
* As a result of change to orient with family=0, this test case now binds an interface [MCR]
* With revision to permit left=%any, right=%defaultroute, and orient by
private key it is permissible to have a conn that does not specify a host
IP for "our side" [MCR]
* When looking for a matching interface, and conn family is 0, and both ends
are zero, just pick the first interface that matches on ports [MCR]
* Initial test case for loading connection with right=%defaultroute [MCR]
* Exit if connection not found, rather than core dump later [MCR]
* Clean out .o files [MCR]
* Test case on why defaultroute is not a valid IP address: discovered in
DrTaylorPlumage with ikev1-double-nat [MCR]
* Created functional test case for loading a mixed v6 in v4 conn [MCR]
* Created new test case for loading and orientating a mixed v6 in v4 conn [MCR]
* Added new keyword: endaddrfamily. renamed connaddrfamily to clientaddrfamily [MCR]
* Always look for v6 and v4 addresses in left/right=, updating the end-family
only if it was not set [MCR]
* Refactor lp07 so that it can be used by lp41 [MCR]
* Adjust build-every-rev to exit smarter [MCR]
* Permit unit test cases to cause returned addresses to be sorted [MCR]
* alg_info_ike leak is unstable [MCR]
* Some missing leaks [MCR]
* With port numbers in play, the desired_port may not be set, in which case, look for plutos port [MCR]
* Change log to indicate a match on IP, going along with match on private key [MCR]
* The NO_KERNEL interface type was originally intended for pluto functional
testing, and so it has some cruft related to not matching port numbers
against 500. This presents problems when unit testing with (fake) ports
other than 500, and so really the ignoring of port numbers should be a
seperately enabled feature, as the unit testing really needs to use the
actual NO_KERNEL interface, since it has no kernel [MCR]
* Added additional interface for port 4500 [MCR]
* Try to pick matching port when picking an interface [MCR]
* When picking an appropriate interface, make sure that the port numbers match [MCR]
* Updated test cases for logging of IP address in orient test [MCR]
* Turn off IPv6 since mock output code does not speak IPv6. [MCR]
* Bit a bit more flexible in where the address family comes from, and log the
resulting interface better [MCR]
* Fixed order of htons() and init_iface_port, and added include for inet_pton [MCR]
* Provide for optional INIT_LOADED to be called. Used in lp18 for assert [MCR]
* More extensive debug of orient() --- log which private key was found, and
also if the pick_interface was able to find an interface. Also change the
family searched for to be the (derived) value for the connection, rather
than the end [MCR]
* Provide example of how to translate enum to string for keyword_host [MCR]
* Updates to lp18 for revised debugging of orient [MCR]
* Use preformatted interface address [MCR]
* Pick an interface that matches the right family [MCR]
* Reformat comments [MCR]
* Added ip_oriented flag to indicate if orientation was bound to IP [MCR]
* Added init_iface_port to include setting of q->socktypename [MCR]
* lp31 discovered that addrtypeof, addrbytesptr and samaddr should be tolerant
of receiving a NULL [MCR]
* Changes to fmt_connection means that the nexthop for right=%any is no longer
guess/assumed or logged [MCR]
* The changes to the conn load verification for IKEv1 PSK right=%any should use
a left=%any, rather than an explicit address. [MCR]
* Change update_host_pair to return indicate of whether orient worked; as if
it did not then a different address might be in order. [MCR]
* Updates to unit test cases for socktypename addition [MCR]
* Added socknametype to iface_port structure so that socket family can easily be logged [MCR]
* Make it clear that IPHOSTNAME types are not v4 or v6, and should not
initialize the nexthop in any specific way, and should fit into the
right=%any checks for IKEv1 as well [MCR]
* Try to guess what kind of family the conn is, if the conn has a this or that
with a family set the host for the side that does not have a family to
that family [MCR]
* Try to set the address family from left or from right, if set. [MCR]
* Only diagnose an address-type mis-match if both sides are specified by a literal address [MCR]
* Check for core dumps. Write test case 2b into gdbinit file [MCR]
* Arbitrarily decide to use IPv6 ANY address when right is default route [MCR]
* Set the address type based upon which kind of address was parsed [MCR]
* Also validate that the conn is properly loaded into pluto [MCR]
* Correctly parse a site local (e.g. fec0::1) address [MCR]
* New test case to validate IPv6 site local addresses in left/right= [MCR]
* Log the string value involved in the debug of the looseenum [MCR]
* IPv6 address of cassidy.sandelman.ca actually did change [MCR]
* lp40 updated for DNS delayed rebase [MCR]
* find_ID_host_pair debug now includes dump of exact parameter [MCR]
* Check the orientations after the secrets are loaded, as
possession-of-private-key test needs private keys [MCR]
* Removed confusing comment [MCR]
* Changes to conn to be really h2h [MCR]
* Orient test which loads keys after conns [MCR]
* h2h should use host to host items [MCR]
* Added h2h and brokenspace as possible test cases for readwriteconf crash [MCR]
* Change connection list as per DNS changes to show IP address discovered [MCR]
* gcc 5.0 fixes [MCR]
* Reconciled leak of ID to fact that IDhost_pair is never freed [MCR]
* Update lp08 with proper CHILDSA_DEL name for state, after state_names added [MCR]
* Updated description to explain three unit subtests [MCR]
* There was a IDhost_pair leak, which was located, as one list was never
properly emptied as the clear_host_pair routine was incorrectly calling
the host_pair free routine when it meant to remove a connection from a list [MCR]
* Updated Makefile and explanation of how to get updated pcap file [MCR]
* Unit tests do not speak 3des-md5, modp1024 [MCR]
* Make sure the installed_time for a public key is set from regression controlled time [MCR]
* Updated parameters for test case to match files named after tests [MCR]
* A half-open, prospective_parent_sa that is in progress only gets priority
over new DNS answers, if the DNS query had an error [MCR]
* If no addresses are available from DNS yet, but there is a hint, then the
hint should be attempted [MCR]
* Protect connection_check_ddns1 against corrupt IPhp_next loops [MCR]
* Try to be smarter about when a connection is stuck: consider connections
which have never come up as well [MCR]
* Blacklist a bunch of replies for DNS lookups [MCR]
* In order to avoid DNS errors causing more DNS lookups, only do new DNS
lookups when there is a timeout --- other attempts will use additional
addresses only [MCR]
* Have adns return getaddrinfo()-style EAI errors, even for old nquery work [MCR]
* Be careful not to remove connections which were not yet added to host_pair [MCR]
* Output sanifier now removes kernel state numbers from output [MCR]
* Updated to reflect changes to debugging [MCR]
* Slight tweak to comment [MCR]
* Make sure to set the DNS list pointer upon receiving new answers [MCR]
* Guard against no connections in search routine [MCR]
* Added additional debugging to delayed DNS lookup continuation [MCR]
* Init generic CR before filling in DNS name so that qtid gets logged sanely [MCR]
* Keep track of states that are created to potentially bring up a parent SA.
This is needed to tell if there is an ongoing initiation for a delayed-DNS
effort, or if one should be made. Do not make an attempt to bring up the
conn unless the policy is set to UP. Use returned state number from the
initiate process to always get correct state in test harness [MCR]
* Make test validate that handle_adns_answer() does not cause conn to be set to UP [MCR]
* Make clean would clean up whackfile, so on reffile use, cp it to OUTPUT [MCR]
* Use return serial number to pull up correct serial number [MCR]
* Return state number for newly created states, as there is no way to
track them until they are authenticated [MCR]
* Fix lp33,lp34,lp35 to include seam_initiate, and show DNS name in status [MCR]
* Added missing test cases [MCR]
* Show ccache statistics [MCR]
* Try to do straight build first [MCR]
* Try to use ccache when building [MCR]
* Add make clean target [MCR]
* Slight adjustment to list of leaks [MCR]
* When doing DNS lookups, use the connaddr family as the hint as to what kind
of records to lookup (A vs AAAA) [MCR]
* Added seam_initiate and seam_adns appropriate to fix up tests [MCR]
* Do DNS lookup and then initiate connection [MCR]
* Whitespace changes [MCR]
* Split up sendI1 so continuation part can be called again [MCR]
* Move kick_adns_connection from dnskey to initiate [MCR]
* Reworked lp33 to include actual initiate and dns continuation code [MCR]
* Create kick_adns_connection routine so that DNS replies kick new
connections immediately [MCR]
* Copy parentI1 main code into lp33 and add aDNS steps [MCR]
* Added A and AAAA records to rr_typename [MCR]
* Remember if an end has a valid address when DNS lookups are delayed so
that we do not initiate until DNS lookups have had a chance [MCR]
* Rearranged a bunch of seam so that lp33 can import real adns code properly [MCR]
* Removed include of connections.c, use connections.o: add set of includes [MCR]
* Include seam_dnskey explicitly, as test case 33 will use real code [MCR]
* Updates after rebase [MCR]
* Add test case lp33 for dns delayed, when there is no hint [MCR]
* For unclear reasons the lookup of cassidy.sandelman.ca/KEY RR fails. Could
be due to obsolete RR? [MCR]
* Rename lp28-parentR2anychoice to lp32 to keep sequence [MCR]
* Rename lp27-IDhostpair to lp31 to keep sequence [MCR]
* Tweak lp30-dnskick [MCR]
* Tweak seam_log [MCR]
* Test pcap output now uses TESTNAME, so set it correctly [MCR]
* Clean up PID file, and create .gdbinit with arguments [MCR]
* Deal with some leaks; use stop_adns() properly to clear up children.
Make sure that ipanswers list, after sorting, is restored so that all
items get freed (affects regression testing) [MCR]
* Process each dns request before making a new one to keep order the same [MCR]
* Use sort_addr_info to canonicalize the output to deal with differences in gai.conf [MCR]
* Added make explicitly to package list [MCR]
* Use DBG_log to get consistent output [MCR]
* As structure is used as temporary, and copied, make sure to zero it first [MCR]
* Output results if failure [MCR]
* Adjust unit test cases for update_host_pair() seam. Rename lp28-dns to
lp30-dnskick, add needed canonicalization. Adjust output from moving
dump_addr_info() into pluto as it uses DBG_log() rather than printf(),
and outputs to stderr [MCR]
* Removed last vestiges of DYNAMICDNS and processing converted to IPHOSTNAME [MCR]
* Tweak adnstest [MCR]
* Process DNS getaddrinfo() replies, and attach them to continuation [MCR]
* Refactor dump_addr_info debug into seperate file [MCR]
* Cleanup leaks of addrinfo structures [MCR]
* Added test case for serialization/deserialization of addrinfo [MCR]
* Basic test case for looking up KEY RR; one success, one failure [MCR]
* Use standard openswan_log() for messages rather than syslog() [MCR]
* Make it easy to generate cpp processed files for inspection [MCR]
* Added new utility strtochunk() [MCR]
* Created adnstest case to validate operation of dnskey.c and adns.c [MCR]
* Small refactor of start_adns_query so that it can accept things other than struct id [MCR]
* Initial test case for dnslookups [MCR]
* Adjust comments on functions [MCR]
* Updated trace with IP address in hint [MCR]
* Do not include EF unless defined [MCR]
* Added seam for kick_adns_connection_lookup [MCR]
* Include gdb instructions for testing pluto [MCR]
* _pluto_adns is no longer seperate executable [MCR]
* Change definition of progname to const [MCR]
* Moved init_adns() call earlier, and make sure it exits properly [MCR]
* Make certificate directories; removed --adns path argument from help [MCR]
* Move test for SAref and SAbind into kernel.c [MCR]
* Added setproctitle() [from BSD licensed sendmail via pppd] and use it rather
than global_argv hack. Use setproctitle() in adns sub-process [MCR]
* Create dummy kick_adns_connection [MCR]
* _pluto_adns is no longer a seperate program, but is part of the pluto
executable, forked out for use. This makes it much easier for embedded
systems to have a sane (if simple) async DNS resolver. Future work will
switch to c-ares This patch also includes changing progname to a const
globally [MCR]
* Move whack out of pluto directory [MCR]
* Removed DYNAMIC DNS from whack client [MCR]
* Added lp27 to test list [MCR]
* Do not show hostname string if the host_type is IP address [MCR]
* Comment out I9 [MCR]
* Switch update order to make it run update1 first [MCR]
* Fix up lp06 test case to work [MCR]
* Remove LWRES support --- it broke awhile ago [MCR]
* Force ikev2 [MCR]
* If nexthop is invalid, then do not show it [MCR]
* Ipsecconf already included the hostname into a string, but now it needs
to include the hint as well. This code plus test cases probably produces
a whack file with the correct hint [MCR]
* Fix emacs variables [MCR]
* Gdb init for test case [MCR]
* Refactor lp02-parentI1, so it can be reused by lp27 [MCR]
* Obsolete is a qualifier for a keyword, not a type of keyword [MCR]
* Add functional/06 test case [MCR]
* Removed redundant kw_list->string member [MCR]
* Added processing of new loose_enum_arg type, added %dns and test it out
in a functional test [MCR]
* Figure out left/right-ness of keyword so that it can be logged better in errors [MCR]
* Added loose_enumarg processing [MCR]
* When setup properly, the h2hR2 test case works fine: just needs to have actual keys [MCR]
* Use parker end-point and parker secrets [MCR]
* h2h R2 packet processing - broken [MCR]
* Make output file parameterized by testname [MCR]
* h2h I2 packet processing [MCR]
* Make lp10 a template test case [MCR]
* Make output file parameterized by testname [MCR]
* h2h R1 packet processing [MCR]
* Process arguments more carefully [MCR]
* Added test case for h2h I1 [MCR]
v2.6.46 (January 22, 2016)
* Properly add IKESA_DEL state: added to state_names,
and create new event to delete the state after a timeout with no reply [MCR]
* When finding ID match with wildcard, bind tighter to exact matches [MCR]
* Split up same_id into same_id(wildcards) and same_exact_id(no wildcards) [MCR]
* When checking orientation, log result, and also reconnect to IDhostpair [MCR]
* Fix IP/ID free functions to clear a connection from the pairs
and then properly free the HP structure themselves [MCR]
* Log IDhost pair header values, not ones from the first connection [MCR]
* Some formatting tweaks to hostpair_list to make it easier to understand [MCR]
* Added listhostpairs option, fixed listevents description [MCR]
* The clear_IDhost_pair routine was complaining in list_rm()
as a result of an instance being created/copied from the parent, without
clearing the IDhost_pair link [MCR]
* Use SHA1_DIGEST_SIZE rather than incorrect sizeof() [MCR]
* Protected ietf_constants.h against multiple inclusion [MCR]
* Some code was duplicated due to refactoring that was backported: list_rm moved to hostpair.h [MCR]
* TIME_UTC is also defined in /usr/include/time.h, so pick a better name [MCR]
* GCC 5.0 complains about use of !same_chunk() because expansion of macro leaves it confused. Add () [MCR]
* Protect list_rm against ehead being null [MCR]
* Remove cleanup of IDhostpair links to hostpair.c,
and protect against the connection having never been on an ID hostpair [MCR]
* Fixed problem in check_connection_end where wrong end was tested for [MCR]
* As SPD Route may be manipulated before being erouted, the resulting eroute_owner setting is no longer propogated back into the connection
this patch sets all SPD routes which do not have other owners to this eroute [MCR]
* Log eroute operations more concisely, do it after they succeed/fail [MCR]
* Better logging of eroute_owner [MCR]
* Refactor show_connection_status so that it can use loglog or whacklog for output
moved log.h to pluto/log.h as unit test cases will need it [MCR]
* Log current date when processing events [MCR]
* Looks like a copy and paste error has lingered in the sourceip processing, causing the parser
to whomp on the nexthop if the sourceip is set [MCR]
* Log address inconsistencies with names rather than numbers [MCR]
* The address family determined by the outer addresses (right/left/nexthop) should not override address family
for inner items (rightsubnet/sourceip) [MCR]
* Fixed find_host_pair so that it finds right=%any matches correctly [MCR]
* Change listing to give IP/ID type on every bucket [MCR]
* Added option to readwriteconf to load all conns marked add/route/up [MCR]
* Document --listhostpairs debug option [MCR]
* Possible fix for IKEv2 issues when built with libnss [MCR]
* Return proper IKEv2 Notify when authentication fails due to wrong ID [MCR]
* Make sure that host_type is initialized [MCR]
* Take care of deleting IDhostpair when connection is deleted [MCR]
* Use IDhost_pair list to find appropriate conn by ID [MCR]
* Added IDhostpair support [MCR]
* Initial work on creating a hostpair list by ID [MCR]
* Added listing of hostpairs to available whack debugs [MCR]
* INVALID_MSGID becomes -1 on 32-bit, but not on 64, so translate it better [MCR]
* Rename host_pair to IPhost_pair in preperation to adding IDhost_pair [MCR]
* Remove file that was accidentally committed [Simon Deziel]
* Debian: update patch list file [Simon Deziel]
* Debian: bump standards version to 3.9.6 (no change required) [Simon Deziel]
* Debian: drop dpatch (obsolete) [Simon Deziel]
* Split up IKEv2 RSA verification into nss and non-nss versions [MCR]
* Move try_RSA_signature_v1 to seperate file [MCR]
* When loading conn, process alsoflip= as well [MCR]
* Refactor also processing so it can be applied to alsoflip [MCR]
* Fixing minor typo and spelling mistakes. [Samir Hussain]
* Refactor whack_listen processing to seperate function for unit testing
Added called to check_orientations() after discovery of new interfaces [MCR]
* Log the connection name for each IPhostpair that is being compared to [MCR]
* lp24-certreply dave discovered that find_host_pair was still wrong.
Rewrote find_host_pair again to with bestpair mechanism to get it right [MCR]
* Updating man page in order to remove manual option from auto keyword
(it is no longer supported) [Samir Hussain]
v2.6.45 (August 27, 2015)
This release fixes CVE-2015-3240 (IKE DoS)
* Minor compile tweaks that were missed at cottage [MCR]
* Possible fix for CVE-2015-3240: if KE payload is 0, then
exponentiation fails, tripping a passert for nss [MCR]
v2.6.44 (August 13, 2015)
Massive bug patch and IKEv2 processing fixes by MCR
* Potential fix for #4285 - make sure kernel.c uses correct destination for outgoing SPD when responding to an initiator/32 [MCR]
* Change negotiated tunnel message to be clearer with IPv6 addresses [MCR]
* Using short notation, using GNUmakefile notdir, and making sure that $< will
reference the right file by making explicit %.c->%.o rule. [Jason]
* Show the connection name when the state is found, provide a way to nicely dump a single state to debug log [MCR]
* Change find_host_pair so that it knows if it is creating a new host pair, as host pairs that have right=%any will always match [MCR]
* Tweak CA business so that correct CA is loaded, it is referenced correctly, the correct ID is used to lookup the CA [MCR]
* Make sure that certificate file name is properly terminated [MCR]
* Use a mcro to set SIN_LEN [MCR]
* Added st_peer_id to store decode ID from inside I2 message [MCR]
* Added fmt_connection_inst_name [MCR]
* Add additional way to orient: me defaultroute with other end not having private key [MCR]
* Make passing pass_prompt_t into key loading function officially optional [MCR]
* Cope with a NULL prompt_pass, make something up to store passphrase if necessary [MCR]
* Adopted some kernel_netkey.c fixes from libreswan, and added some debug of port numbers [MCR]
* Reset the remote port number to 0, as lack of client should indicate lack of port numbers (XXX maybe not) [MCR]
* rw_instantiate needs to take remote address from state [MCR]
* Simplify evaluation of when we need to instantiate templates: all conns that
are templates should be instantiated [MCR]
* Log why connection was marked as a template [MCR]
* Added explicit struct end that to ipsec installation to deal with rightsubnet=%self situation [MCR]
* find_client_connection can use endclient too [MCR]
* Note better when find_host_pair() is done [MCR]
* Replace series of our_net/peer_net + protocol/port arguments with struct end. [MCR]
* Use endclienttot() to format things in more places [MCR]
* Use endclienttot() to print fc_try debug [MCR]
* Added enddclienttot() function to format end->client, taking into account that the host_type might be %any [MCR]
* Need to set send_whack_msg to a value even if ctlbase is going to default [MCR]
* Log when there is no send_whack_msg function [MCR]
* Do not even try to use libnss for certain non-critical PEM related 3DES operations [MCR]
* Make sure that st_localaddr and st_localport is setup based upon where we observe traffic to flow
this information is used when has_client=0, and we are really proposing a conn for self. [MCR]
* If end has no client, then set end to appropriate value from state [MCR]
* Correctly return no proposal chosen when the initiator suggests 0.0.0.0->0.0.0.0,
which previously matched encoding for %any [MCR]
* When IKEv2 has right=%any, the remote address and port needs to be recorded into the state [MCR]
* Use macro for -lefence so that it can be globablly turned off [MCR]
* Write record number in debug output from readwriteconf [MCR]
* Send public keys before policy [MCR]
* Eliminate some testing specific code in readwriteconf that duplicated code from starterwhack.c [MCR]
* Orient should be able to consider an end local if a private key is present for the public key indicated [MCR]
* Orientation now takes into account which end has a private key (if no interface IP
address could determine orientation) [MCR]
* Split nss and non-nss signature routines [MCR]
* Explain liboswkeys library [MCR]
* Explain libpluto [MCR]
* Make connection loading description a bit prettier [MCR]
* Module mis-named, got an i in front of af_key [MCR]
* Clean up orient info -- debug only [MCR]
* Warn about FIPS mode only once [MCR]
* libnss brings in some additional libraries that reveals that rsasigkey does not have exit_tool() defined [MCR]
* Use NSS_LIBS and FIPS_LIBS defines properly [MCR]
* Split off nss function to make files simpler to read [MCR]
* Sort out LIBNSS nonsense in rsasigkey [MCR]
* Mark rhel builds as using LIBNSS.
remove build_klips parts -- they are unmaintained on rhel7 [MCR]
* Make ikeping diagnostics saner, and show help rather than aborting [MCR]
* Update IPSECBASEVERSION in Makefile.ver for packagingprep target (simon)
* Make ikeping diagnostics saner, and show help rather than aborting [MCR]
* Clarify that whack_magic mismatch has nothing to do with klips [MCR]
* Permit debug-netkey to be alias for debug-klips as well debug-xfrm [MCR]
* Log the version that is placed into the version file [MCR]
* Mark some SPD/SA creation code as debug [MCR]
* Remove extensive but useless satype processing from netlink_raw_eroute [MCR]
* Added state to eroute_connection so that peer address can be taken from there [MCR]
* Just because right=%any, does not mean that it is a template [MCR]
* Simplify the kernel SA add code to use src/dst where appropriate, and src_client/dst_client properly [MCR]
* Updated natt port handling to pull from parent_st. [MCR]
* Found potentially dead code in update_ipsec_sa() [MCR]
* Log src/dst after it is inbound/outbound set [MCR]
* Take IPsec SA end points from state rather than from policy [MCR]
* Pass parent state down in IPsec SA creation routines so that an accurate st_localaddr/st_remoteaddr is available.
Note should also add port numbers --- IKEv2 NAT work is probably still open [MCR]
* Some debug of setup_half_ipsec_sa [MCR]
* SA src/dst is not a subnet, but an address, so use appropriate structure [MCR]
* Log algorithm lookup in KLIPS debug, and also IP address pairs of endpoint [MCR]
* When responding in an error condition, keep the state around awhile
in case there is a retransmit; but eventually remove it [MCR]
* Always collect other peers SPI value, we need it. With this change, the spi=0000000 problem goes away [MCR]
* Moved detection that responder has sent multiple proposals outside of block that matches them [MCR]
* Role can never change in ikev2parent_inR2, it is always the initiator [MCR]
* Added progress debug to setup_half_ipsec_sa so errors from kernel make more sense [MCR]
* Removed role parameter from emit_ts, and move next_payload calculation to parent [MCR]
* Removed note about duplicate_state --- state duplication occurs in ike_child_sa_respond [MCR]
* Defend ikev2_encrypt_msg against possible bad inputs; might come from ikev2_delete_out [MCR]
* Make code associated with being a responder not optional [MCR]
* Removed role parameter from ike_child_sa_respond, as it never is called by initiator [MCR]
* Set crypto importance once SA has been validated [MCR]
* Log state numbers better, and log SPI# in network order [MCR]
* Do not log a NAT change on first packet [MCR]
* Log the msgid for parent and child IKEv2 SAs [MCR]
* Added some notes about when parent state is relevant and when child is needed [MCR]
* Try to log better in setup_half_ipsec_sa() so that errors are more easily associated [MCR]
* R2 message was not being accepted because msgid replay counter
was being compared on child SA, rather than parent [MCR]
* Do not log NAT port changes if original address is 0.0.0.0 [MCR]
* Import libreswan (2bc8abe3) netlink fixes [MCR]
* Make sigusr1 handler static [MCR]
* Added DEBUG_WITH_PAUSE to keep pluto from running away with retransmits
when developer is thinking after a failure [MCR]
* Adopt a bunch of IKE algorithm definitions, and attempt to
find and quiet source of duplicate algorithm entries [MCR]
* Refactor ESP creation into new function for readability [MCR]
* Pluto now accepts SIGUSR1: this presently does nothing (crypto subprocesses ignore it)
it can be used with DEBUG_WITH_PAUSE to "single step" pluto interactions which are going
too fast to figure manually inspect.
In particular, one can do "ipsec whack --status" on the peer before letting the processing
proceed. [MCR]
* Note in logs when parentSA is considered good [MCR]
* Disentangle LIBNSS and non-LIBNSS code [MCR]
* Convert some uses of whack_log to loglog() so that they go into system log too! [MCR]
* Log the IKE version in state, and if v2-parent, log the msgid counters [MCR]
* State_hash now returns the bucket number, which can aid in certain kinds of debugging [MCR]
* Some minor comments about msgid processing
make sure that if the msgid is too large or cookies do not match, that no further processing occurs [MCR]
* Gave all the IKEv2 state microcodes a human readable name [MCR]
* Found problems with mis-initialized st_msgid_nextuse, created new routing to allocate them from parent [MCR]
* Added record of IKE maj/min version to state structure.
Collect it in into the msgdigest, and insert into stats on receive/create-state, and initialize
it when initiating. [MCR]
* Found error in starter_whack_add_pubkey that resulted in public keys not loaded. This was
introduced in commit: 0783e455 by mcr (me!) [MCR]
* Improve documentation of starter_whack_build_pkmsg [MCR]
* Set LOOSE_ENUM_OTHER values appropriate, and debug the result if desired [MCR]
* Parser_loose_enum used to return explicit "255", which matches LOOSE_ENUM_OTHER
as a value. But instead put the appropriate value into the keyword_def structure.
* Not only is this more flexible, but it is much easier to understand [MCR]
* Mark keyword_name() arg0 as const [MCR]
* Adjust ikev1 for new find_host_connection ANY that takes histype [MCR]
* Added KH_IPADDR to list of host type keywords [MCR]
* Added histype to find_connection functions [MCR]
* Some initial changes to put %any processing into host_pair code [MCR]
* Log host type of remote side of conn in host_pair [MCR]
* Changes to link order cause liboswlog to be properly linked in; this requires exit_tool
and progname to be setup properly [MCR]
* Import TS checking/narrowing code from libreswan into ikev2parent_inR2 [MCR]
* Changed SEND_NOTIFICATION to SEND_V2_NOTIFICATION, from libreswan [MCR]
* Ikev2_log_parentSA should be used on initiator and responder.
It is a good candidate for a function that could be omitted when memory is tight [MCR]
* Ikev2_process_payloads is wrong for processing and encrypted payload, do it inline [MCR]
* Make sure that event is always deleted on free_state [MCR]
* Added counter for number of retransmissions from responder seen [MCR]
* Repeated payload problem fixed [MCR]
* Notification should go to whack log, with appropriate value
make sure to set the current state, and remove debugging of payloads seen [MCR]
* Create a way to run parentI1 with calculations so that they can be saved (does not work yet) [MCR]
* Always include RFC5144 groups, no more ifdef [MCR]
* Split libnss code from non-libnss for better clarity [MCR]
outR1 could well assign the header msgID from the initiator's messageID,
but since the I1 messageID is defined to be zero, it should all be the same.
The messageID is sequence in IKEv2, but in IKEv1, it's opaque, so handle htonl() here. [MCR]
* Processing of v2N_INVALID_KE_PAYLOAD notify [MCR]
* Now picks correct state when notify is seen [MCR]
* ikeI1 state to deal with respondering sending a notify [MCR]
* Add target to make assembly for examining underlying causes [MCR]
* Do not delete state immediately, mark it as waiting to delete [MCR]
* Permit the RHEL7 spec file to also build on RHEL6.5. xmlto otherwise can not resolve dependancy
for lynx vs elinks. RHEL7 does not seem to have lynx [MCR]
* Change log of state deletion to not be a debug, log state name too (idea from libreswan) [MCR]
* Move spd formatting routines to library [MCR]
* Split orient() function into new file so it can be tested [MCR]
* When processing conf files, a missing right=/left= should cause an error and the conn should not be loaded [MCR]
* Move orient function to libpluto.
Pass it the pluto_port number to use, rather than reference a global [MCR]
* Change pluto_port -> pluto_port500,
introduce pluto_port4500. Make setting the pluto_port also set the NAT traversal port to +4000 of it.
Do not hard code the port 4500, use IETF name for port 4500 [MCR]
* New function: ikev2parent_outI1_withstate permits IKEv2 to start with some state [MCR]
* Refactor pubkey addition process, add this to whack write [MCR]
* Include option to create whack files from loaded conns [MCR]
* Refactor serialization of whack message to reuse in readwriteconf [MCR]
* Return count of messages read so that failures can more easily be diagnosed [MCR]
* Move whack msg write functions to libpluto [MCR]
* Make sure that the --secctx_attr_value is always accepted, and if appropriate, ignored [MCR]
* Permit an explicit nhelpers=-1 [MCR]
* Added family2str to decode AF_INET/AF_INET6 nicely [MCR]
* Moved defs.h to include/pluto/defs.h, so change the include slightly [MCR]
* Change some more variables to LIBFOO from FOOLIB [MCR]
* A batch of libreswan configuration code was ported as it was noticed that there was some
mix of strdup/clone_str already.
Some keywords were imported, many were not yet imported. The code is formatted vastly differently [MCR]
* Refactor key building whack message processing [MCR]
v2.6.43 (March 13, 2015)
Bugfixes and Certificate handling improvements
* Sign_hash was not being compiled when libnss was unset [MCR]
* Modifications to sign_hash_nss [MCR]
* Change order of functions to avoid forward declaration [MCR]
* Silence some warnings when building with LIBNSS [MCR]
* Modifications to decrypt_sig to help with nsscert test case [MCR]
* Added dhr-style shortcuts to constants.h [MCR]
* Added IOD for SHA224_WITH_RSA, renegerated oid.h and oid.c [MCR]
* Be more careful about examining dsig when digest is not successfully extracted [MCR]
* Tweaks to get LIBNSS defines into the right place [MCR]
* Allow unit tests to set a fake time [MCR]
* Added V=1 flag to turn off concise builds [MCR]
* Move ocsp.c into liboswkeys [MCR]
* Move rnd.h header so that ocsp.c will compile [MCR]
* Move list_ocsp routines to x509.c, as those routines are tied too closely to pluto [MCR]
* Fix GCC->CC macro so that make depend works [MCR]
* Whitespace changes in Makefiles [MCR]
* Create new liboswkeys and move liboswlog to separate directory [MCR]
* Rename FOOLIB variables -> LIBFOO [MCR]
* Be less verbose when building; especially do not emit paths that would screw up regression builds. [MCR]
* Added NULL argument for labelled IPsec support [MCR]
* Remove build dependancy upon bind-devel, as USE_LWRES= is not true anymore [MCR]
* RHEL7 spec file [MCR]
* Tweak IP_SELECT_IDENT_NEW for kernel 3.2: must have gotten lost [MCR]
* Ubuntu has backported some code to 3.13, so use correct select code [MCR]
* KLIPS patches for kernel 3.18 [MCR]
* Use a more KLIPS-y way to detect if KLIPS is loaded; not ancient pfkey interface [MCR]
* While the uid and pid types changes for namespace support since 3.12,
rather than fix that, KLIPS really does not need to know the PID at all. [MCR]
* Compile out the pfkey /proc interfaces; they provide no value [MCR]
* Use IP_SELECT_IDENT_NEW for kernel 3.12 series [MCR]
* Replace the ipsec_proc interface with seq based interfaces [MCR]
* Patch to work with Linux 3.11,3.15 [MCR]
* Ripped out --show and --showonly, and awk processing of ipsec auto --up [MCR]
* Cleaned up much ugliness (ifdefed argument lists) due to HAVE_LABELED_IPSEC [MCR]
* When a connection is deleted, log if the whack is open for the state [MCR]
* Get rid of compiler/printf warning on size of pointer [MCR]
* Append .ctl to socket name as whack does [MCR]
* Tweaks to whack message format: make it more resistant to 32/64-bit differences [MCR]
* Make whack magic values more clearly 32-bit [MCR]
* Removed kernel 24 build code [MCR]
* Clarify whack magic to be dependant upon size of pointer [MCR]
* Flush whackrecord on each write [MCR]
* Whackstoprecord option should not require an argument [MCR]
* When whack record is on, output debugging [MCR]
* Tweaks to whack message format: make it more resistant to 32/64-bit differences [MCR]
* Do not make whack message depend upon an ifdef [MCR]
* Move resolv_myid from pluto into libopenswan, but remove it from liboswlog, which is for non-pluto pieces only [MCR]
* If nexthop is not set, then it ddefaults to %defaultroute, otherwise left=%defaultroute does not work [MCR]
* Add check for bison/flex [MCR]
* Some minor enhancements to newhostkey to use /dev/urandom by default, and fill in the
debian place for ipsec.secrets.inc if it exists, but is zero [MCR]
* Do not install development man pages on target system by default [MCR]
* Re-organize, and enable obsolete keywords to be processed [MCR]
* Change USER* for USER*EXTRA [MCR]
* Removed unused tsc variable [MCR]
* Change //-comments that change code flow into #if 0 instead [MCR]
* More changes to addrbytesptr() rework [MCR]
* Removed dead function: ikev2_narrow_instantiate [MCR]
* 32-bit,64-bit issues with printf [MCR]
* Try to deal with -Wqual-cast/-Werror issues: addrbytesptr() should perhaps not be promising const-ness on ptr [MCR]
* NAT-T: new style uses setsockopt and old (KLIPS-only) uses ioctl [Simon Deziel]
* Use pidof instead of ps -C in _realsetup as the former is guarantied to
be available even on minimal installs. Closes Debian bug #719126. [Simon Deziel]
* Update README to include dependencies for RH-based distros [Simon Deziel]
* Added SSL roadwarrior configuration [Renzo Dani]