Releases: xelerance/Openswan
Releases · xelerance/Openswan
v3.0.0 (January 22, 2021)
Crypto modernization
* Update ipsec.conf.5 man page [Samir Hussain]
* wo#11022: extrapolate_v1_from_v2 wasn't sending all transforms [Martin Hicks]
* Fix mapping PRF to hasher in the pluto helper [Martin Hicks]
* Add v2tov1_prf() to convert IKEv2 prf functions into OAKLEY_* hash identifiers [Martin Hicks]
* Update lp177 due to changes in parentM1.pcap and parentM3.pcap [Martin Hicks]
* wo#10966: Update lp178 to fail with NO_PROPOSAL_CHOSEN [Martin Hicks]
* wo#10966: ikev1: Enforce local policy for selection of ESP proposal [Martin Hicks]
* rework IKEv1 w/NAT test cases with MODP2048 policy for IKE= [MCR]
* SAMPLEDIR always has trailing slash [MCR]
* wo#10966: ikev1: Enforce local policy for selection of IKE proposal [Martin Hicks]
* set default phase1 proposal if none set [MCR]
* Print keylength in child proposal debug messages [Martin Hicks]
* wo#10964: Fix printing of IKE algorithm info in `ipsec status` [Martin Hicks]
* Fix printing of IKEv2 Integ names in ipsec status [Martin Hicks]
* restrict the memcpy length to size of target, redundant with passert(), but
compiler does not know that [MCR]
* rename some duplicate test numbers [MCR]
* wo#10850: Add NULL cipher to the ikev2 to ikev1 ESP encryption mapping [Martin Hicks]
* Don't attempt to convert proposals to IKEv1 if disabled for this connection [Martin Hicks]
* Allow 'make pcapupdate update' in tests/unit/libalgoparse [Martin Hicks]
* wo#10844: Fix mapping ESP auth identifiers from ikev1 to ikev2 [Martin Hicks]
* wo#10876: Properly translate key length attributes into ikev1 proposals [Martin Hicks]
* github#541: Fix segfault when rekeying child SA with no parent [Martin Hicks]
* pluto: add ALLOW_MICROSOFT_BAD_PROPOSAL for self-proposals [Emil Velikov]
* wo#10594: Fix printing of spdb AUTH attribute string [Martin Hicks]
* wo#10594: ikev1: Fix ESP proposal AUTH identifier [Martin Hicks]
* wo#10625: ikev2: Properly close pbs after processing child SA proposal [Martin Hicks]
* wo#10625: Use default keysize if none is specified in the default phase2alg [Martin Hicks]
* wo#10537: ikev2: Loop through multiple local proposal options [Martin Hicks]
* wo#10631: ikev2: Set default ESP ealg keylen if not provided [Martin Hicks]
* wo#10596: Propose disabled Extended Sequence Numbers for ESP [Martin Hicks]
* wo#10596: Do not send Key Length proposal attribute for aalgs [Martin Hicks]
* wo#10596: Add default IKE encryption alg key sizes [Martin Hicks]
* Fix spelling in log messages and related QA test output changes [Martin Hicks]
* Fix looping comments [Martin Hicks]
* wo#10527: Use cert issuer CA if none is specified [Martin Hicks]
* wo#10508: ikev2_decode_cert(): Attach keys to parent state [Martin Hicks]
* wo#10507: Use the IKEv2 algorithm ID to look up the hasher [Martin Hicks]
* Make V=1 work for more directories during 'make programs' [Martin Hicks]
* Fix too small buffer for algorithm name information [Martin Hicks]
* Fix up XML for new ike section of ipsec.conf manual [Martin Hicks]
* Unit test updates to deal with 2.6.52dev merge [Martin Hicks]
* Fix unresolved symbols in cr01-aes128 [Martin Hicks]
* 01-confread: Update to ipv6-inconsistent test [Martin Hicks]
* wo#7566 . update man page for ike= and phase2alg= [MCR]
* make fallthrough markings work with pre and post gcc-7 [MCR]
* for IKEv1 operations, translate IKEv2 policy values. For IKEv2, use them directly [MCR]
* ask for IKEv2 hash/integ routines [MCR]
* split up IKEv1 and IKEv2 hash/prf number space when talking to helpers [MCR]
* clear up labels for memory leak tracker, and update unit test cases results
for memory leaks [MCR]
* always build with efence and leak detective [MCR]
* provide for detailed tracing of allocation/free in case of extreme debug need [MCR]
* clear pc->props when it is freed [MCR]
* mark fall throughs in switch statment to get rid of compiler warning [MCR]
* document how valueaux is used by AES keyword-enum parser [MCR]
* added copyright and protection ifdef for ikev1.h and ikev2.h [MCR]
* free oakley_sa if out_sa() failed [MCR]
* guard against failing call to allocate_RSA_public_key [MCR]
* ignore output of failed steps [MCR]
* shorten fakecheck to deal with compiler warning [MCR]
* change argument to char **const [MCR]
* eliminate kernel_alg_esp_sadb_aalg() in favour of kernel_alg_esp_auth_byikev2() [MCR]
* do not initialize alg_info, it is never used [MCR]
* rename algo_id to ikev1_algo_id [MCR]
* reviewed all headers for #ifdef nested inclusions [MCR]
* t7257 - refactored db2_prop_init() to test inputs before allocation,
cleanup exit unrolling [Bart Trojanowski]
* t7257 - comment about indexing [Bart Trojanowski]
* t7257 - cleanup indents [Bart Trojanowski]
* t7257 - missing header, preserve const in enum_and_keyword_names [Bart Trojanowski]
* t7257 - cleanup docs/UNITTESTING.md formatting [Bart Trojanowski]
* updates to tests after adding vendor ID sanity to lp13 and friends [MCR]
* some updates after pcapupdate [MCR]
* added ike= to functional and other updates [MCR]
* updated test 18 for LIBNSS version [MCR]
* updated test cases with additional RW configs [MCR]
* sanity for other variations of VendorID [MCR]
* introduce some additional debugging options [MCR]
* updates seams and pcap files [MCR]
* added MORE_DEBUGGING option to lp12-R2 test cases [MCR]
* final renames of output->output1 [MCR]
* enabled test cases in Makefile, build SEQUENCE file [MCR]
* updated pcap files [MCR]
* move init_pluto_vendorid to vendor.c [MCR]
* removed unwanted IPsec policy check [MCR]
* extraenous set_suspended(NULL) removed as per 2.6.52 [MCR]
* wo#7257 . update policy for 3des-md5 [MCR]
* wo#7257 . update policy to sha256 [MCR]
* wo#7554 . clarify debugging of key lengths [MCR]
* wo#7257 . update logging to show correct algorithm output [MCR]
* added ikev1-NAT traversal sequence [MCR]
* added additional sequences [MCR]
* wo#7257 . ignore unknown vendor ID, and remove self-recognition,
since pcap files may be older than current version [MCR]
* removed redundant input file logging [MCR]
* do not put pointer in debug message [MCR]
* updated ikev1 basic sequence [MCR]
* enable vendorID for NAT-T [MCR]
* added additional vendor ID pattern [MCR]
* updated tests with new policy, and added local pcap files [MCR]
* updated tests with new policy [MCR]
* sanify included by default and it removes vendor ID differences now [MCR]
* bring in changes to crypto fake out from algo-rebased [MCR]
* log arguments better, and set WHACKFILE is not set [MCR]
* include sanity.sed for vendor ID sanitization [MCR]
* set WHACKFILE is not already set [MCR]
* move to consistently use ${UNITTEST1ARGS} [MCR]
* additional integ algorithms added [MCR]
* updated packet trace with new length [MCR]
* additional logging for instantiation of policy [MCR]
* added empty packet trace [MCR]
* clean out PID file [MCR]
* updated policy type [MCR]
* register new algorithms, show keys, working [MCR]
* add explicit zero value for connection_kind, to distinguish value never set [MCR]
* removed ikev2_acceptable_group, as it is not used [MCR]
* compilation fixes for libopenswan [MCR]
* updates due to loading of CKAID [MCR]
* check for and report if there are core dumps [MCR]
* reintroduce ipsec.secrets logging [MCR]
* updated test case with revised certificates from samples, replace sun with dave [MCR]
* updates so that TLV structure is now correctly parsed [MCR]
* updates to packet.c to remove inclusion of AF_TV in definition of header [MCR]
* correct error in output file when splitting up test case [MCR]
* include keymgmt.o into all tests as orient() needs private key info [MCR]
* introduce programs: target to lp14 [MCR]
* correct SAMPLEDIR to have trailing / [MCR]
* updated for correct registration of SHA1 and MD5 PRF [MCR]
* update many test cases for PRFs SHA1 and MD5 [MCR]
* fix algorithm type of PRF-SHA1 and PRF-MD5 [MCR]
* removed dead spdb database [MCR]
* log which algorithms were searched for, and if they were found [MCR]
* move to per-state lists of keys move to per-state lists of CAs [MCR]
* instantiate some buffers so that we can log situation where peer proposes
other than self [MCR]
* bring some small changes to debugging of default_end() and fc_try() [MCR]
* just include openswan.h [MCR]
* add end_type_name printer [MCR]
* include constants.h it is needed [MCR]
* wrap oswcrypto.h against multiple inclusion [MCR]
* some include file parser issues solved [MCR]
* added ikev1 settings for keyexchange values [MCR]
* clear out some remaining ikev1 cruft [MCR]
* removed openswan.h from linux kernel code [MCR]
* rename algorithms to not have leading AUTH_ [MCR]
* removed LABELLED_IPSEC, and a bunch of dead code [MCR]
* enable the integ and prf algorithm checks [MCR]
* removed ikev1_alg from library, as it should no longer be needed [MCR]
* deal with off-by-one error in growth logic for db2_trans [MCR]
* removed dead test case [MCR]
* xformmock unit tests now compile correctly [MCR]
* make the crypto unit tests compile quietly by default [MCR]
* added notes about unit testing [MCR]
* whitespace changes, and remote .ei, and change st_orig->st_ikev2_orig_initiator [MCR]
* always use EXTRAOBJS to get linker order correct [MCR]
* removed db_ops and spdb.o and spdb_print.o from link list [MCR]
* prefer EXTRAOBJS for object files [MCR]
* wo#6269 . generate db2 IKEv2 algorithm structure from alg_info structure [MCR]
* remove series of #ifdef KERNEL_ALG [MCR]
* wo#6269 . split up kernel.c so that init_kernel() and references to kernel
types is in a single file [MCR]
* wo#6269 . update dependancies now that kernel_forces.c exists [MCR]
* wo#6269 . split up kernel_netlink.c into low-level netlink routines and
higher level "forces" routines [MCR]
* ikev2crypto unit test refactoring [MCR]
* removed errant keys.o object file [MCR]
* import test case from rebase branch [MCR]
* rename recv_pcap_packet -> recv_pcap_packet_with_ke [MCR]
* added keys.o, remove signatures.o so that ct02 will compile [MCR]
* bring in alice config [MCR]
* added db2 operations [MCR]
* remove programs/pluto/ike_alg.c, and translate calls to those that
libalgoparse supports move sha2 routines and ike init to libsha2, split off
NSS implementation [MCR]
* change #include to reflect ike_alg.h -> pluto/ike_alg.h, so that unit
tests compile also change kernel.h and plutoalg.h for move to include/pluto [MCR]
* introduce libalgoparse library get pluto that compiles: massive changes
to use libalgoparse [MCR]
* transform many IETF constants to defines remove some dead code, and keep
definition for ike_alg_prf_present for now [MCR]
* bring in t7257 test cases from libpluto [MCR]
* wo#8784 - update unit test results, removing padding [Bart Trojanowski]
* ignore core files [MCR]
* not ready for libalgoparse and policy unit tests yet [MCR]
* fix libalgo unit test libraries [MCR]
* update hexdump() interface [MCR]
* disable many tests that are missing or core dump [MCR]
* turn off unit test cases that require fixed algorithm code [MCR]
* added SAMPLEDIR= setting [MCR]
* updates to unit tests for algorithm additions [MCR]
* attempt to rework ikev2_parse_parent_sa_body with IKEv1 values [MCR]
* removed ike_alg.o and added missing object files after re-org [MCR]
* updates to functional tests for algorithm additions [MCR]
* added loadcertpath for functional/15-certload [MCR]
* fix Makefile libraries for aes128 test [MCR]
* register SHA1 and MD5 PRF and INTEG algorithms under #ifdef [MCR]
* move sha2 routines and ike init to libsha2, split off NSS implementation
remove programs/pluto/ike_alg.c, and translate calls to those that
libalgoparse supports [MCR]
* removed dead #ifdef IKE_ALG clauses. [MCR]
* removed dead comment from Makefile.options [MCR]
* added openswan_exit_log() to make pluto more like libraries [MCR]
* added -DIKEV1 if USE_IKEv1 is defined [MCR]
* added ike_alg_aes to register AES algorithms to plugable crypto [MCR]
* add programs to targets that will recurse in unit tests [MCR]
* do not stop running tests if KEEPGOING=1 is set [MCR]
* bring in t7257 functional test cases [MCR]
* bring in t7257 test cases [MCR]
* plutoalg.o is now included in libalgoparse [MCR]
* rename PLUTOLIB -> LIBPLUTO to be consistent with other variables [MCR]
* change #include to reflect header file renames, so that unit tests compile [MCR]
* remove dead private numbers for SERPENT and TWOFISH [MCR]
* remove KERNEL_ALG support from "ipsec spi", as it can not be supported [MCR]
* transform many IETF constants to defines [MCR]
* obsolete USE_MODP_RFC5114 define [MCR]
* removed dead alg_info_test target [MCR]
* wo#5640 Don't ABORT if duplicate event gets scheduled, replace existing [Martin Hicks]
* Only print 'took too long -- replacing phase 1' when it actually gets replaced [Martin Hicks]
Openswan 2.6.52.3
v2.6.52.3 (December 3, 2020)
Fixing segfault bug.
- github#541: Fix segfault when rekeying child SA with no parent [Martin Hicks]
- pluto: add ALLOW_MICROSOFT_BAD_PROPOSAL for self-proposals [Emil Velikov]
/home/shussain shussain@wendy %
2.6.52.1 release
Fixing compiler warning and working with musl.
- fix warning about switch fallthrough in parse_isakmp_sa_body() [anatoli]
- fix warning about switch fallthrough in nat_traversal_vid_to_method() [anatoli]
- fix warning about switch fallthrough in finish_pfkey_msg() [anatoli]
- fix warning about switch fallthrough in informational() [anatoli]
- fix warning about switch fallthrough in xauth_inI0() [anatoli]
- lib/libpluto/writehackmsg.c: fix build on musl [Fabrice Fontaine]
2.6.52 release
v2.6.52 (December 25, 2019)
Bug fixes for various issues.
* fix up 01-confread to included desfails test cases [MCR]
* updated functional/01-confread so that make update works, and include
ikev1= keywords results [MCR]
* wo#9234 - update unit test output [Bart Trojanowski]
* wo#9234 - make sure no one passes netlink_raw_eroute() more than 4
proto_info[] entries, because that would overflow templ[] [Bart Trojanowski]
* wo#9234 - allow for rekey of child SA to inherit tunnel/transport mode
from exsting child SA [Bart Trojanowski]
* selecting 1DES does not crash, but pluto proceeds to attempt to negotiate [MCR]
* lp210 demonstrates what happens when selecting 1des [MCR]
* fixup NULL pointer check, remove logging of pointer [MCR]
* Null pointer check. One Segfault less. [anatoli]
* port 14-deadalgos test case from rebased branch [MCR]
* Makefile needs to clean out WHACKFILE3 as well [MCR]
* Incr 'status' size to get rid of programs/pluto/adns.c [anatoli]
* Clean compile connections.c & decrementing warns in pluto_constants.c [anatoli]
* - 2 GCC warng: [anatoli]
* update COMPATIBILITY_ISSUES to reflect outstanding pfs=yes DH group change
on rekey problem [Bart Trojanowski]
* wo#9094 - fix lp08-parentR1 output, since md->st was cleared after state
deletion [Bart Trojanowski]
* wo#9094 - fix cleanup of st after accept_v2_KE() fails [Bart Trojanowski]
* wo#9094 - do not remove state from hash if not there [Bart Trojanowski]
* wo#9094 - avoid crashing with NULL conn when cleaning up state [Bart Trojanowski]
* wo#7305 - ipsec.conf man page update, add firstmsgid [Bart Trojanowski]
* wo#7305 - update COMPATIBILITY_ISSUES with firstmsgid=1 [Bart Trojanowski]
* wo#7305 - unit output output, 'preparing to delete' messages [Bart Trojanowski]
* wo#7305 - ikev2_delete_out() - fix role setting, and log role [Bart Trojanowski]
* wo#7305 - add firstmsgid=[0|1] to conn settings [Bart Trojanowski]
* wo#7305 - unit output output [Bart Trojanowski]
* wo#7305 - original responder msg_id numbering stats from 0 [Bart Trojanowski]
* wo#7305 - unit output update [Bart Trojanowski]
* wo#7305 - remove free_state() from process_packet() [Bart Trojanowski]
* wo#7305 - state handling for response to our INF/DEL request [Bart Trojanowski]
* wo#7305 - state handling for response to our CHILD_SA request, as
original responder [Bart Trojanowski]
* wo#7305 - FSM flags to match only request/response messages [Bart Trojanowski]
* wo#7305 - improve find_state_ when processing responses for our requests [Bart Trojanowski]
* wo#7305 - unit output update, new 'firstmsgid: 0' text [Bart Trojanowski]
* wo#7305 - add firstmsgid=[0|1] to conn settings, ignore the value [Bart Trojanowski]
* ct14-bigkeyI2: fix pcapupdate issue [Bart Trojanowski]
* pluto-log-merge.pl - improve parsing of the message ID string [Bart Trojanowski]
* wo#9111 - update output files [Bart Trojanowski]
* wo#9111 - fix selfsigned/generate-certs.sh, and regenerate keys [Bart Trojanowski]
* wo#9111 - revert ouptut changes that claim lacking private key [Bart Trojanowski]
* Revert "wo#9113 - sed <invalid> to 0.0.0.0 for lp08" [Bart Trojanowski]
* wo#9113 - sed <invalid> to 0.0.0.0 for lp08 [Bart Trojanowski]
* wo#9111 - update unit test output with new cert [Bart Trojanowski]
* wo#9111 - regenerate selfsigned certs [Bart Trojanowski]
* wo#8938 - IKEv1 concurrent continuation checks [Bart Trojanowski]
* wo#8938 - fix suspended md IKEv1 assertions [Bart Trojanowski]
* wo#8938 - more debug when throwing suspended-md assertions [Bart Trojanowski]
* updates to log outputs [Bart Trojanowski]
* wo#8938 - prevent duplicate async crypto operations [Bart Trojanowski]
* wo#8938 - add assert_suspended(), use it to test for st<->md
association validity [Bart Trojanowski]
* wo#8938 - assert bad conditions in set_suspended() [Bart Trojanowski]
* wo#8898 - prevent duplicate %acquire-netlink bare shunts [Bart Trojanowski]
* wo#8898 - documentation/debug for netlink_raw_eroute() [Bart Trojanowski]
* wo#8898 - remove netlink_raw_eroute() complaint when deleting [Bart Trojanowski]
* wo#8898 - scan bare shunts, expire old entries [Bart Trojanowski]
* wo#8898 - add delete_bare_shunt_ptr() [Bart Trojanowski]
* wo#8898 - add READ_ONCE() macro [Bart Trojanowski]
* updated DN for dave [MCR]
* updated pcapupdate for lp25, was missing [MCR]
* some sanitizers are using sed -r, others are not, duplicate file for now [MCR]
* sanitize size of loaded certificates, change DN [MCR]
* wo#8781 updated symlinks for configuration directories [MCR]
* wo#8781 resign all certificates [MCR]
* wo#8781 setup scripts and structure for draft-moskowitz-{rsa}-pki [MCR]
* wo#8781 added bobCert private key from DrTaylorPlumage [MCR]
* wo#8897 - avoid assert when handling STF_TOOMUCHCRYPTO on build_ke() [Bart Trojanowski]
* wo#8451 - unit testing dpddelay/dpdtimeout in cassidy.conf [Bart Trojanowski]
* wo#8451 - libipsecconf: allow time with no unit suffix; detect more
overflows [Bart Trojanowski]
* wo#8451 - dpddelay and dpdtimeout arguments accept time [Bart Trojanowski]
* wo#8784 - update unit test results, removing padding [Bart Trojanowski]
* wo#8784 - IKEv2 will not add padding to INIT exchange [Bart Trojanowski]
* fix reduce/reduce and shift/reduce conflicts based upon libreswan patch [MCR]
* Add CONTRIBUTION.md [Samir Hussain]
* Update VERSION to 2.6.52dev1 [Samir Hussain]
* update COMPATIBILITY_ISSUES about v2.6.50 interop [Bart Trojanowski]
* wo#7875 - lp201-lp205 output files [Bart Trojanowski]
* wo#7875 - lp201-lp205 uses real x509 code, and needs special cert init [Bart Trojanowski]
* wo#7875 - new config for lp201-lp205 that uses IKEv2 CERTREQ to validate peers [Bart Trojanowski]
* wo#7875 - clone lp7[12345] to lp20[12345] for new tests [Bart Trojanowski]
* wo#7875 - output test update [Bart Trojanowski]
* wo#7875 - do not send cert twice for the same state [Bart Trojanowski]
* wo#7875 - update test lp25 output [Bart Trojanowski]
* wo#7875 - remove unique dates from "RSA ... key" line in unit test output [Bart Trojanowski]
* wo#7875 - split init_fake_secrets() from lp13 main [Bart Trojanowski]
* wo#7875 - remove seam_x509 from lp13 head.c [Bart Trojanowski]
* wo#7875 - update test output [Bart Trojanowski]
* wo#7875 - ikev2_send_cert() using doi_send_ikev2_certreq_thinking() [Bart Trojanowski]
* wo#7875 - sent CERT after CERTREQ was requested [Bart Trojanowski]
* wo#7875 - make sure refine_host_connection() uses ikev1_requested_ca_names [Bart Trojanowski]
* wo#7875 - update test output [Bart Trojanowski]
* wo#7875 - allow for certs that lack X509v3 estension defining the Auth KeyID [Bart Trojanowski]
* wo#7875 - update test lp21 output with sends CERTREQ [Bart Trojanowski]
* wo#7875 - update test output with no validation CA cert [Bart Trojanowski]
* wo#7875 - update test lp19 output [Bart Trojanowski]
* wo#7875 - do not send CERTREQ if we have no CA certs for validation [Bart Trojanowski]
* wo#7875 - update test output [Bart Trojanowski]
* wo#7875 - add ikev2_send_certreq() which encodes CERTREQ for IKEv2
using KEYIDs [Bart Trojanowski]
* wo#7875 - add doi_send_ikev2_certreq_thinking() which decides when CERTREQ
is needed [Bart Trojanowski]
* wo#7875 - rewrite ikev2_decode_cr() to extract IKEv2 CERTREQ
containing KEYIDs [Bart Trojanowski]
* wo#7875 - add trusted_ca_by_keyid() and match_requested_ca_keyid() for IKEv2 [Bart Trojanowski]
* wo#7875 - update tests due to trusted_ca_by_name() rename [Bart Trojanowski]
* wo#7875 - fix up unit tests and expected output after IKEv1 struct and
function renames [Bart Trojanowski]
* wo#7875 - cleanup IKEv1 CERT/CERTREQ code [Bart Trojanowski]
* wo#7875 - give ikev2_certificate_req_desc its own fields [Bart Trojanowski]
* wo#7875 - I2 st_firstpacket_him preserves the packet not message [Bart Trojanowski]
* Revert "wo #5535 . turn off sending cert req in IKEv2: they are not the
same as in IKEv1, and it is all a mistake." [Bart Trojanowski]
* wo#7875 - update test output files after typo fix [Bart Trojanowski]
* wo#7875 - report if there are multiple reasons to not send certreq [Bart Trojanowski]
* wo#7875 - test error return from ikev2_send_certreq(), consequently fail
ikev2_send_cert() [Bart Trojanowski]
* wo#7875 - send IKEv2 CR for roadwarriors too [Bart Trojanowski]
* libpluto unit tests pcapupdate dependencies [Bart Trojanowski]
* removed references to libmd2 [MCR]
* removed dead md2.h file [MCR]
* remove unused libmd2, was referenced by certificate processing only [MCR]
* remove support from MD5 from certificate processing code [MCR]
* Bump version to 2.6.52dev [Samir Hussain]
* DPD: openbsd isakmpd bug workaround for duplicate DPD seqno [Paul Wouters]
* tests - readwritetest set -x for debugging [Bart Trojanowski]
* logging - ikev2_validate_key_lengths() reports func:line [Bart Trojanowski]
* wo#8180 - do not pass MAKEFLAGS explicitly [Bart Trojanowski]
* include subnetsize(), new routine since rework [MCR]
* resolve symbolic links into linux/ into regular files [MCR]
* bring all kernel (linux/) located crypto files used to userspace libraries,
adjust many paths [MCR]
* remove dead code from kernel_netlink [MCR]
* fix make depend mechanism [MCR]
* correct how STF_FAIL+x is generated by stf_status_name() [Bart Trojanowski]
* wo#7347 - validate group in accept_v2_KE() [Bart Trojanowski]
* wo#7347 - force release of SPIs when moving to next proposal [Bart Trojanowski]
* wo#7347 - do not send v2N_INVALID_KE_PAYLOAD twice [Bart Trojanowski]
* wo#7347 - switch from instance to template to evaluate conn fitness [Bart Trojanowski]
* wo#7347 - retry after v2N_AUTHENTICATION_FAILED for AUTH exchange [Bart Trojanowski]
* wo#7347 - properly handle peer rejecting our DH group proposal [Bart Trojanowski]
* wo#7347 - failing auth, send notification on next message ID [Bart Trojanowski]
* wo#7347 - return STF_FAIL + AUTHENTICATION_FAILED from ikev2_decrypt_msg() [Bart Trojanowski]
* wo#7347 - easier switching sa_v2_print() output to syslog [Bart Trojanowski]
* run-unit-tests.sh - fail hard if make pcapupdate fails [Bart Trojanowski]
* run-unit-tests.sh - avoid looping indefinately when make update fails [Bart Trojanowski]
* wo#8419 - refactor Travis test matrix, add validate-libpluto test [Bart Trojanowski]
* wo#8419 - libpluto/run-unit-tests.sh does not rely on figlet [Bart Trojanowski]
* wo#8419 - libpluto run-unit-tests.sh --make-options [Bart Trojanowski]
* wo#7818 - updte pcap in lp58 [Bart Trojanowski]
* Update README for dependencies [Samir Hussain]
* wo#5579 - updated lp{87,88,89} logs and pcaps [Bart Trojanowski]
* wo#5579 - lp87 will corrupt CHILD_SA nonce [Bart Trojanowski]
* wo#5579 - clone lp{46~48} to lp{87~89} to handle invalid nonce notification [Bart Trojanowski]
* wo#5579 - ntf processor for rekey-childSA-ack [Bart Trojanowski]
* wo#5579 - encrypted notification processor mechanism [Bart Trojanowski]
* wo#5579 - encrypt failure v2N response to CHILD_SA [Bart Trojanowski]
* run-unit-tests.sh -v will set make V=1 flag [Bart Trojanowski]
* wo#7614 - remove the claim that left=%interface is supported from the
man page [Bart Trojanowski]
* wo#8102 - retain connection policy when calling ipsecdoi_replace() on parent SA [Bart Trojanowski]
* wo#6996 - update unit test output files with additional log lines [Bart Trojanowski]
* wo#6996 - keep stale IKE SA up while replacing it [Bart Trojanowski]
* pluto-log-merge.pl - improve event start/end timestamp calculation [Bart Trojanowski]
* pluto-log-merge.pl --sync will merge two files with divergent clocks [Bart Trojanowski]
* pluto-log-merge.pl - add ability to process rsyslog high-def timestamps [Bart Trojanowski]
* wo#7257 . normalize the creation of the testlists to better enable comparisons [MCR]
* wo#8100 . updates to test cases as a result of updates to debugging related
to how encryption keylength are compared [MCR]
* wo#8100 . remove long dead arpa/nameser.h [MCR]
* bring forward some changes to how encryption keylength are compared, remove
keylength from PRF and INTEGRITY algorithms [MCR]
* do not call ip route flush as it fails in containers [MCR]
* wo#7257 . compilation with full -Werror results in some functions not
declared, and some const static that are not used with LIBNSS [MCR]
* wo#8100 . fixed {} bug in get_my_cpi [MCR]
* wo#8100 . remove some unused-const-variables [MCR]
* wo#8100 . some additional include errors detected by Alpine/musl build [MCR]
* asm/types is not needed if linux/types.h will do [MCR]
* introduce USE_NOMANINSTALL to avoid installing man pages on embedded systems [MCR]
* upgrade to proper include file, and sighandler type [MCR]
* removed MSG_ERRQUEUE from files that do not need it [MCR]
* use HAVE_ERRQUEUE to avoid compiling check_msg_errqueue on systems/libraries
that do not support it [MCR]
* wo#8100 . removed unneeded asm/types [MCR]
* wo#8100 . do not insist on GLOB_BRACE being available, turn off NOMAGIC,
as file must always exist [MCR]
* wo#8100 . remove long dead arpa/nameser.h [MCR]
* wo#8100 . remove incorrect calls to linux/types.h [MCR]
* wo#7302 - update lp80-h2h-rekeyikev2-R2-msgid0 test case after encryption fix [Bart Trojanowski]
* wo#7302 - initiating v2_CHILD_SA means we are INITIATOR. [Bart Trojanowski]
* wo#7302 - use correct role when dealing rekeying child SA [Bart Trojanowski]
* wo#7302 - pluto-log-merge.pl skips non pluto lines [Bart Trojanowski]
* wo#8115 - skip transport w/ subnet protection for shunt connections [Bart Trojanowski]
* protected against pick_matching_interfacebyfamily failing to find port 4500 [MCR]
* wo#7616 - added lp67-natt-replaceR unit test [Bart Trojanowski]
* wo#7616 - added lp66-natt-replaceI unit test [Bart Trojanowski]
* wo#7616 - refactor handle_next_timer_event() so that it can be
unit tested [Bart Trojanowski]
* unit tests: fix descriptions of lp{46,48,50,51,56,58} which are IKEv2 tests,
but claimed to be IKEv1 [Bart Trojanowski]
* wo#7616 - need to defer expiration of SA, when we are waiting for the
NATTed remote to rekey [Bart Trojanowski]
* wo#7616 - do not initiate parent SA rekey from RESPONDER if peer is behind
NAT-T [Bart Trojanowski]
* wo#7616 - generailize original-initiator flag for IKEv1/IKEv2 [Bart Trojanowski]
* wo#7613 - lp03-whacksemantics refactored and added n2n-transport test [Bart Trojanowski]
* wo#7613 - 01-confread, new conf for n2n-transport connection [Bart Trojanowski]
* wo#7613 - transport conn w/ subnet marked as INVALID_CONFIG [Bart Trojanowski]
* wo#7613 - added POLICY_INVALID_CONFIG bit [Bart Trojanowski]
* wo#7613 - subnetsize() function [Bart Trojanowski]
* wo#7613 - refuse to create a v2 transport child SA with subnets [Bart Trojanowski]
* wo#7615 - unit tests will confirm nat_traversal_new_ka_event() was called
for NAT-T test cases [Bart Trojanowski]
* wo#7615 - enable NAT-T keepalive events for IKEv2 conns [Bart Trojanowski]
* wo#7615 - set IKEv2 NAT-T flags based on notification correctly [Bart Trojanowski]
* wo#7710 - tests corrected to capture correct output from
ikev2_evaluate_connection_fit() [Bart Trojanowski]
* wo#7710 - fix IKEv2/rw/rsa conn eval when plutodebug=none [Bart Trojanowski]
* use consistent build options for install time [MCR]
* wo#7817 . ignore fips-mode status for testing [MCR]
* wo#7817 . sanitize the location of secrets and certificate files [MCR]
* added nss3-tools for certutil [MCR]
* wo#7817 . additional tweaks to build and test NSS version correctly [MCR]
* wo#7817 . fixup pathnames for LIBNSS loading, and keyids (which are
generated each time) [MCR]
* wo#7817 . move determination of OBJRIDR= into Makefile.inc, based upon
LIBNSS, so that test cases can find correct build [MCR]
* wo#7817 . ignore output directories [MCR]
* look for toilet once, rather than spiting out distracting toilet not found error [MCR]
* wo#7817 . when generating private keys, do it from captured noise, to
be deterministic, but also non-interactive (and VMs have terribley
entropy anyway) [MCR]
* wo#7817 . run LIBNSS version of pluto load configuration, with certificates generated [MCR]
* wo#7817 . clarify role and IKE version when private key is not found [MCR]
* turn off extra debugging of sha256 routines [MCR]
* first attempt to build test case for certload from NSS [MCR]
* wo#6269 . leverage lp13-objectlist.make to reduce clutter in Makefiles [MCR]
* wo#6269 . reorder tests so that updates to pcap files are easier to propogate [MCR]
* wo#7290 . put list of object files to link in a common place [MCR]
* wo#7572 . ISAKMP_SA_established() should never release the current connection [Bart Trojanowski]
* wo#7572 . addrcmp() of two undefined addresses should return 0 [Bart Trojanowski]
* Update .travis.yml to remove libgmp3-dev [Samir Hussain]
* built test case for orient using private key from certificate [MCR]
* added test cases that orients based upon private key using certificates [MCR]
v2.6.51.5
Fix kernel algorithm table and if() block that is missing a {}
- removed dead code that causes warning [MCR]
- change IKE->kernel mapping table to be correct; likely fixes incorrect mapping for ESP_NULL, which is hardly ever used [MCR]
- fix for incorrect {} after if statement [MCR]
v2.6.51.4
Fix for CVE-2019-10155 (IKEv1 information exchange packet's integrity check
value is not verified)
- cleanup warnings in delete_connection() [Bart Trojanowski]
- tests: cleanup warnings in libpluto unit tests [Bart Trojanowski]
- tests: cleanup warnings in libopenswan unit tests [Bart Trojanowski]
- tests: add quick_mode_hash12() to libpluto seam code [Bart Trojanowski]
- ikev1: hack to check informational payloads [Andrew Cagney
(from Libreswan commit 9391eab9)]
v2.6.51.3
Fix memory leak bug.
- wo#8179 . defer freeing states until all references are clearly gone,
clear them out in the main loop [MCR] - attempt to free the state [MCR]
- added leak detective reporter [MCR]
v2.6.51.2
v2.6.51.2 (December 17, 2018) Additional commits for libnss. * added --built-withlibnss when built without nss [MCR] * update Makefile to tables driven version [MCR] * added --built-withlibnss option [MCR] * updates to tests for show ipsec.secrets location [MCR] * wo#7817 . show location of ipsec.secrets file in whack status [MCR] * Specify email address for reporting security vulnerabilies [Samir Hussain] * change NSS init to use sql: method [MCR] * adjust functional tests to ignore NSS status, but some certificate tests are not going to run with NSS [MCR] * wo#7067 . include run-unit-tests.sh and rework Makefile with testlist [MCR] * initialize NSS libraries [MCR] * remove another USE_1DES [MCR] * cast appropriate for 32-bit platforms [MCR]
v2.6.51.1
v2.6.51.1 (October 5, 2018)
Bug fixes for using libnss and building with Debian.
- wo#7597 . move errant LIBNSS setup to private_key_setup [MCR]
- Fixing typo in debian/changelog. [Samir Hussain. Hat tip to github user fleish]