/
CHANGES
288 lines (246 loc) · 11.6 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
Please see docs/KNOWN_BUGS file for more information
v2.6.07
* IKEv2 retransmit fixes [mcr]
v2.6.06
* Added IKEv2 X.509 CERTREQ [antony]
* Interop fix for IKEv2 PSK - Use correct IETF Key Pad without \0 [paul]
* Fixed a few IKEv2 related crashers on receiving a NOTIFY in R1 [paul]
v2.6.05
* Added IKEv2 X.509 CERT [antony/paul]
v2.6.04
* Added IKEv2 PSK AUTH [antony/paul]
v2.6.03
* Added IKEv2 RSA AUTH [mcr]
#stable
* Merged in XAUTH DNS/WINS server-side patch from Anna Wiejak [paul]
See: http://popoludnica.pl/?id=10100110
* Various fixes to the scripts for NETKEY [paul]
* KLIPS support for the 2.6.23+ UDP ENCAP sockets [mcr]
Userland support not yet finished. This should obsolete the NAT-T patch
when finished.
* incorporated changes between 2.4.8 and 2.4.9
* incorporated changes between 2.4.9 and 2.4.10
* Notice and gracefully fail to load KLIPS when we try to load esp/ah/ipcomp
protocol and another module already has registered these (eg esp4, ah4,
ipcomp) [paul]
* Fix for KLIPS NAT-T dropping all packets on 64bit big endian machines [dhr]
* FIx for KLIPS on 2.6.23.1 without CONFIG_NF_CONNTRACK* [paul]
* Bugtracker bugs fixed:
#708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
#654: XAUTH strips space out of username/password + patch [Dustin Lang]
#641: Herein patches to fix warnings if -Wshadow is used [andygay/paul]
#580: kernel 2.4.x cryptoapi broken [espakman]
#582: Cannot initiate on demand a connection with traffic selectors [Ilia Sotnikov]
#590: serpent lib used private kernel header [paul]
#544: the following error should only show up for x509 debugging: ... [paul]
#185: Deadlock in function "scx_release()" daemon pluto.(SMARTCARD) [Kurodo]
v2.5.15
change ipsec_breakroute to permit non-existant eroute's to be replaced.
fix for NAT-T negotiation with IP address changes during negotiation.
adjusted addconn to support nat-t debug keywords.
v2.5.14
failed attempt to fix ipsec_breakroute.
fixed leftsendcert= to be implemented in keyword parser.
introduced startnetkey functions.
UML kernel configuration canonicalization updated.
v2.5.13
move DNS lookups from libipsecconf into pluto, where they belong. DNS lookups
are still only done once during conn load time, and are done synchronously.
v2.5.12
A fix to detect that XEN has been patched into the kernel, and set
some of the 2.6.18 changes.
never log starter_log() things to stdout, they always go to stderr.
when a packet is passed through, do not call NF_IP_LOCAL_OUT, as it has already
passed through the output hooks, and doing it again, confuses things
causing ip_route_me_harder() which creates a look, since it does the flow
lookup again. (This doesn't happen if the kernel hasn't got XFRM support)
fixed parsing of config file so that "version 2" is accepted.
fixed addconn to respect "right/left"sourceip=, new test case sourceip-01
fixed processing of "first"/"last" packet for %trap/%hold conns in KLIPS, it now
properly forwards the packets when the packet is released.
v2.5.11
Some fixes in KLIPS for "ipsec eroute --clear" bug. It is not clear
why this suddendly became an issue, or if it would have been an issue
previously, given the right compiler optimization.
v2.5.10
Includes fixes for xmlto generation for _confread directory.
v2.5.09
Minor fix to build process, updated CHANGES file.
v2.5.08
Correct release.
Includes some changes to permit OE to work without nexthop,
however this seems to cause it to return an unreachable on
the first message.
v2.5.07 -dud due to release script error.
v2.5.06
set LANGUAGE, LANG and LC_ALL in setup script.
change OE off by default note and scripts.
Merge of additional code from 2.4.
v2.5.05
2.5.03 and 2.5.04 were not properly released, and 2.5.05 now
is properly released and includes below items
v2.5.04
zero peer_ca to avoid crashes.
(include glob's may still not work correctly)
v2.5.03
ipsec.conf parsing should ignore keywords that start with x-
they are a form of structured comment.
added in forceencaps= keyword.
process wildcards with glob() in include statements.
v2.5.02
fixed bug in ipsec.conf parser, where it could not read values
that had = in them (such as base64 encoded keys)
fixed bug in key continuation code that could cause a crash
if the DNS request timed out after the state was deleted
for other reasons.
v2.5.01
merged xauthusername code base + multinet tests in.
removed /dev/hw_random from list of valid random sources on linux.
use "rngd" instead to feed /dev/random.
v2.5.00
fixed various bugs with lifetime values in ipsec.conf parser
AES-128 (group 5, MD5 or SHA1 for PRF) is now accepted for phase 1,
and it is now the preferred cipher as well. This should be the
case for Main mode, Aggressive mode, and for XAUTH client and
XAUTH server, and PSK and RSA sig mode.
fixes so that starter will now compile
move whacklib to lib/libwhack
adjust makefiles to work with OBJDIR version of Makefile.program
switch to OBJDIR in programs/* and lib/* if it is defined
added sanitizer for PID files
be smarter about including git version info into version
We need to use /dev/urandom first, as it has more random than /dev/random.
Otherwise, we run out really fast (within a few minutes)
Use endian.h when comiling out-of-kernel
patch to turn error about 17/500,0/0 vs 17/0 error with Cisco VPN3000
into a warning.
remove test for NAT-T VID vs NATD payload test. It fails for reasons
that are unknown at this time, and this check is really being pedantic.
MAJOR: use starter code for "addconn"
MAJOR: always use OBJDIRs, and compile on Windows (no kernel)
MAJOR: includes "Taproom" code --- TCL call outs from pluto at IKE
transition states.
v2.4.10
* Fix for sock.sk_stamp type change in 2.6.22 [dhr]
* Workaround for implementations that propose port 0 for l2tp to allow
us to connect to all their ports (instead of only 1701). This happens
with Cisco VPN 3000, OSX and Windows XP. This relates to various
reported bugs about rightprotoport=17/%any and CK_INSTANCE crashers [mcr]
Use the workaround for OSX clients using rightprotoport=17/0
* Backport of fix for xauth name containing a space [paul]
* Fix for final next payload in Aggressive Mode [David McCullough]
* Fixes for compliling against 2.6.22 [David McCullough / Hugh Redelmeier]
(note: NAT-T KLIPS patch will not work on 2.6.23+)
* Speed gains in the scripts on systems with many interfaces [David McCullough]
* passert declaration fix [David McCullough]
* A missed nfmark -> mark case in ipsec_sa.h [David McCullough]
* Fix for ktime_to_timeval to use proper kernel versions [paul]
* Added back -DCONFIG_KLIPS_ALG in KLIPSCOMPILE, which we require when not
building KLIPS with David's OCF patch [paul]
* Added SElinux patch in contrib/ [Venkat Yekkirala]
* Bugtracker bugs fixed:
#449: 17/%any is a template conn problem [mcr]
#708: vanilla kernel-2.6.19, KLIPS compile error (sock_unregister) [sergeil]
#796: can't compile 2.4.8 on kernel 2.4.34 (module_param fix) [sergeil]
#802: Error: "our client ID returned doesn't match my proposal" [mcr/paul]
#813: incorporate bleve's lsb patch [tuomo]
#824: defaultroute detection fails with PPP default route [sergeil]
(this is also the bug introduced in 2.4.9 that causes failed subnet tunnels)
#855: Pluto restart impossible on busybox [paul]
v2.4.9
* Fix for Aggressive Mode with NAT-T (no negotiation in aggrmode) [mcr]
* Integrated most openwrt workarounds - tested on whiterussian [paul]
* Typofix for smartcard support [andreas zwicker]
* Fix for when responder PSK incorrectly uses pfs and has nhelpers=0
[Matthias Haas]
#801: Patch for fixing type-punned compiler warnings [Alin Nastac]
#811: Patch for using custom algs with CONFIG_KLIPS_ALG [iamscard]
#812: Bogus defaultroute nexthop for PPPoE (& PPP?) [BruceS]
v2.4.5
* Fix for compiling on 2.6.14 kernels
* Refactored natd_lookup / hash code, probably fixes lot of NAT related bugs
#401 l2tp connection is not work with 2.6 build in IPSEC
#442 Pluto uses wrong port in NAT-D calculation
#450 macosx (possible generic PSK+NAT-T rekey bug: eroute already in use.
#462 updated patch for Openswan and OS X with NAT-T
#509 KLIPS compilation fail with kernel-2.6.14.2
v2.4.4
#487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state)
(see http://www.openswan.org/niscc2/)
(proper fix in pluto_constants.h)
* Fix for kernels having strstr
* Various gcc4 warning fixes
* disable CONFIG_IPSEC_NAT_TRAVERSAL per default so we can build KLIPS on
Fedora systems.
* questionable spin_unlock commented out. Might fix reported SMP crashers.
* update to permit alg code without module support
* Fix for detecting proper kernel source/header directory on fedora
* Various bugfixes as reported on http://bugs.openswan.org/
#499: check for module support in kernel for IPsec Modular Extensions
#500: recent awk breaks on 'setdefault' command
v2.4.3
#487 ASSERTION FAILED at state.c:120:IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state)
(see http://www.openswan.org/niscc2/)
(incorrect fixed. version not released)
v2.4.2
* Fixes for compiling on 2.6.14 by David McCullough
* Minor fixes to accomodate FC4 2.6.11 kernels.
* Fix for compilation of KLIPS on 2.4.x kernels.
* Fix for NAT-T on 2.4.31
* Fix for 'short' packets with KLIPS on 2.4.x
* Merged in Jacco's l2tp configuration examples
* Various bugfixes as reported on http://bugs.openswan.org/
#286 Incorrect links in intro.html
#344 netkey-acquire patch
#376 install_ipsec_sa and install_inbound_ipsec_sa
#486 ASSERTION FAILED at crypto.c:258: key_size==(DES_CBC_BLOCK_SIZE * 3)
(see http://www.openswan.org/niscc2/)
v2.4.1
* Not publically released
v2.4.0
* NAT-T support for KLIPS on 2.6 (Sponsored by Astaro)
* Additional Cipher support with KLIPS on 2.6 (Sponsored by Astaro)
* Fix for NAT-T/PSK rekey (Ulrich @ Astaro)
* Various bugfixes: #269, #328, #342, #350, #355, #357, #361, #363
v2.3.1
* NAT-T RFC support (mlafon/mcr)
* NAT-T Server Side rewrite - handles rekeying alot better
* NAT-T Client Side rekey bug fixed
* Removed HowTo (obselete)
* IPKG packaging updates
* Log message updates
* dpdaction=restart support
v2.3.0
* KLIPS for 2.6 support (Experimental)
[ good results on FC3-AMD and vanilla/debian kernel source, but not
FC3-intel. Might be the grsecurity patch ]
* Aggressive Mode Support (client and server)
* IKE Mode Config support (Experimental)
* Cisco VPN 3xxx client Interop (Experimental)
* Cryptographic helpers framework
* Fixes for NAT-T on 2.4.28+ kernels.
v2.2.0
* Added RFC 3706 DPD support (see README.DPD)
* Added AES from JuanJo's ALG patches
* Fixes for /proc filesystem issues that started to appear in 2.4.25
v2.1.2
* Fix loading of 2.6 modules
* Fix for snprintfs() in /proc, new for 2.4.25 kernels (dhr/pw)
* Fix checks for some log files/dirs in case they are sockets or pipes (pw)
* Fix for crl.pem crash/core (dhr/as/kb)
v2.1.1
* Fix _pluto_adns installation path (kb)
* Fix sending of X.509 CR's when no CA present (mcr)
v2.1.0
* NAT-T support (Mathieu Lafon - Arkoon)
* X.509 fixes (Andreas Steffan)
* New configuration file directive, {left|right}sourceip=#.#.#.#
This will set the source address when talking to a particular
connection. This is very usefull to assign a static IP to your laptop
while travelling. This is based on Tuomo Soini's Advanced Routing
patch.
<<<<<<< HEAD:CHANGES
RCSID $Id: CHANGES,v 1.326.2.31 2005/11/24 05:35:43 ken Exp $
=======
RCSID $Id: CHANGES,v 1.326.2.118 2007/07/09 23:11:56 paul Exp $
>>>>>>> 1121e33... changes for 2.4.9:CHANGES