CHANGES
Note that listings are in chronological order of release times, not in order
of version numbers, so you will find 2.5.x and 2.6.x releases interspersed.
See also docs/KNOWN_BUGS.txt and https://github.com/xelerance/Openswan/issues
v2.6.46dr2 (October 26, 2015)
* Fixed find_host_pair so that it finds right=%any matches correctly [MCR]
* Change listing to give IP/ID type on every bucket [MCR]
* Added option to readwriteconf to load all conns marked add/route/up [MCR]
* Document --listhostpairs debug option [MCR]
* Possible fix for IKEv2 issues when built with libnss [MCR]
* Return proper IKEv2 Notify when authentication fails due to wrong ID [MCR]
* Make sure that host_type is initialized [MCR]
* Take care of deleting IDhostpair when connection is deleted [MCR]
* Use IDhost_pair list to find appropriate conn by ID [MCR]
* Added IDhostpair support [MCR]
* Initial work on creating a hostpair list by ID [MCR]
* Added listing of hostpairs to available whack debugs [MCR]
* INVALID_MSGID becomes -1 on 32-bit, but not on 64, so translate it better [MCR]
* Rename host_pair to IPhost_pair in preparation to adding IDhost_pair [MCR]
* Remove file that was accidentally committed [Simon Deziel]
* Debian: update patch list file [Simon Deziel]
* Debian: bump standards version to 3.9.6 (no change required) [Simon Deziel]
* Debian: drop dpatch (obsolete) [Simon Deziel]
* Split up IKEv2 RSA verification into nss and non-nss versions [MCR]
* Move try_RSA_signature_v1 to separate file [MCR]
* When loading conn, process alsoflip= as well [MCR]
* Refactor also processing so it can be applied to alsoflip [MCR]
* Fixing minor typo and spelling mistakes. [Samir Hussain]
* Refactor whack_listen processing to separate function for unit testing
Added call to check_orientations() after discovery of new interfaces [MCR]
* Log the connection name for each IPhostpair that is being compared to [MCR]
* lp24-certreply dave discovered that find_host_pair was still wrong.
Rewrote find_host_pair again with a bestpair mechanism to get it right [MCR]
* Updating man page in order to remove manual option from auto keyword
(it is no longer supported) [Samir Hussain]
v2.6.45 (August 27, 2015)
This release fixes CVE-2015-3240 (IKE DoS)
* Minor compile tweaks that were missed at cottage [MCR]
* Possible fix for CVE-2015-3240: if KE payload is 0, then
exponentiation fails, tripping a passert for nss [MCR]
v2.6.44 (August 13, 2015)
Massive bug patch and IKEv2 processing fixes by MCR
* Potential fix for #4285 - make sure kernel.c uses correct destination for outgoing SPD when responding to an initiator/32 [MCR]
* Change negotiated tunnel message to be clearer with IPv6 addresses [MCR]
* Using short notation, using GNUmakefile notdir, and making sure that $< will
reference the right file by making explicit %.c->%.o rule. [Jason]
* Show the connection name when the state is found, provide a way to nicely dump a single state to debug log [MCR]
* Change find_host_pair so that it knows if it is creating a new host pair, as host pairs that have right=%any will always match [MCR]
* Tweak CA business so that correct CA is loaded, it is referenced correctly, the correct ID is used to lookup the CA [MCR]
* Make sure that certificate file name is properly terminated [MCR]
* Use a macro to set SIN_LEN [MCR]
* Added st_peer_id to store decode ID from inside I2 message [MCR]
* Added fmt_connection_inst_name [MCR]
* Add additional way to orient: me defaultroute with other end not having private key [MCR]
* Make passing pass_prompt_t into key loading function officially optional [MCR]
* Cope with a NULL prompt_pass, make something up to store passphrase if necessary [MCR]
* Adopted some kernel_netkey.c fixes from libreswan, and added some debug of port numbers [MCR]
* Reset the remote port number to 0, as lack of client should indicate lack of port numbers (XXX maybe not) [MCR]
* rw_instantiate needs to take remote address from state [MCR]
* Simplify evaluation of when we need to instantiate templates: all conns that
are templates should be instantiated [MCR]
* Log why connection was marked as a template [MCR]
* Added explicit struct end to ipsec installation to deal with rightsubnet=%self situation [MCR]
* find_client_connection can use endclient too [MCR]
* Note better when find_host_pair() is done [MCR]
* Replace series of our_net/peer_net + protocol/port arguments with struct end. [MCR]
* Use endclienttot() to format things in more places [MCR]
* Use endclienttot() to print fc_try debug [MCR]
* Added endclienttot() function to format end->client, taking into account that the host_type might be %any [MCR]
* Need to set send_whack_msg to a value even if ctlbase is going to default [MCR]
* Log when there is no send_whack_msg function [MCR]
* Do not even try to use libnss for certain non-critical PEM related 3DES operations [MCR]
* Make sure that st_localaddr and st_localport are set up based upon where we observe traffic to flow;
this information is used when has_client=0, and we are really proposing a conn for self. [MCR]
* If end has no client, then set end to appropriate value from state [MCR]
* Correctly return no proposal chosen when the initiator suggests 0.0.0.0->0.0.0.0,
which previously matched encoding for %any [MCR]
* When IKEv2 has right=%any, the remote address and port needs to be recorded into the state [MCR]
* Use macro for -lefence so that it can be globally turned off [MCR]
* Write record number in debug output from readwriteconf [MCR]
* Send public keys before policy [MCR]
* Eliminate some testing specific code in readwriteconf that duplicated code from starterwhack.c [MCR]
* Orient should be able to consider an end local if a private key is present for the public key indicated [MCR]
* Orientation now takes into account which end has a private key (if no interface IP
address could determine orientation) [MCR]
* Split nss and non-nss signature routines [MCR]
* Explain liboswkeys library [MCR]
* Explain libpluto [MCR]
* Make connection loading description a bit prettier [MCR]
* Module mis-named, got an i in front of af_key [MCR]
* Clean up orient info -- debug only [MCR]
* Warn about FIPS mode only once [MCR]
* libnss brings in some additional libraries that reveal that rsasigkey does not have exit_tool() defined [MCR]
* Use NSS_LIBS and FIPS_LIBS defines properly [MCR]
* Split off nss function to make files simpler to read [MCR]
* Sort out LIBNSS nonsense in rsasigkey [MCR]
* Mark rhel builds as using LIBNSS.
remove build_klips parts -- they are unmaintained on rhel7 [MCR]
* Make ikeping diagnostics saner, and show help rather than aborting [MCR]
* Update IPSECBASEVERSION in Makefile.ver for packagingprep target (simon)
* Make ikeping diagnostics saner, and show help rather than aborting [MCR]
* Clarify that whack_magic mismatch has nothing to do with klips [MCR]
* Permit debug-netkey to be alias for debug-klips as well debug-xfrm [MCR]
* Log the version that is placed into the version file [MCR]
* Mark some SPD/SA creation code as debug [MCR]
* Remove extensive but useless satype processing from netlink_raw_eroute [MCR]
* Added state to eroute_connection so that peer address can be taken from there [MCR]
* Just because right=%any, does not mean that it is a template [MCR]
* Simplify the kernel SA add code to use src/dst where appropriate, and src_client/dst_client properly [MCR]
* Updated natt port handling to pull from parent_st. [MCR]
* Found potentially dead code in update_ipsec_sa() [MCR]
* Log src/dst after it is inbound/outbound set [MCR]
* Take IPsec SA end points from state rather than from policy [MCR]
* Pass parent state down in IPsec SA creation routines so that an accurate st_localaddr/st_remoteaddr is available.
Note should also add port numbers --- IKEv2 NAT work is probably still open [MCR]
* Some debug of setup_half_ipsec_sa [MCR]
* SA src/dst is not a subnet, but an address, so use appropriate structure [MCR]
* Log algorithm lookup in KLIPS debug, and also IP address pairs of endpoint [MCR]
* When responding in an error condition, keep the state around awhile
in case there is a retransmit; but eventually remove it [MCR]
* Always collect other peer's SPI value, we need it. With this change, the spi=0000000 problem goes away [MCR]
* Moved detection that responder has sent multiple proposals outside of block that matches them [MCR]
* Role can never change in ikev2parent_inR2, it is always the initiator [MCR]
* Added progress debug to setup_half_ipsec_sa so errors from kernel make more sense [MCR]
* Removed role parameter from emit_ts, and move next_payload calculation to parent [MCR]
* Removed note about duplicate_state --- state duplication occurs in ike_child_sa_respond [MCR]
* Defend ikev2_encrypt_msg against possible bad inputs; might come from ikev2_delete_out [MCR]
* Make code associated with being a responder not optional [MCR]
* Removed role parameter from ike_child_sa_respond, as it never is called by initiator [MCR]
* Set crypto importance once SA has been validated [MCR]
* Log state numbers better, and log SPI# in network order [MCR]
* Do not log a NAT change on first packet [MCR]
* Log the msgid for parent and child IKEv2 SAs [MCR]
* Added some notes about when parent state is relevant and when child is needed [MCR]
* Try to log better in setup_half_ipsec_sa() so that errors are more easily associated [MCR]
* R2 message was not being accepted because msgid replay counter
was being compared on child SA, rather than parent [MCR]
* Do not log NAT port changes if original address is 0.0.0.0 [MCR]
* Import libreswan (2bc8abe3) netlink fixes [MCR]
* Make sigusr1 handler static [MCR]
* Added DEBUG_WITH_PAUSE to keep pluto from running away with retransmits
when developer is thinking after a failure [MCR]
* Adopt a bunch of IKE algorithm definitions, and attempt to
find and quiet source of duplicate algorithm entries [MCR]
* Refactor ESP creation into new function for readability [MCR]
* Pluto now accepts SIGUSR1: this presently does nothing (crypto subprocesses ignore it)
it can be used with DEBUG_WITH_PAUSE to "single step" pluto interactions which are going
too fast to manually inspect.
In particular, one can do "ipsec whack --status" on the peer before letting the processing
proceed. [MCR]
* Note in logs when parentSA is considered good [MCR]
* Disentangle LIBNSS and non-LIBNSS code [MCR]
* Convert some uses of whack_log to loglog() so that they go into system log too! [MCR]
* Log the IKE version in state, and if v2-parent, log the msgid counters [MCR]
* State_hash now returns the bucket number, which can aid in certain kinds of debugging [MCR]
* Some minor comments about msgid processing
make sure that if the msgid is too large or cookies do not match, that no further processing occurs [MCR]
* Gave all the IKEv2 state microcodes a human readable name [MCR]
* Found problems with mis-initialized st_msgid_nextuse, created new routine to allocate them from parent [MCR]
* Added record of IKE maj/min version to state structure.
Collect it into the msgdigest, and insert into stats on receive/create-state, and initialize
it when initiating. [MCR]
* Found error in starter_whack_add_pubkey that resulted in public keys not loaded. This was
introduced in commit: 0783e455 by mcr (me!) [MCR]
* Improve documentation of starter_whack_build_pkmsg [MCR]
* Set LOOSE_ENUM_OTHER values appropriately, and debug the result if desired [MCR]
* Parser_loose_enum used to return explicit "255", which matches LOOSE_ENUM_OTHER
as a value. But instead put the appropriate value into the keyword_def structure.
Not only is this more flexible, but it is much easier to understand [MCR]
* Mark keyword_name() arg0 as const [MCR]
* Adjust ikev1 for new find_host_connection ANY that takes histype [MCR]
* Added KH_IPADDR to list of host type keywords [MCR]
* Added histype to find_connection functions [MCR]
* Some initial changes to put %any processing into host_pair code [MCR]
* Log host type of remote side of conn in host_pair [MCR]
* Changes to link order cause liboswlog to be properly linked in; this requires exit_tool
and progname to be set up properly [MCR]
* Import TS checking/narrowing code from libreswan into ikev2parent_inR2 [MCR]
* Changed SEND_NOTIFICATION to SEND_V2_NOTIFICATION, from libreswan [MCR]
* Ikev2_log_parentSA should be used on initiator and responder.
It is a good candidate for a function that could be omitted when memory is tight [MCR]
* Ikev2_process_payloads is wrong for processing an encrypted payload, do it inline [MCR]
* Make sure that event is always deleted on free_state [MCR]
* Added counter for number of retransmissions from responder seen [MCR]
* Repeated payload problem fixed [MCR]
* Notification should go to whack log, with appropriate value
make sure to set the current state, and remove debugging of payloads seen [MCR]
* Create a way to run parentI1 with calculations so that they can be saved (does not work yet) [MCR]
* Always include RFC5144 groups, no more ifdef [MCR]
* Split libnss code from non-libnss for better clarity [MCR]
* outR1 could well assign the header msgID from the initiator's messageID,
but since the I1 messageID is defined to be zero, it should all be the same.
The messageID is sequence in IKEv2, but in IKEv1, it's opaque, so handle htonl() here. [MCR]
* Processing of v2N_INVALID_KE_PAYLOAD notify [MCR]
* Now picks correct state when notify is seen [MCR]
* ikeI1 state to deal with responder sending a notify [MCR]
* Add target to make assembly for examining underlying causes [MCR]
* Do not delete state immediately, mark it as waiting to delete [MCR]
* Permit the RHEL7 spec file to also build on RHEL6.5. xmlto otherwise can not resolve dependency
for lynx vs elinks. RHEL7 does not seem to have lynx [MCR]
* Change log of state deletion to not be a debug, log state name too (idea from libreswan) [MCR]
* Move spd formatting routines to library [MCR]
* Split orient() function into new file so it can be tested [MCR]
* When processing conf files, a missing right=/left= should cause an error and the conn should not be loaded [MCR]
* Move orient function to libpluto.
Pass it the pluto_port number to use, rather than reference a global [MCR]
* Change pluto_port -> pluto_port500,
introduce pluto_port4500. Make setting the pluto_port also set the NAT traversal port to +4000 of it.
Do not hard code the port 4500, use IETF name for port 4500 [MCR]
* New function: ikev2parent_outI1_withstate permits IKEv2 to start with some state [MCR]
* Refactor pubkey addition process, add this to whack write [MCR]
* Include option to create whack files from loaded conns [MCR]
* Refactor serialization of whack message to reuse in readwriteconf [MCR]
* Return count of messages read so that failures can more easily be diagnosed [MCR]
* Move whack msg write functions to libpluto [MCR]
* Make sure that the --secctx_attr_value is always accepted, and if appropriate, ignored [MCR]
* Permit an explicit nhelpers=-1 [MCR]
* Added family2str to decode AF_INET/AF_INET6 nicely [MCR]
* Moved defs.h to include/pluto/defs.h, so change the include slightly [MCR]
* Change some more variables to LIBFOO from FOOLIB [MCR]
* A batch of libreswan configuration code was ported as it was noticed that there was some
mix of strdup/clone_str already.
Some keywords were imported, many were not yet imported. The code is formatted vastly differently [MCR]
* Refactor key building whack message processing [MCR]
v2.6.43 (March 13, 2015)
Bugfixes and Certificate handling improvements
* Sign_hash was not being compiled when libnss was unset [MCR]
* Modifications to sign_hash_nss [MCR]
* Change order of functions to avoid forward declaration [MCR]
* Silence some warnings when building with LIBNSS [MCR]
* Modifications to decrypt_sig to help with nsscert test case [MCR]
* Added dhr-style shortcuts to constants.h [MCR]
* Added OID for SHA224_WITH_RSA, regenerated oid.h and oid.c [MCR]
* Be more careful about examining dsig when digest is not successfully extracted [MCR]
* Tweaks to get LIBNSS defines into the right place [MCR]
* Allow unit tests to set a fake time [MCR]
* Added V=1 flag to turn off concise builds [MCR]
* Move ocsp.c into liboswkeys [MCR]
* Move rnd.h header so that ocsp.c will compile [MCR]
* Move list_ocsp routines to x509.c, as those routines are tied too closely to pluto [MCR]
* Fix GCC->CC macro so that make depend works [MCR]
* Whitespace changes in Makefiles [MCR]
* Create new liboswkeys and move liboswlog to separate directory [MCR]
* Rename FOOLIB variables -> LIBFOO [MCR]
* Be less verbose when building; especially do not emit paths that would screw up regression builds. [MCR]
* Added NULL argument for labelled IPsec support [MCR]
* Remove build dependency upon bind-devel, as USE_LWRES= is not true anymore [MCR]
* RHEL7 spec file [MCR]
* Tweak IP_SELECT_IDENT_NEW for kernel 3.2: must have gotten lost [MCR]
* Ubuntu has backported some code to 3.13, so use correct select code [MCR]
* KLIPS patches for kernel 3.18 [MCR]
* Use a more KLIPS-y way to detect if KLIPS is loaded; not ancient pfkey interface [MCR]
* While the uid and pid types changed for namespace support since 3.12,
rather than fix that, KLIPS really does not need to know the PID at all. [MCR]
* Compile out the pfkey /proc interfaces; they provide no value [MCR]
* Use IP_SELECT_IDENT_NEW for kernel 3.12 series [MCR]
* Replace the ipsec_proc interface with seq based interfaces [MCR]
* Patch to work with Linux 3.11,3.15 [MCR]
* Ripped out --show and --showonly, and awk processing of ipsec auto --up [MCR]
* Cleaned up much ugliness (ifdefed argument lists) due to HAVE_LABELED_IPSEC [MCR]
* When a connection is deleted, log if the whack is open for the state [MCR]
* Get rid of compiler/printf warning on size of pointer [MCR]
* Append .ctl to socket name as whack does [MCR]
* Tweaks to whack message format: make it more resistant to 32/64-bit differences [MCR]
* Make whack magic values more clearly 32-bit [MCR]
* Removed kernel 24 build code [MCR]
* Clarify whack magic to be dependent upon size of pointer [MCR]
* Flush whackrecord on each write [MCR]
* Whackstoprecord option should not require an argument [MCR]
* When whack record is on, output debugging [MCR]
* Tweaks to whack message format: make it more resistant to 32/64-bit differences [MCR]
* Do not make whack message depend upon an ifdef [MCR]
* Move resolv_myid from pluto into libopenswan, but remove it from liboswlog, which is for non-pluto pieces only [MCR]
* If nexthop is not set, then it defaults to %defaultroute, otherwise left=%defaultroute does not work [MCR]
* Add check for bison/flex [MCR]
* Some minor enhancements to newhostkey to use /dev/urandom by default, and fill in the
debian place for ipsec.secrets.inc if it exists, but is zero [MCR]
* Do not install development man pages on target system by default [MCR]
* Re-organize, and enable obsolete keywords to be processed [MCR]
* Change USER* for USER*EXTRA [MCR]
* Removed unused tsc variable [MCR]
* Change //-comments that change code flow into #if 0 instead [MCR]
* More changes to addrbytesptr() rework [MCR]
* Removed dead function: ikev2_narrow_instantiate [MCR]
* 32-bit,64-bit issues with printf [MCR]
* Try to deal with -Wqual-cast/-Werror issues: addrbytesptr() should perhaps not be promising const-ness on ptr [MCR]
* NAT-T: new style uses setsockopt and old (KLIPS-only) uses ioctl [Simon Deziel]
* Use pidof instead of ps -C in _realsetup as the former is guaranteed to
be available even on minimal installs. Closes Debian bug #719126. [Simon Deziel]
* Update README to include dependencies for RH-based distros [Simon Deziel]
* Added SSL roadwarrior configuration [Renzo Dani]
v2.6.42 (October 20, 2014)
Bugfixes
* Update two minor copyright statements [MCR]
* Make -lgmp into a variable [MCR]
* Clarify use of Makefile.vendor, and clean it out. [MCR]
* buildlin should warn if WERROR set, and look for missing gmp.h [MCR]
* Target build for Trusty instead of Precise [Simon Deziel]
* Improve wording of leftsubnets' explanation in the man page [Simon Deziel]
* Bring back NAT traversal that got mistakenly pulled out by CVE-2014-2037 patch. [Thomas Geulig]
v2.6.41 (February 21, 2014)
This version specifically addresses CVE 2014-2037
This CVE is a continuation of CVE 2013-6466. We missed some cases.
* SAREF: kernel patches updated to linux 3.11.0 (Simon Deziel)
* Fix for CVE-2014-2037 (Paul Wouters, Hugh Redelmeier)
v2.6.40 (February 14, 2014)
This version specifically addresses CVE 2013-6466.
Big changes are coming for the testing subsystem.
From this version on, we are disengaging the testing subsystem from
the Openswan source tree. You can still get a copy at
git@github.com:xelerance/old-openswan-testing.git
Some parts of an RFC4306/5996 patch were removed due to it
introducing a few IKEv2 specific crashers.
We will introduce a greater IKEv2 functionality upgrade in
the next version.
* CVE-2013-6466 fix: Integrated fix from Steve Lanser [Patrick Naubert]
* KLIPS: Fix for crashes in ipsec_xmit_ipip() for 3.4.65+ kernels [Thomas Geulig]
* Revert "relpath changes" [Brenda J. Butler]
* Add xmlto as Debian build dependency to have fresh man pages. [Simon Deziel]
* Avoid dns(sec) lookups for numerical sourceip= values [Paul Wouters]
* Updated FSF address on the GPLv2 COPYING file [Paul Wouters]
* Removed some obsoleted files in docs/ [Paul Wouters]
* Added "ipsec initnss" command [Paul Wouters]
* XAUTH: Use incoming XAUTH VID when picking best connection [Andrey Alexandrenko]
* XAUTH: fix pam race condition and contrib/pam.d file [Paul Wouters]
* Do not perform XAUTH/ModeCfg during rekey when using Cisco compatibility [Avesh Agarwal]
* v1phase2tov2child_integ() addition [Avesh Agarwal]
* Changes related to bz#703985 for Secure Labeling [Avesh Agarwal]
* Added Avesh's additional labeled ipsec logging to starterwhack [Paul Wouters]
* Support reading NSS password from file [Paul Wouters]
* Restore postpluto functionality which was missing [Tuomo Soini]
* Don't refer to NETKEY as "2.6" or "experimental code" [Paul Wouters]
* Added AH_SHA2_256_TRUNC to ah_transform_name_private_use [Paul Wouters]
* helper: helper_passert_fail no longer used. Fix two string format warnings [Paul Wouters]
* Put rpmbuild values used to compile in Makefile.inc as commented examples [Paul Wouters]
* X509: fetch_ocsp should return void, not void * [Paul Wouters]
* gen_reqid() can call exit_log() but confuses compiler [Paul Wouters]
* XAUTH: fixup previous maxlength fix. Move hardcoded values to defines [Paul Wouters]
* Support /etc/sysconfig/ipsec and /etc/default/ipsec (rhbz#789917) [Paul Wouters]
* Backporting proc_subdir_remove with Al Viro's code.
There must be a better way than me backporting something... [Patrick Naubert]
* Added package to load dependency for developers [Michael Richardson]
* Make ls command explicitly avoid columns, and search both regular
directory and execdir [Michael Richardson]
* When logging ESP keys, be clear about which direction is which [Michael Richardson]
* inet6 protocol does not have netns_ok flag [Michael Richardson]
* Added netns_ok lie to get regression tests to pass [Michael Richardson]
* Changes to work with linux 3.9 [Michael Richardson]
* Fix a typo reported by someone to the dev@lists.openswan.org (https://lists.openswan.org/pipermail/dev/2013-September/003104.html) [Simon Deziel]
* Update links in the README and mention that Python is a dependency
for ipsec verify now [Patrick Naubert]
* Log if we send non-default PLUTO_*_RETRANSMIT_* values via env variables [Paul Wouters]
* NETKEY: linux_pfkey_add_aead() left alg.sadb_alg_reserved uninitialised [Paul Wouters]
* starter: remove prototypes for static functions [Paul Wouters]
* Remove duplicate include of oswlog.h in x509dn.c [Paul Wouters]
* Merge virtif.c header change [Paul Wouters]
* _updown.netkey: fix route to be inserted on correct interface when
nexthop is used [Tuomo Soini]
* Added new option plutostderrlogtime= (default=no) [Paul Wouters]
* Cap xauthpasslen and xauthnamelen at 128 (their buffer size) [Paul Wouters]
* fmt_log() fix similar to previous strncat() use [Paul Wouters]
* xauth: in theory, in xauth_inI0() it could attempt to memcpy NULL [Paul Wouters]
* Ensure not to call same_chunk on a null pointer [Paul Wouters]
* Simplified functions around strncat/snprintf [Paul Wouters]
* Fixup format_end(), do not use strncat but snprintf [Paul Wouters]
* Move the close() call for the sock to the function that created it. [Paul Wouters]
* Undo the close on whack_sock, as it is placed in the state. [Paul Wouters]
* Close dup()ed whack_sock in ipsecdoi_replace() to avoid leaking fd [Paul Wouters]
* Remove other half of ipsec_copyright_notice() [Paul Wouters]
* Include "sysdep.h" in udpfromto.c [Paul Wouters]
* Close socket fd of the interface in _iface_down() [Paul Wouters]
* Fix potential strncat() failure in format_end() [Paul Wouters]
* More strncat() safety checks [Paul Wouters]
* Additional safety checks to alg_info_snprint_esp() and
alg_info_snprint_ah() [Paul Wouters]
* Additional safety checks to addrtot(), inet_addrtot() and sin_addrtot() [Paul Wouters]
* Block rules created by openswan remain even after tunnel establishment [Panagiotis Tamtamis]
* Remove KLIPS define in initiate.c [Paul Wouters]
* DNSSEC: added root and DLV (dlv.isc.org) key for dnssec validation [Paul Wouters]
* ipsec-tools 0.8.0 mistakenly sets some NAT-OA fields that are defined
in RFC1374 as "always zero". We define these as "ft_mbz" (Must Be Zero) [Paul Wouters]
* Fixup some credits. Remove merged contrib code for selinux [Brenda J. Butler]
* Redone and simplified functions around strncat/snprintf for addrtot.c [Paul Wouters]
* Fix addrtot() with a passert and off-by-one [Paul Wouters]
* Move the close() call for the sock to the function that created it. [Paul Wouters]
* Close socket fd of the interface in _iface_down() [Paul Wouters]
* Change name from libreswan.h to openswan.h [Brenda J. Butler]
* Fixup IPSECKEY support with ipv4/ipv6 family and support --precedence [Paul Wouters]
* Updated vendorID to be Openswan specific. Print it with --version [Michael Richardson]
* Remove support for kernels without snprintf [Paul Wouters]
* Remove support for kernels not supporting MALLOC_SLAB [Paul Wouters]
* Remove remaining pre 2.4.4 kernel support [Paul Wouters]
* Remove pre 2.4.4 IP_FRAGMENT_LINEARIZE compat code [Paul Wouters]
* Remove pre 2.4.4 kernel compat for PROTO_HANDLER_SINGLE_PARM [Paul Wouters]
* Remove compat code for SKB_COW_NEW for < 2.4.4. kernels [Paul Wouters]
* Remove compat old/broken IP_SELECT_IDENT for < 2.4.2 kernels [Paul Wouters]
* Remove SKB_COPY_EXPAND for < 2.3 kernels [Paul Wouters]
* Remove /proc dummy code for old kernels (PROC_NO_DUMMY) [Paul Wouters]
* Always add support for alias capability (CONFIG_IP_ALIAS) [Paul Wouters]
* Remove support for NET_23 (kernels before 2.3) [Paul Wouters]
* Remove kernel support predating NETLINK [Paul Wouters]
* Remove /proc support pre-2.4 kernels (PROC_FS_2325/PROC_FS_21) [Paul Wouters]
* Remove more old 2.1 and 2.3 kernel code [Paul Wouters]
* Remove support for kernels without SPINLOCK and SPINLOCK_23 [Paul Wouters]
* Remove support for Linux kernels < 2.1.0 via NET_21 define [Paul Wouters]
* Fixup IPSECKEY support with ipv4/ipv6 family and support --precedence [Paul Wouters]
* Updated ipsec showhostkey to support IPSECKEY [Paul Wouters]
* Fix generating libreswan versions based off git [Paul Wouters]
* Typo fix in man 5 ipsec.conf [Simon Deziel]
* Handle NULL returns from glibc 2.17+ crypt(). [mancha]
* Only use -Wno-error=cpp when GCC's version is >= 4.6 [Simon Deziel]
* Remove debug code [Simon Deziel]
* Call "ss" without using the fully qualified path as this binary is installed in different place depending on the distro [Simon Deziel]
* Removed some /testing links in Makefile.top [Patrick Naubert]
* DPD typo fix: Dectection -> Detection [Simon Deziel]
* Redone and simplified functions around strncat/snprintf for addrtot.c [Paul Wouters]
* Fix addrtot() with a passert and off-by-one [Paul Wouters]
* Move the close() call for the sock to the function that created it. [Paul Wouters]
* Close socket fd of the interface in _iface_down() [Paul Wouters]
* Additional safety checks to addrtot(), inet_addrtot() and sin_addrtot() [Paul Wouters]
* Sync patches with variables names [Paul Wouters]
* Log a warning for NETKEY/XFRM breaking RFC 4301, Section 5.2 [Paul Wouters]
* Always assume UDPFROMTO works on Linux and BSD [Paul Wouters]
* Only set MODP768_MODULUS with USE_VERYWEAK_DH1 [Paul Wouters]
* updown: Delete the source ip address on down only for Cisco peer [Paul Wouters]
v2.6.39 (May 31, 2013)
* Hardening patches from Florian Weimer
* Created .in files for distro packages [Patrick]
* Target deb builds for Precise instead of Lucid [Simon]
* Enable hardened builds by default [Simon]
* Bring 'ipsec policy' back from the dead [Simon]
* Drop the builddep on htmldoc and man2html as those are not needed anymore [Simon]
* CVE-2013-2053 fix: Integrated fix from Andreas Steffen
* Refactor x509dn to separate out atodn from other functions [MCR]
* Fixed regression test to be 64-bit and IPv6 aware [MCR]
* Patches for kernel 3.9 and changes to work with Linux 3.9 [MCR]
* Nightly builds fixes and whitespace fixes [MCR]
* Fix for three AES-GCM issues with key lengths 128, 192, 256 bits and IV
of 8, 12, 16 bytes as per RFC 4106 [Avesh]
* SAREF: kernel patches updated to linux 3.2.0 [Simon]
* Refresh debian/control files to point to the right git URL [Simon]
* KLIPS: startklips-ip_route patch [Harald]
* MAST: updown.mast-scriptfix patch [Harald]
* Refresh debian/po from Debian [Simon]
* Fixed ipsec verify to avoid perl and use python instead. It helps during a minimal install, since openswan then does not have to pull in perl packages and a minimal install stays minimal. Also removed compilation of the ipsec policy subprogram as it is not needed with NETKEY. [Paul]
* NATT: rhbz #834400 NAT-OA reserved field issue. [Avesh]
* rhbz #834396 Coverity scan fixes, warnings, dead code. [Avesh]
* rhbz #785180 openswan uses ifconfig which is deprecated. [Avesh]
* barf: ipsec barf should not grep sparse file. [Paul]
* XAUTH: Phase 1.5 (which is what openswan calls xauth and modecfg) is not handled properly when only xauth (without modecfg) is used. [Avesh]
* Interop: Fixes to interop issues (related to updating/removing local interface with remote ip address and removing local routes) between cisco ASA and openswan. [Avesh]
* XAUTH: Fixes to interop issues between cisco ASA and openswan in main mode. These fixes prevent xauth/modecfg negotiation during IKE rekey in main mode. [Avesh]
* rhbz #831676 [Avesh]
* IKE: ikev1 aes-gcm esp fixes [Avesh]
* IKE: ikev1/ikev2 sha2-256 related changes [Avesh]
* rhbz#609343: pluto crashes when removing logical interface [Avesh]
* Reading password from a file when creating keys. [Avesh]
* IKEv2: IKEv2 RFC4306/5996 related changes [Avesh]
* Interop: Fixes to solve interop issues between cisco ASA and openswan in aggressive mode. [Avesh]
* Fix for the issue where ipsec help shows the list twice (rhbz 524146, 509318) [Avesh]
* relpath changes [Avesh]
* Bugtracker bugs fixed:
#1308 forceencaps= setting does now show up in "ipsec auto --status"
[Matt Rogers]
#1329 IKEv2 core dumps on 2.6.32 with changes backported from the 2.6.38
tree [Steve Lanser]
#1349 pluto logging no subjectAltName matches ID '%fromcert', replaced
by subject DN [Tuomo]
#1371 SAref patches 3.2.0 [Simon]
* Fix url to bugs system. [Tuomo]
v2.6.38 (March 23, 2012)
* DPD: seq_no logged after hton() call [Shinichi Furuso]
* DPD: With multiple phase 2 SAs, we sent too many [Shinichi Furuso]
R_U_THERE's
* barf: iptables-save on suse is in /usr/sbin, not /sbin [Paul/Shinichi]
* SUSE: Package compliant with Kernel Module Package Manual [Shinichi Furuso]
* verify: fix false positive on IP forwarding (perl dependent) [Steve Delaney]
* IKEv2: Introduced new keyword narrowing=yes|no [Paul]
* IKEv2: Send TS_UNACCEPTABLE when narrowing would violate local policy [Paul]
* IKEv2: Fix for multiple SAs to the same peer with different ports [Avesh]
* IKEv2: IKE-SA_INIT with INVALID_KE_PAYLOAD Notify Payload should
continue [Avesh]
* IKEv2: incorrectly sent PAYLOAD_MALFORMED on unknown minor version [Avesh]
* IKEv2 should ignore unknown RESERVED bits in payload [Avesh]
* IKEv2: Implement sending higher IKEv2 major and minor versions [Paul]
* IKEv2: Delete SA states added to state machine [Avesh]
* IKEv2: Informational Exchange added [Avesh]
* hostpair: initial_connection_sent was never set to not FALSE [Avesh]
* Crypto: handle leading zeroes in DH keys [Avesh]
* Add PLUTO_IS_PEER_CISCO= to updown scripts [Avesh]
* XFRM: update userland copies of xfrm.h netlink.h rtnetlink.h [Paul/Avesh]
* SHA2 fix when pluto is compiled without USE_EXTRACRYPTO [Paul/Tuomo]
* SHA2: Fix for Linux kernel using bad sha2_256 truncation (96 instead of 128)
(to get the old behaviour for interop, specify sha2_truncbug=yes) [Paul]
* Fix two format string buglets [Moritz Muehlenhoff]
* XAUTH: Support unbound as local resolver in remote_peer_type=cisco [Paul]
* NATT: Fix iphone/iOS by removing outdated OSX NAT-T workarounds [Paul]
* SAREF: kernel patches updated to linux 3.0.0 [Jonathon Padfield]
* SAREF: fix all patch versions to use new numbers for SAREF [Paul]
* Fix various compiler warnings in lib, pluto and ikeping [dhr]
* Various ESP_* and AH_* fixes/updates from IANA [Paul]
* Fix authalg in esp_info to be u_int16_t, not u_int8_t [Paul]
* Debian: Various Debian packaging fixes [Simon]
* KLIPS: Fix crasher on returning -ENODEV from ppp devices [David]
* XAUTH: Support dynamic config update for unbound DNSSEC resolver [Paul/Tuomo]
* Remove non-iproute2 version of _updown.klips and its USE_IPROUTE2 [Paul]
* Bugtracker bugs fixed:
#1263 /usr/lib/ipsec/_startnetkey selects wrong default gateway if there
are multiple [Petr Tichy]
#1314 update the updateresolvconf routines to be able to reconfigure
locally running unbound [Paul]
#1322 get rid of unused bucketno argument in state_hash [Paul]
#1326 0001-SAREF patch not compiling on 3.0.0 [Jonathon Padfield]
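Two of the v2.6.38 interop fixes above (leading zeroes in DH keys, and the 96- versus 128-bit sha2_256 truncation behind sha2_truncbug=) are easier to see in code. The following is an added Python illustration written for this changelog, not Openswan code; the modulus, exponents, nonces, key and payload are all constructed, and HMAC-SHA-256 stands in for whatever PRF or integrity algorithm the SA actually negotiated.

```python
"""Added illustration (not Openswan code) of two IKE/ESP interop pitfalls
fixed in v2.6.38: DH shared secrets that lose their leading zero bytes, and
HMAC-SHA-256 ICVs truncated to 96 instead of 128 bits (RFC 4868)."""
import hashlib
import hmac

# Constructed 16-byte modulus (2**127 - 1 is prime); real MODP groups are larger.
P = 2**127 - 1


def dh_shared_secret(peer_public: int, own_private: int, p: int = P) -> bytes:
    """g^xy mod p, big-endian, at the full width of the modulus.
    The zero padding is part of the value fed to the PRF; dropping it is the
    classic bignum-to-bytes mistake and changes every key derived from it."""
    secret = pow(peer_public, own_private, p)
    return secret.to_bytes((p.bit_length() + 7) // 8, "big")


def strip_leading_zeroes(secret: bytes) -> bytes:
    """The buggy encoding: minimal-length big-endian integer."""
    return secret.lstrip(b"\x00") or b"\x00"


def skeyid(nonce_i: bytes, nonce_r: bytes, gxy: bytes) -> bytes:
    """SKEYID = prf(Ni_b | Nr_b, g^xy) for signature authentication
    (RFC 2409, 5.3), with HMAC-SHA-256 standing in for the negotiated PRF."""
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha256).digest()


def dh_padding_mismatch() -> bool:
    """True when a peer that strips leading zeroes derives a different SKEYID.
    Exponents are constructed so the secret is 2**5 = 32, i.e. 15 leading
    zero bytes in a 16-byte encoding."""
    gxy = dh_shared_secret(2, 5)
    ni, nr = b"\x01" * 8, b"\x02" * 8  # constructed nonces
    return skeyid(ni, nr, gxy) != skeyid(ni, nr, strip_leading_zeroes(gxy))


def esp_icv(key: bytes, data: bytes, trunc_bits: int) -> bytes:
    """HMAC-SHA-256 truncated to its leftmost trunc_bits, as ESP carries it.
    RFC 4868 fixes this at 128 bits; the old Linux kernel used 96."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError("truncation must be a whole number of bytes up to 256 bits")
    return hmac.new(key, data, hashlib.sha256).digest()[: trunc_bits // 8]


def icv_verifies(key: bytes, data: bytes, received: bytes, trunc_bits: int) -> bool:
    """Receiver-side check: expected length, then constant-time comparison."""
    expected = esp_icv(key, data, trunc_bits)
    return len(received) == len(expected) and hmac.compare_digest(expected, received)


def sha2_interop(sender_bits: int, receiver_bits: int) -> bool:
    """Does a packet authenticated with sender_bits verify at a receiver that
    expects receiver_bits?  128/128 (RFC 4868) and 96/96 (sha2_truncbug=yes on
    both ends) pass; a 96/128 mismatch is the failure this release addresses."""
    key = bytes(range(32))  # constructed authentication key
    pkt = b"constructed ESP payload"  # constructed protected data
    return icv_verifies(key, pkt, esp_icv(key, pkt, sender_bits), receiver_bits)


if __name__ == "__main__":
    print("DH padding mismatch changes SKEYID:", dh_padding_mismatch())
    for s, r in ((128, 128), (96, 96), (96, 128)):
        print(f"sender {s}-bit ICV, receiver expects {r}-bit:", sha2_interop(s, r))
```

Both failures look the same from the outside (the peer's AUTH or ICV simply does not verify), which is why the DH one went unnoticed until a shared secret happened to start with a zero byte, and why sha2_truncbug= exists as an explicit knob rather than an auto-detected fallback.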
v2.6.37 (October 28th, 2011)
* Fix for CVE-2011-4073 crypto helper crash [Paul/dhr]
* KLIPS: Fixes to run on Linux 3.1 [David McCullough / Greg Ungerer]
* KLIPS: Fix sending icmpv6 packets in an ipv6 ipsec tunnel [David McCullough]
* Fix for ike_alg_get_encrypter() possibly returning NULL [Steve Grubb]
(this is rhbz#747852)
* Bugtracker bugs fixed:
#1241 vhost allows connections with subnets proposed and ignores
virtual_privat [Wolfgang Nothdurft]
v2.6.36 (October 5th, 2011)
* CVE-2011-3380 Openswan IKE invalid key length fix [Paul/Hugh]
* auto: Add --checkpubkeys option for checking expiry of X.509 certs
[Mika Ilmaranta]
* Update building (with SAref) on SLES10 / SLES11 / Opensuse [Shinichi Furuso]
* KLIPS: backported 2.6.19 CryptoAPI for SuSe kernels [Shinichi Furuso]
* KLIPS: ipsecdevices index overflow [Shinichi Furuso]
* KLIPS: cleanup off by one interface, prevented module unload [Shinichi Furuso]
* tncfg called incorrectly for adding more ipsecX interfaces [Shinichi Furuso]
* KLIPS: ipsec_sa_getbyid() did not work properly on IPv6 [Shinichi Furuso]
* NAT-T: Fix delete for port floating case [Shinichi Furuso]
* IKEv2: We always sent the openswan VID instead of using #ifdef [Avesh/Paul]
* IKEv2: ikev2_get_dcookie used SHA1Update() with pointer size [Avesh]
* TESTING: Added some more consistent logging in prerunsetup() [Paul]
* pcr_init() should memset the request helper size, not pointer size [Avesh]
* Prevent dereferencing ctx->trans_cur in db_trans_add() [Avesh/Paul]
* XAUTH: whack_get_value() never decremented "tries" [Avesh]
* Fix closing fd in lib/libopenswan/oswconf.c [Avesh]
* rsasigkey: configdir is always set in the NSS #ifdef part [Avesh]
* examples: clarify hub-spoke netkey design [Tuomo]
* NAT-T: Fixed logging for broken NAT-T keepalives [Tobias Brunner]
* Use iptables-save instead of iptables -L if possible (rhbz#737973) [Avesh]
* ipsec verify: New kernels use nf_conntrack instead of ip_conntrack [Avesh]
* LDAP/CRL needs liblber (rhbz#737975) [Avesh]
* SAREF: kernel patch added for Linux 2.6.36 and 2.6.38 [Paul]
* SAREF: Remap IP_IPSEC_REFINFO/BINDREF from 22/23 to 30/31 [Sony Japan]
* Disable USE_IPSECPOLICY per default, was only proof of concept code [Paul]
(local user could cause pluto to stop responding if /var/run is a tmpfs
mount and /var/run/pluto was manually deleted, Found by Sony Japan)
* Bugtracker bugs fixed:
#1270 malloc is being used which does not use alloc_bytes/pfree [Paul]
v2.6.35 (July 23, 2011)
* OCF: Fix accidental 'always' setting of large resources [Sony Japan]
* OCF: Give a hard #error in ipsec_ocf.h without proper CONFIG_KLIPS_OCF [Paul]
* OCF: Only include ipsec_ocf.h when using CONFIG_KLIPS_OCF
* MAST: Add ipsec_xmit_sanity_check_dev() in the mast path [Paul]
* MAST: Be more careful about {mast,ipsec}priv structure [Bart]
* MAST: Fix host-host connections, bug introduced in v2.6.34 [David]
* SAREF: Fix crasher in ipsec.ko unload with saref kernel [Sony Japan]
* SAREF: ip_cmsg_recv_ipsec_refinfo() doesn't initialize refs array [Sony Japan]
* SAREF: Added null check of secpath_dup(NULL) [Sony Japan]
* KLIPS: Fix possible double skb free [Sony Japan]
* KLIPS: Fix MTU on interface - bug introduced in 2.6.33 [Wolfgang Nothdurft]
* KLIPS: debug messages often had pre-refactor names in prefix [Paul]
* DPD: Do not ignore failure in dpd_init() but return STF_FAIL [Paul]
* pluto: Fix IPcomp pull-up from 2.4 introduced in 2.6.20 [Paul]
(malloc <-> pfree caused assertion with LEAK_DETECTIVE set)
* pluto: st_peeridentity_port missed ntohs() causing interop
failure between big/little-endian machines [Magnus Öberg]
* pluto: Fix for Tuomo's (rare) crasher where globals were not reset [dhr]
v2.6.34 (June 8, 2011)
* Fix build without USE_EXTRACRYPTO introduced in 2.6.33 [Tuomo]
* Fix new leftmtu= option to pass correctly to _updown [Mattias Walstrom]
* Add Apple iOS work-around to l2tp example configs [Tuomo]
* KLIPS: Support to compile on Linux 2.6.38 and 2.6.39 [David]
* KLIPS: Make sin_family setting in delflow the same as addflow [David]
* KLIPS: IPv6 and SLES10 compile fixes [Sony Japan]
* KLIPS: IPv6 outbound policy check used wrong index [Sony Japan]
* KLIPS: Enable CryptoAPI per default [Paul]
* KLIPS: Module unload fixes [David]
* KLIPS: Routing cache corruption due to ip_select_ident [David]
* KLIPS: Only fixup the ethernet header it might be on [David]
* KLIPS: Fix for ixs->skb->dev is null at the top of ipsec_xmit_send [David]
* MAST: refcount bug in transport mode prevented ipsec.ko unload [Sony Japan]
* MAST: Don't autopick mast [David]
* NETKEY: Fix AH mode [Avesh]
- rh #704548
* DYNDNS: using hostnames could lead to loss of ports in SA [Avesh]
- rh #703473
* Many uml testing harness fixes and updates, mostly IPv6 related [Paul/Hugh]
* "ipsec look" now shows NETKEY/XFRM and IPv6 routing table [Paul]
* "ipsec look" now shows iptables NEW_IPSEC_CONN mangle table [Paul]
* "ipsec look" and "ipsec barf" now shows ip6tables like iptables [Paul]
* Fix inbound policy --addin, and added --replacein [David]
* KLIPS: Fix family check when policies are not set [David]
* MAST: Fix family check when policies are not set [Sony Japan]
* Improve build speed (don't recalculate build version all the time) [David]
* XAUTH: Fix rekey with Cisco when remote_peer_type=cisco [Avesh]
* Openswan (IKEv2/IKEv1) icmp issue (redhat bz 681974) [Avesh]
* IKEv2: port range was hardcoded to 0-65535, not local policy [Avesh]
* MAST: Fix oops on module unload [David]
* Improve build speed, calculate version once [David]
* Import OpenWRT packaging updates [Simon]
* contrib: added openswan patch for 2.4.37.9 [Yannick Koehler]
* KLIPS: Fix for compiling on 2.6.22 (Fedora Core 6 based) kernels [Paul]
* KLIPS IPV6: Fix packet fragmentation [Paul]
* Added PLUTO_CONN_ADDRFAMILY= to updown.* (to disable SAref on v6) [Paul]
* KLIPS: cleanup packaging/*/config-* files [Paul]
* Fix a bunch of gcc unused-but-set-variable warnings [Paul]
* Fix some WERROR warnings [mcr]
* Various file descriptor leaks and minor memleaks [Avesh/dhr]
* Removed reference to http://www.freeswan.org from ipsec --help [Tuomo]
* Bugtracker bugs fixed:
#1233 WARNING: at net/ipv4/af_inet.c:151 inet_sock_destruct on stop [David]
v2.6.33 (February 18, 2011)
* Merge in the klips-ipv6 branch [David]
* modprobe more crypto modules on startup (gcm, camellia, sha2* etc) [Paul]
* Added %v4:26/8 to virtual_private ("thanks" to T-Mobile/Rogers/FIDO) [Paul]
* Pluto did not start nhelpers due to --nofork, bug introduced in 2.6.32 [Paul]
* OCF: Set the OCF queues to 10000 when 256MB+ RAM and 1000+ bogomips [Paul]
* Improved NetworkManager support [Avesh]
- This is Red Hat bugzilla 642722, 658253, 659709 and 641068
* ipsec verify now also shows parse errors in ipsec.conf [Paul]
* Always build SHA2 family support for IKE [Paul]
* KLIPS: Add a new option to override the replay window via /sys [David]
(echo 0 > /sys/module/ipsec/parameters/ipsec_replaywin_override)
* Add aesni_intel to the list of crypto modules we attempt to load [Paul]
* enable dumpdir= in stock ipsec.conf for use with abrtd [Paul]
* New per-conn keyword mtu= allows setting the mtu per tunnel [Paul]
* per-conn keyword metric= did not export to userland or updown [Paul/Tuomo]
* Cleaned up and moved some old docs [Paul]
* KLIPS: arp_broken_ops is no longer exported in 2.6.37+ [Paul]
* KLIPS: Fix crasher in ipsec_xmit_state_delete [David]
* KLIPS: Fix oops if packet is received on detached tunnel [David]
* Bugtracker bugs fixed:
# 601 KLIPS: NAT-OA UDP checksum bad in transport mode when both sides are
NATted [Wolfgang]
# 645 hundreds of replacements [...]: 000 #3: pending Phase 2 [Anthony Tong]
#1182 Verification of X509 certificate signed by SHA2 [fryasu@yahoo.co.jp]
#1183 Fix documentation typo (in ipsec.conf) [Tuomo]
#1190 nat-t broke on transport mode for klips between 2.6.31 and 2.6.32
[Paul]
#1199 when leftsubnet has a different netmask than the localnet, a route
is added for the localnet to the ipsec device [Tuomo]
#1201 dpd + ddns does not work [Mattias Walström]
#1204 Workaround for iPhone/MacOS X NAT problem [Wolfgang Nothdurft]
#1210 Fails to compile with uClibc >= 0.9.29 [mb@openwrt]
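The ipsec_replaywin_override knob in the v2.6.33 list above changes the ESP anti-replay window that KLIPS keeps per SA. To show what that window actually does, and what giving it up means, here is an added Python model of the RFC 4303 Appendix A sliding window; it is an illustration written for this changelog, not KLIPS code, a window size of 0 is modelled here as "no replay checking at all", and the sequence numbers fed to it are constructed.

```python
"""Added illustration (not KLIPS code) of the ESP anti-replay window that
ipsec_replaywin_override changes: the RFC 4303 Appendix A sliding window
over sequence numbers.  Window size 0 is modelled as 'no replay checking'."""
from typing import List


class ReplayWindow:
    def __init__(self, window_size: int = 32):
        self.size = window_size
        self.last_seq = 0  # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number last_seq - i already accepted

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay
        or falls to the left of (older than) the window."""
        if self.size == 0:
            return True  # override in effect: nothing is ever rejected
        if seq == 0:
            return False  # 0 is never a valid ESP sequence number (RFC 4303 3.3.3)
        if seq > self.last_seq:
            # Advance the window; anything shifted out is now "too old".
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            else:
                self.bitmap = 0
            self.bitmap |= 1
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False  # older than the window: dropped, cannot be checked
        if self.bitmap & (1 << diff):
            return False  # already seen: replay
        self.bitmap |= 1 << diff  # late but fresh: accept and mark
        return True


def simulate(window_size: int, seqs: List[int]) -> List[bool]:
    """Feed a constructed sequence of ESP sequence numbers through one SA."""
    win = ReplayWindow(window_size)
    return [win.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed traffic: a replay of 3, a late-but-fresh 2, a jump to 100,
    # then an old packet (5) that now lands outside the window.
    sample = [1, 3, 3, 2, 100, 5]
    print("window 32:", simulate(32, sample))
    print("window 0 :", simulate(0, sample))
```

The window size is a trade-off: a larger window tolerates more reordering (a late packet with diff below the size is still accepted once), while 0 removes the replay check entirely, so an override to 0 should be a deliberate choice for a path that reorders badly, not a default.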
v2.6.32 (December 17, 2010)
* Remove by default forced -DLEAK_DETECTIVE [Tuomo]
* Makefile.inc now uses USE_LEAK_DETECTIVE?=false [Paul]
* NOMMU: Add -DCOMPILER_HAS_NO_PRINTF_LIKE to support arm-elf-gcc [Paul]
* NOMMU: If pluto is started with --nofork, then also disable nhelpers [Paul]
* NOMMU: Added HAVE_NO_FORK?= option to Makefile.inc (default false) [Paul]
* INTEROP: Ignore IKEv1 notification type 40001 (Netscreen private use)
[Andreas/Daniel]
* IKEv2: Fix crash on receiving retransmitted STATE_PARENT_I2 on bad AUTH [Paul]
* IKEv2: Check for USE_TRANSPORT_MODE in all received notification payloads,
not just the first notify payload. This is Red Hat bugzilla 646718 [Avesh]
* MAST: The mastX interface no longer gets/needs an IP address [Paul]
* MAST: avoid routes towards virtual ipsecN interface [Bart/Roel]
* Support for Isomorphic Algorithms and Identity Disks [Olivia Wilde]
* SAREF: set sareftrack=yes as the default policy [Paul]
* Fix printf format arguments [Simon]
* Added ipsec addconn --checkconfig and initscript support [Harald]
* Fix for: either "local" is duplicate, or "secondary" is garbage [Simon]
* KLIPS: Better interface handling in _startklips [Paul]
* fix interface parsing in getinterfaceinfo() [Bart/Roel]
* KLIPS: Support more than 9 ipsec/mast interfaces in parser [Simon]
* OCF: Change some hardcoded variables to module parameters [David]
 - ipsec_ocf_batch(1): Make OCF queue packets rather than process immediately
 - ipsec_ocf_cbimm(1): Does OCF immediately (i.e., at irq time) run callbacks
   or queue and call later
 - ipsec_ixs_cache_allocated_max(1000):
* OCF: Fix up usage of crp_olen as returned from ocf [David]
* OCF: Order algs correctly for processing when mixing AUTH/CIPHER algs [David]
* OCF: Update to OCF for SMP systems to allow using multiple CPU's [David]
* OCF: Added /proc/net/ipsec/ocf to indicate if we support OCF or not [Paul]
* OCF: move netif_wake_queue inside the lock in ipsec_xmit_state_delete [David]
* OCF: OCF: Attempt to load OCF kernel HW module on startup [Paul]
* SMP/OCF: Fix up queue stop/start on SMP systems [David]
* OCF: Fix OCF deadlock (do not call schedule with a lock) [David]
* Fix bad memory read with full debugging enabled (pbs_room vs pbs_left) [Dhr]
* Fix bad memory read with -lefence in osw_alias_cmp() [Dhr]
* Fix for STF_INLINE case in quick_inI1_outR1_cryptocontinue1() [Dhr]
* KLIPS: make kpatch is more robust, less manual patching [Paul]
* UML: Various minor fixes to get uml system back online [Paul]
* SPEC: Add "development" define in spec file to build devel version [Tuomo]
* RSA: Fix generation of ipsec.secrets when missing on first startup [Paul]
* DPD: DPD_ACTION_RESTART would always execute DPD_ACTION_RESTART_BY_PEER [dhr]
* DPD: DPD_ACTION_CLEAR crash on CK_INSTANCE with -lefence [Tuomo]
* DPD: flush_pending_by_connection() when doing a %clear on DPD timeout [dhr]
* NAT: Put old/new style chatter into DBG_NATT [Paul]
* NETKEY: Reduce bogus noise about Old/New NAT-T support [Paul]
* Bugtracker bugs fixed:
#1095 Local packets are dropped on ipsec device when marking packets in
OUTPUT chain [Wolfgang Nothdurft]
#1160 init.d script not reporting correct exit status on config parse
error [James Mead]
#1162 IKEv2 transport mode interop with racoon [PATCH] [Avesh]
#1170 pluto option --impair-shared-phase1 causes segfaults on --down'ing
a connection
v2.6.31 (October 18, 2010)
* Fix for OCSP compile of commit 934ce6c9443832c [Paul]
v2.6.30 (October 18, 2010)
* Fix for: ASSERTION FAILED at connections.c:1579: c->kind == CK_TEMPLATE
[Paul]
* Add --listen/listen= option to limit listening to a single IP [Paul]
* sa_policy_bit_names was missing ModeConfig DNS and WINS bit names [Paul]
* SAREF: Add sareftrack=<no|yes|conntrack> connection option [Paul]
* Fix for "handling event EVENT_RETRANSMIT for <invalid>" [Paul]
* Fix for specifying protport=47 (GRE has no ports) [Paul]
* IKEv2: Don't fill traffic selector struct in IKEv2 child SA when not recv'd
[Paul]
* MODULES: Add geode-aes to the list of crypto modules to load [Paul]
* Don't install ipsec init script as /etc/init.d/setup [David]
* Don't create rc.? symlinks - let user use chkconfig etc instead [Paul]
* Bugtracker bugs fixed:
# 252/619 more than 20 payloads in message; ignored [paul]
# 690 ipsec lwdnsq --help not implemented
# 860 Port --random for newhostkey [Paul]
#1005 Incorrect message "R_U_THERE_ACK has unexpected sequence number"
[Mike]
#1040 Fix to compile without DEBUG [Paul]
#1054 Startup warning: "ignored obsolete keyword (null)" [Michael Smith]
#1112 Prototypes only, if function enabled in c-source with KLIPS or
PFKEY [Henry N.]
#1115 Fix various warnings u_char * vs. char * for sscanf,... [Henry N.]
#1149 pluto uses empty NAT_OA as IDci, Server behind NAT and non natted
Windows XP [Wolfgang Nothdurft]
#1151 The ipsec module is not removed by 'ipsec setup stop' [Paul]
v2.6.29 (September 27, 2010)
! This release is made for CVE-2010-3302 and CVE-2010-3308
! Duplicate CVE ids for these are CVE-2010-3752 and CVE-2010-3753
* XAUTH: Avoid buffer overflow in CISCO DNS info [dhr/paul]
Avoid shell problems with single quotes in CISCO DNS parameters [dhr/paul]
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3302
* XAUTH: Avoid buffer overflow in CISCO BANNER [dhr/paul]
Avoid shell problems with single quotes in CISCO parameters [dhr/paul]
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3308
* NETKEY: Fix for spurious %hold netlink-acquires [Paul/dhr]
* KLIPS: Fix compiling on 2.6.18 based RHEL5 kernels [Paul]
* Various fixes based on automated source code review [dhr]
* SAREF: Updated for 2.6.35 kernel [Harald]
* KLIPS: Updated for 2.6.35 kernel [Harald]
* PACKAGING Use Epoch 1: for Debian/Ubuntu [Simon]
* MAST: fix iptables rule "leak" on rekey [Bart]
* MAST: use only the most recent iptables rule [Bart]
* pluto: restrict rekeymargin to be smaller than salifetime [Bart]
* MAST: ensure we don't end up with mtu=0 on mast0 [Bart/Paul]
* MAST: enforce outgoing tunnel policy [Bart]
* MAST: use addflow pfkey command to set policy on tunnel SAs [Bart]
* Added a new pfkey flag, POLICYONLY, to the ADDFLOW command [Bart]
* MAST: allow for setting of policy for inbound SAs [Bart]
* MAST: favour deleting an SA even if the pfkey op failed [Bart]
* HAVESTATSD: Log new phase2 messages as a result of a rekey [Paul]
* MAST: use iptables --comment to show the conn name [Bart]
* VNET: differentiate instantiation of road warriors and vnet [Paul]
* Log LEAK_DETECTIVE and HAVE_LIBNSS support on startup [Paul]
* IKEv2 connections were broken since 2.6.25 [Avesh]
* MAST: new "ipsec policy" command replaces "ipsec eroute" [Bart]
* Fix SElinux warning in realsetup (bz628879) [Avesh]
* Support for SHA2_256 in IKEv2 (bz621790) [Avesh]
* IKEv2: Fix for using MD5 and PRF conversion function [Avesh]
* SAREF: Improved workaround for rp_filter [Bart]
* NSS: Increase minimum nss for rhbz#453577 [Paul]
(this allows us to revert workaround in git 6c8ff2791d1)
* SAREF: Added /proc/net/ipsec/saref that shows kernel patch state [Bart]
* SAREF: Add SAref checks to ipsec verify [bart/paul]
* A bunch of Makefile.inc variables could not be overridden properly [Paul]
* Bugtracker bugs fixed:
#1042 NF_INET_LOCAL_OUT vs NF_IP_LOCAL_OUT still broken [David]
#1102: Ensure KLIPS still works on older kernels [Paul]
#1113: crypt_dh.c: Fix "warning: multi-line comment" [Tuomo]
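The two CVE entries at the top of the v2.6.29 list describe the same pair of defects twice: a ModeConfig attribute supplied by the peer (the Cisco DNS information and the banner) copied into a fixed buffer without a length check, and then handed to the updown shell script without quoting. The following is an added Python illustration of the checks a defender wants on that path, written for this changelog and not Openswan's C code; BANNER_MAX, the helper names and the sample values are constructed, and PLUTO_PEER_BANNER is the updown variable named elsewhere in this file.

```python
"""Added illustration (not Openswan code) of the two defects behind
CVE-2010-3302 and CVE-2010-3308: a peer-supplied ModeConfig attribute (Cisco
DNS domain, banner) copied into a fixed buffer with no bound, then exported
to the updown shell script without quoting.  Bounds and names are constructed."""
import re
import shlex

BANNER_MAX = 1024  # constructed bound; the real buffer size is not given here
DOMAIN_MAX = 253   # longest hostname RFC 1035 allows
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def fits(value: bytes, limit: int) -> bool:
    """The missing length check: does the attribute fit the destination buffer?"""
    return len(value) <= limit


def bounded_copy(value: bytes, limit: int) -> bytes:
    """Copy only when it fits; rejecting is the alternative to writing past the end."""
    if not fits(value, limit):
        raise ValueError(f"attribute too long ({len(value)} > {limit})")
    return bytes(value)


def valid_domain(name: str) -> bool:
    """Accept only a syntactically valid DNS name before it goes near resolv.conf."""
    if not 0 < len(name) <= DOMAIN_MAX:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def export_banner(value: bytes) -> str:
    """Build the PLUTO_PEER_BANNER assignment for the updown environment.
    shlex.quote handles embedded single quotes (the CVE-2010-3308 case) and
    any other shell metacharacter; control characters are replaced first."""
    text = bounded_copy(value, BANNER_MAX).decode("ascii", "replace")
    text = "".join(ch if ch.isprintable() or ch == "\n" else "?" for ch in text)
    return "PLUTO_PEER_BANNER=" + shlex.quote(text)


if __name__ == "__main__":
    print(export_banner(b"Welcome to O'Brien's VPN"))  # constructed banner
    print(valid_domain("corp.example.com"), valid_domain("not_a_domain"))
    print(fits(b"x" * 4096, BANNER_MAX))
```

The order matters: the length bound is enforced before anything is decoded or quoted, so an oversize attribute is rejected as a whole rather than truncated into something that still reaches the shell.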
v2.6.28 (July 29, 2010)
* MAST: Fix SAref vmalloc() call that could cause a kernel panic [Bart]
* SAREF: rework exported interface to avoid might_sleep() during rcu lock [Bart]
* SAREF: Use the correct mask when updating nfmark in rcv path [Bart]
* MAST: Cleanup updown.mast iptables rule management [Bart]
* MAST: Rework mast init scripts to use conntrack [Bart]
* MAST: Remove iptables rules after SA is deleted [Bart]
* SAREF: Fix bug in stream-socket saref mode [Bart]
* SAREF: Ported to apply on Linux 2.6.34 [Harald]
* MAST: Fix for NAT-T mode (set ixs->outgoing_said in mast mode) [Bart]
* MAST: Fix module unload with mast [Bart]
* Allow rightsubnet=vnet:%priv rightprotoport=17/%any w/o right=%any [Paul]
* SAREF: Log SAref and SAbind capabilities on pluto startup [Paul]
* Log tunnel down with HAVE_STATSD as "down", not "unknown" [Paul]
* Changes to _realsetup.in for making the init script LSB compliant [Avesh]
rhbz #594767
* _startnetkey update for DNS and NetworkManager [Avesh]
* SAREF: fix bug in stream-socket saref mode [Bart]
* Added TCP header flags to ipsec_print_ip() output [Bart]
* KLIPS: Don't fail non-existent header_ops (breaks ppp) [David]
* KLIPS: ip_select_ident hashing fix in AH xmit path [Kirill Berezin]
* HAVE_STATSD: Fix phase1/phase2 logging through HAVE_STATSD interface [David]
* HAVE_STATSD: log output fix when two connections share a phase1 [David]
* HAVE_STATSD: Slightly clarified and changed log messages [Paul]
* SAREF: Clarified defines and fixed nfmark printing in HAVE_STATSD [dhr/Paul]
* MAST: Temp workaround in _updown.mast for martians problem [Bart/Paul]
* Cleanup source code to use C-style comments [Tuomo]
* Bugtracker bugs fixed:
# 1120: [PATCH] netlink receive buffer size too small for linux 2.6.32
[Roman Hoog Antink]
v2.6.27 (June 21, 2010)
* Fixes to the SAREF / MAST code to avoid recursion loops [Bart]
* KLIPS compile fixes for 2.4 kernels [David]
* Memory leak fix unshare_connection_strings [Shinichi Furuso]
* define ALLOW_MICROSOFT_BAD_PROPOSAL to allow connecting to behind NAT [Paul]
* Missing load_oswcrypto() call 'ipsec showhostkey' [Kevin Locke]
(this is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575757?)
* Log the netfilter mark (him/me) with HAVE_STATSD=true [Paul]
* saref-bind kernel patch that allows setsockopt() to an saref [Bart]
* Rename /bin/statsd to /bin/openswan-statsd with HAVE_STATSD=true [Paul]
* contrib/sarefnc is netcat (nc) with saref settable option [Bart]
* Allow multiple proposals in Aggressive Mode, as long as the DH group is
the same for all of them [Michael H. Warfield]
* alg_info_addref() needed #ifdef KERNEL_ALG like alg_info_delref() [Shinichi]
* Remove the obsolete _confread script. [Simon]
* Correct the creation of the directory /var/lock/subsys. [Simon]
* Set a default value for IPSECsyslog in setup to avoid logger errors. [Simon]
* Cleanup source code to use C-style comments [Tuomo]
* Enable addconn to read config from stdin when called with --config - [Simon]
* Fix for broken enum_names regarding ENCAPSULATION_MODE_TUNNEL* [Paul]
* Fix for a few gcc warnings in dnskey.c and xauth.c [Paul/Simon]
* Fix for kernel_pfkey.c bad_case(esatype) introduced in 2.6.25 [Bart]
* Bugtracker bugs fixed:
# 76: ipsec verify warns about no RSA key when using X509 pem files [Paul]
#1074: virtual_private broken on U2.6.19/K2.6.27.25-78.2.56.fc9.i686?
Fix virtual_private checks to give correct warnings [Tuomo]
#1101: protoport code and nat-t code are switching ports with netkey
[Mika Ilmaranta/Tuomo]
#1106: Incorrect xfrm policy with both-NAT client connection [Paul]
v2.6.26 (May 25, 2010)
* KLIPS fixes for 2.6.33 kernel [Greg Ungerer/David]
* RFC-5114 Diffie-Hellman group 22, 23 and 24 support [Avesh]
* Revert broken work-around for nspr4 warning [Tuomo]
* Copy David's klips fixes to netlink where they are needed too [Tuomo]
* Fix bogus initiations of existing tunnels on netkey introduced
in 2.6.25 [Tuomo]
* Compile fixes for compiling without NAT_TRAVERSAL [Paul]
* Fix pfkey error on tunnel deletion [David]
* Fix up eroute_connection for klips [David]
* When we ASSERT, show where we asserted [Bart]
* Merge in #osx branch [Paul]
* Fix eroute_type to satype conversion for pfkey [Bart]
* Fix confusion about transport_proto and proto in comments and bsdkame [Tuomo]
* Updated SecureClient patch for hybrid mode in contrib [Yair Elharrar]
* remote_peer_type= support for whack [Avesh Agarwal]
* Cisco banner support in _updown via PLUTO_PEER_BANNER [Avesh Agarwal]
* New option nm_configured=yes will skip reconfiguring resolv.conf, so
that NetworkManager can handle this. Can be directly whack'ed using
the --nm_controlled option. [Avesh Agarwal]
* Clean up DPD logging. [Tuomo]
* SAref updated to 2.6.32 kernel [Bart/Paul]
* Bugtracker bugs fixed:
# 414: Y2K38 bug in X.509 Digital Certificate handling [Andreas Steffen]
(happened only on 32bit machines for certs expiring after 2038)
# 428: Fix for representation of [...] used algorithms
in ipsec auto --status [Martin Schiller]
#1004: Better fix for bug #1004 [Mika Ilmaranta/Tuomo]
#1035: Allow specifying interface name, eg left=%ppp0 [Martin Schiller]
#1080: duplicate of #414
#1085: Random disconnects of (ipsec+l2tpd) tunnels [Mika Ilmaranta/Tuomo]
#1087: acquires cause invalid policies being inserted into xfrm policy
introduced in 2.6.25 [Tuomo]
#1093: enc alg=0 not found in constants.c:oakley_enc_names [Henry N.]
#1094: IPSEC_RCV_DECAPFAIL with auth=ah [Wolfgang Nothdurft]
#1096: ipsec_xmit_send ignored mark of skb. causing ignoring of ip rules
and only main routing table was used. [Wolfgang Nothdurft]
#1104: Compile for NETKEY without KLIPS fails with missing symbols
[Henry N.]
#1107: buildfix for showpolicy.c when using gcc 4.5 [Paweł Zuzelski]
#1108: gcc-4.5.0 enum warning fix [Paweł Zuzelski]
#1110: rightsubnet=vhost:%priv,%no not working as expected for non-natted
case fixed by new #1004 fix [Mika Ilmaranta/Tuomo]
* Fix for protostack=auto when KLIPS or NETKEY is not compiled in [Paul]
* Fix for compiling without XAUTH (introduced with remote_peer=cisco support)
[Thomas Geulig]
* Fix %prompt for encrypted X.509 private keys [Harald]
* Fix plutodebug=natt being accepted just like whack --debug-natt [Tuomo]
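Bug #414 in the v2.6.26 list above (the Y2K38 problem in X.509 handling, seen only on 32-bit machines for certificates expiring after 2038) is a good example of a time_t overflow. The following is an added Python illustration of the failure and of the check that prevents it; it was written for this changelog and is not Openswan's certificate code, and the "now" and notAfter dates are constructed.

```python
"""Added illustration (not Openswan code) of bug #414: an X.509 notAfter that
falls after 19 January 2038 does not fit a signed 32-bit time_t, so a 32-bit
build saw such certificates as already expired.  Dates are constructed."""
import struct
from datetime import datetime, timezone

INT32_MIN, INT32_MAX = -(2**31), 2**31 - 1

# Constructed inputs: a clock in 2011 and a certificate that expires in 2040.
NOW = datetime(2011, 1, 1, tzinfo=timezone.utc)
NOT_AFTER_2040 = datetime(2040, 1, 1, tzinfo=timezone.utc)


def to_time_t64(moment: datetime) -> int:
    return int(moment.timestamp())


def to_time_t32(moment: datetime) -> int:
    """What a 32-bit time_t actually stores: the low 32 bits, read as signed."""
    seconds = int(moment.timestamp()) & 0xFFFFFFFF
    return struct.unpack("<i", struct.pack("<I", seconds))[0]


def fits_time_t32(moment: datetime) -> bool:
    """The check the 32-bit build was missing."""
    return INT32_MIN <= int(moment.timestamp()) <= INT32_MAX


def checked_time_t32(moment: datetime) -> int:
    """The defensive version: refuse instead of silently wrapping."""
    if not fits_time_t32(moment):
        raise OverflowError(f"{moment.isoformat()} does not fit a 32-bit time_t")
    return int(moment.timestamp())


def cert_still_valid(now: datetime, not_after: datetime, time_t_bits: int = 64) -> bool:
    """notAfter comparison as a 32- or 64-bit build would perform it."""
    convert = to_time_t32 if time_t_bits == 32 else to_time_t64
    return convert(now) <= convert(not_after)


if __name__ == "__main__":
    print("64-bit build:", cert_still_valid(NOW, NOT_AFTER_2040, 64))
    print("32-bit build:", cert_still_valid(NOW, NOT_AFTER_2040, 32),
          "(notAfter wrapped to", to_time_t32(NOT_AFTER_2040), ")")
```

The wrapped value is negative, i.e. a date in 1902, so the comparison against the current time fails and a perfectly good certificate is treated as expired; the same wrap in the other direction is why a check on the range, not just on the ordering, is the right fix.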
v2.6.25 (Mar 21, 2010)
* Google Summer of Code 2009 project for osxApp merged in [Paul]
code contributed by student Jose Quaresma and mentor Stefan Arentz
* Google Summer of Code 2009 project for livetest merged in [Paul]
code contributed by student Daniel Snider and mentor Paul Wouters
* Added exceptsocket NULL kernel_ops for non-bsd stacks [Paul]
* Remove hardcoded sql: from nss db path (showhostkey, rsasigkey) [Tuomo]
* Remove version from README.nss [Tuomo]
* Fixed obvious errors on fedora and centos5 rpm specs [Tuomo]
* Remove --key option from showhostkey [Paul]
* Fix for NAT-T vendorid payload on some ARM processors [dhr]
* Fix reference to unused file in README.nss [Tuomo]
* Fix 'ip' failure when built against libcap-ng [Kyle McMartin]
* Split networking support for remote_peer_type=cisco [Avesh]
* Fixup for compiling with broken version of nspr [Avesh]
* Update ipsec.conf man page [Tuomo]
* In rare circumstances, DPD could kill an active tunnel [Shinichi Furuso]
* Compile fixes for NETKEY without KLIPS [Ajay.V.Sarraju]
* Fix tcpdump operation on KLIPS/ipsecX interfaces [David]
* Report NETDEV_TX_BUSY when klips is overloaded with requests [David]
* Fix usage of KLIPS_IP_SELECT_IDENT to prevent kernel trace/warnings [David]
* Auth corruption due to unprotected data in sha1 (work_space) [Shinichi Furuso]
* Correct locking for SA tables in pfkey interface [Shinichi Furuso/David]
* Add locking to PRNG to prevent possible corruption [Shinichi Furuso/David]
* Fix oops on held packets [David]
* Implement remove_orphaned_holds for NETKEY [Tuomo]
* Fix _plutorun to use standard restart option for ipsec setup [Tuomo]
* Disable auto skb_dst_release so that icmp_send works [Ronen Shitrit/David]
* Fix for unloading KLIPS module on latish kernels [Ronen Shitrit]
* Fix init script default not to start up on boot by default [Tuomo]
* Do not store XAUTH password in a variable if read from the prompt [Avesh]
* spi/spigrp/tncfg blindly assumed KLIPS. Give nicer error output [Avesh]
* Fix for _updown.netkey not being able to delete route [Tuomo]
* Fix bad bare_shunt entry that break tunnel routing [David]
* Fix oops when network driver doesn't support all header_ops [David]
* Fix for hardcoded hmac 96 bits length [Avesh]
* Check for clrngd as well as rngd in ipsec verify [Paul]
* Fix default value for ikev2 in ipsec.conf man page [Tuomo]
* Support for USE_TRANSPORT_MODE in IKEv2 [Avesh]
* Fix for implicit DSO linking with NSS [Avesh]
- redhat bz#565140
* Fix various spelling errors [Harald]
* Fix for leftid=@[foo] notation [Michael H. Warfield]
* Interop issue with Cisco where with XAUTH and ModeConfig we expected
ISAKMP_CFG_REPLY but we got ISAKMP_CFG_ACK [Paul]
* Support for receiving Cisco dns and domain settings and updating
/etc/resolv.conf. Requires remote_peer_type=cisco [Avesh]
v2.6.24 (Jan 8, 2010)
* Give clear warning about missing defaultroute [Tuomo]
* Fix to allow ";" in the ike/esp parameters as per man page. [Avesh]
* Fix for DPD with NETKEY [Frank Eberle]
* Make initscript LSB compliant [Avesh]
* Fix for compiling with nss and broken nspr header [Elio Maldonado Batiz]
* Do not set the IKEv2 Critical flag for payloads defined in RFC 4306 [Avesh]
* Client side support for Cisco load balance directives in IKEv1 [Avesh]
- new keyword: remote_peer_type=cisco
* Update ipsec_setup man page to match setup changes [Tuomo]
* Zeroize ISAKMP and IPsec SA's when in FIPS mode [Avesh]
* Initial contact from Windows/l2tp would fail once before succeeding [David]
* KLIPS compiles on all recent (up to 2.6.31) kernels [mcr]
* KLIPS fixes for 2.6.32 [david/paul]
* Fix for mixed IPv6 in IPv4 and vice versa tunnels [Heiko Hund]
* Fix for NETKEY on kernels 2.6.26+ [Andreas Steffen]
* NAT-OA fixes [David]
* Fixup cryptoapi sg_set_page for older kernels [David]
* Honour kernel build verbose setting via V=1 [mcr]
* Change NAT-Traversal support log message (It's not a patch) [Tuomo]
* Some programs were installed twice causing .old files [Avesh]
- This is redhat bugzilla #546024
* lwdns.req.log moved from /var/tmp/ to /var/run/pluto/ [Avesh]
- This is to avoid an SElinux AVC Denial
* Fix compilation so it does not require xmlto [paul]
* Fix NSS by removing extra sql: from NSS db directory name [Tuomo]
(sql: syntax not supported on RHEL/CentOS nss version)
* Move NSS debug logging to DBG_PARSING [Tuomo]
* Bugtracker bugs fixed:
# 428: KLIPS NULL encryption patch (through cryptoapi)
#1004: L2TP broken with NAT'ed clients [dhr/Tuomo/Paul]
#1053: typo in notification sending routine [Seong-hun Lim]
#1055: init script hangs on startup with semi-broken shells [Michael Smith]
(eg busybox and debian's new default /bin/dash shell)
#1056: setup script start_stop() checks for filesystem writability
#1067: openswan fails on systems not supporting popen() [Jonathan Miller]
#1072: Compiling with USE_VENDORID=false fails [paul]