Skip to content

@shussain shussain released this Mar 25, 2019

Fix memory leak bug.

  • wo#8179 . defer freeing states until all references are clearly gone,
    clear them out in the main loop [MCR]
  • attempt to free the state [MCR]
  • added leak detective reporter [MCR]
Assets 2

@shussain shussain released this Dec 17, 2018 · 4 commits to master since this release

v2.6.51.2 (December 17, 2018)

Additional commits for libnss.

* added --built-withlibnss when built without nss [MCR]
* update Makefile to tables driven version [MCR]
* added --built-withlibnss option [MCR]
* updates to tests for show ipsec.secrets location [MCR]
* wo#7817 . show location of ipsec.secrets file in whack status [MCR]
* Specify email address for reporting security vulnerabilies [Samir Hussain]
* change NSS init to use sql: method [MCR]
* adjust functional tests to ignore NSS status, but some certificate tests are not going to run with NSS [MCR]
* wo#7067 . include and rework Makefile with testlist [MCR]
* initialize NSS libraries [MCR]
* remove another USE_1DES [MCR]
* cast appropriate for 32-bit platforms [MCR]
Assets 2

@shussain shussain released this Oct 5, 2018 · 17 commits to master since this release

v2.6.51.1 (October 5, 2018)

Bug fixes for using libnss and building with Debian.

  • wo#7597 . move errant LIBNSS setup to private_key_setup [MCR]
  • Fixing typo in debian/changelog. [Samir Hussain. Hat tip to github user fleish]
Assets 2

@shussain shussain released this Sep 14, 2018 · 20 commits to master since this release

v2.6.51 (September 14, 2018)

Bug fixes for various issues. Improving interopability with strongSwan. Additional work to enable NAT-Traversal in IKEv2.

Assets 2

@shussain shussain released this Aug 24, 2018 · 267 commits to master since this release

v2.6.50.1 (August 24, 2018)

This release fixes CVE-2018-15836 (a Bleichenbacher-style signature forgery which involves RSA padding attack)

Assets 2
Aug 3, 2018

@shussain shussain released this Aug 3, 2017 · 275 commits to master since this release

v2.6.50 (August 3, 2017)
Bug fixes for RSA key size and other issues

Assets 2

@shussain shussain released this Mar 8, 2017 · 531 commits to master since this release

Always build whack with debug options and define IKEv1 as on

  • KEv1 as disabled at compile time [mcr]
  • define IKEV1 as on, as we can not remove IKEv1 yet, but one piece of code anticipated it [mcr]
  • always build whack with debug options [mcr]
  • debian: stop depending on iproute that's just a virtual package [Simon Deziel]
Assets 2
Aug 8, 2016
v2.6.49rc1 (August 3, 2016)
Implements the IKEv2 child rekey facility in IKEv2.

* revert "have R2 keep parent SA as md->st, and manipulate the child
  SA state directly" [MCR]
* have R2 keep parent SA as md->st, and manipulate the child SA state
  directly [MCR]
* use shunt_eroute, rather than eroute() to protect against attempting to
  replace tunnels with shunts when deleting [MCR]
* change child final state by adjusting microcode [MCR]
* initialize the IKE version maj/min when creating state [MCR]
* explicitely set child state on responder [MCR]
* clean out some dead comments [MCR]
* added additional debug for rekey event. Delete processing now increment
  message ID properly, so the numbers are higher. When no parent exists, the
  child can not be deleted, so message about scanning does not occur [MCR]
* use allocate_msgid_from_parent properly when sending delete messages [MCR]
* have process_informational_ikev2 return STF_IGNORE to avoid confusing parent
  state I3->I3 message, clean up some debug messages and comments [MCR]
* clear up small comment [MCR]
* log current time when indicating when next event is [MCR]
* removed stack of #if0/PATRICKXXX blocks, and reformat to fit screen [MCR]
* log reason for creating new CHILD SA (rekey) [MCR]
* do not reset PARENT SA replace timer [MCR]
* accept reply from responder, do calculations and install new IPsec SA.
  No further reply is needed [MCR]
* lp47 test now validates that Nonce and KE are in fact sent [MCR]
* note that it was decryption that failed [MCR]
* the first payload in reply should always be Nonce, send it. If PFS is
  enabled, then send KE. Finally, send SA and Traffic Selectors [MCR]
* if PFS is enabled, then tell tail() function so that it can send KE [MCR]
* refactor nonce sending into justship_v2Nonce [MCR]
* added additional constraints on required encrypted payloads: mistyped
  Nonce (Initiator/Responder) as Notify! [MCR]
* mark failure to decrypt as such [MCR]
* take care to diagnose when a continuation is not found [MCR]
* refactor out child_notify_process, and child_validate_responder_proposal.
  Complete inCR1 processing, calculating g^xy if PFS is enabled [MCR]
* in responder from child, make sure to mark packet as having a reply [MCR]
* put packet input/output debug into middle of pluto log [MCR]
* added missing description for C1_REKEY state [MCR]
* added explicit initial state microsoft code child rekey state [MCR]
* deal with compiler warnings due to new bounds checker [MCR]
* move pcap_recv_packet to per-test .c file, as per lp13, and update for
  reduced debugging in setup portion [MCR]
* move pcap_recv_packet to per-test .c file, out of common code [MCR]
* transform lp13-parentI3 like lp10, such that it can take an arbitrary
  number of pcap files as input; refactored for creating lp48 [MCR]
* added test case lp47 [MCR]
* added missing "in hash X" to test case [MCR]
* added run_one_continuation for use by lp47, which has to run multiple
  continuations [MCR]
* run continuations, one at a time [MCR]
* updated CI1 packet [MCR]
* run two continuations in test case: one for g^y calculation, one for
  g^xy calculation [MCR]
* inCI1_tail routine takes request and replies to it using child_sa_respond [MCR]
* permit child_sa_respond to be provided with the child state object [MCR]
* get rid of dead code that tried to kill empty notifications [MCR]
* accept_v2_KE and accept_v2_nonce do not return the same type, check each
  properly [MCR]
* lookup state 3 for rekey debugging [MCR]
* decrypt incoming packet, having recorded the correct state [MCR]
* allow compile time directive to expand size of state table [MCR]
* make ikev2_decrypt_msg available to ikev2_child [MCR]
* guard against st still being NULL when dealing with initial handshake [MCR]
* make sure to clear list of seen payloads [MCR]
* fix ikev2_child I1 packet to have correct np for first encrypted payload [MCR]
* minor reformat [MCR]
* change silly message about IKEv2_ROOF [MCR]
* when receiving a package on responder, look up with the messageid first,
  and find parent to do retransmission logic. [MCR]
* added microcode and initial processing for receiviving the CI1 packet [MCR]
* refactor accept_v2_KE from ikev2_parent [MCR]
* move SEND_*NOTIFICATION macros to ikev2.h [MCR]
* added prototypes for child CI1 states on responder [MCR]
* added forward declaration for recv_pcap [MCR]
* new test case for receiving IKEv2 CHILD rekey [MCR]
* actually send the packet once it is formed [MCR]
* rename test case, open pcap file and make sure it is closed [MCR]
* add send_packet_close() [MCR]
* renamed test case [MCR]
* IKEv2 rekey child calls the right KE, auth, encrypt and nonce functions
  which have been marked as non-static from ikev2_parent [MCR]
* minor reformat and addition of positional argument names [MCR]
* use enum_name rather than explicit reference to array to find state_stories
  --- english description of current state [MCR]
* t5: do rekey work [MCR]
* enable ikev2child_outC1_continue and ikev2child_outC1 and kev2child_outC1_tail [MCR]
* when deleting SAs, make sure to delete child SAs first, then parent SAs [MCR]
* added state_stories and state_name for STATE_CHILD_C1 states. Change
  microcode to take CHILD SA from I3 to C1 [MCR]
* include IKEv2 states in IS_ISAKMP_SA_ESTABLISHED [MCR]
* adjustments to seams for change to ipsecdoi_initiate API [MCR]
* start duplication of ike2 child negotiation into ikev2 child rekey code [MCR]
* initial test case base for rekey experiment [MCR]
* added AFTER_CONN() call to do things after conn is established [MCR]
* split up parentI3 so that it can be reused [MCR]
* added name for new SA_DELETE event [MCR]
* move some headers to include/pluto so that they can be used in unit test seams [MCR]
Jun 6, 2016
v2.6.48 (June 6, 2016)
Bug fix release.

* fix leak error found by travis [MCR]
* some minor fixes to unit test cases as a result of merge and travis testing [MCR]
* Fixing compile error when HAVE_STATSD=true is set. [Samir Hussain]
* ipsec eroute connections number kept increased. [freedai]
* Update ipsec_proc.c [freedai]
* Update pfkey_v2.c [freedai]
* Providing more meaningful name to variable that will get modified via sed [Samir Hussain]
* For debian packages, we need to have a tilda (~) between version and
  rc/dr in order to do proper versioning [Samir Hussain]
* Minor spelling fixes [Samir Hussain]
* Fixing issue with missing OCF symbols when trying to modprobe KLIPS on
  Trusty [Samir Hussain
* convince compiler that j is never too big [MCR]
* const-ify as many spd_eroute arguments as possible [MCR]
* update some dependancy headers [MCR]
* update test case to expect AUTHENTICATION_FAILURE, rather than NO_PROPOSAL_CHOSEN [MCR]
* reject connections that have a version mismatch using AUTHENTICATION_FAILED [MCR]
* test case to check that IKEv2 is reject with a message of AUTHENTICATION_FAILED [MCR]
* verify that correct IKEv1 notify is sent when IKEv1 is disabled [MCR]
* when looking for a connection, determine if a different connection would
  be returned if IKEv1/IKEv2 policy was ignored [MCR]
* permit notifications to be sent from complete_v1_state_transition even
  when no state was created [MCR]
* added mytunnel-no-ikev1 [MCR]
* log number of whack messages processed to aid in debug of new unit tests [MCR]
* complain if a conn can not be found [MCR]
* missed three changes to policy dump from adding policy_clear [MCR]
* additional debug of policy, output for lset_clear policy search [MCR]
* with changes to find_host_connections2, the ikev1 packet is now properly rejected [MCR]
* find_host_connections2 now takes an lset of policies that must be clear [MCR]
* include complete_v1_state_transition when not doing IKEv1 processing [MCR]
* initialize wire_chunk_t in crypto_req using macro [MCR]
* added appropriate seams for responding to ikev1 messages, when no ikev1 permitted [MCR]
* protect against smc might be null when processing ikev1 packet [MCR]
* support receiving ikev1 messages in ikev2 receive test [MCR]
* mark include paths for headers moved to include directory [MCR]
* no-ikev1 tunnel case [MCR]
* new test case for process IKEv1 packets when only IKEv2 are expected [MCR]
* confirm output is an IKEv1 main mode init [MCR]
* move some nat-t headers to include/pluto, and permit them to be link-seamed out [MCR]
* removed main_outI1 from seam so that lp43 can use it [MCR]
* added lp43 - generate IKEv1 first packet [MCR]
You can’t perform that action at this time.