[Openswan Users] Xelerance has released Openswan 3.0.0

Samir Hussain shussain at xelerance.com
Fri Jan 22 19:59:22 UTC 2021

Hash: SHA256

Xelerance has released Openswan 3.0.0

This release contains cryptography modernization code.


v3.0.0 (January 22, 2021)

Crypto modernization

* Update ipsec.conf.5 man page [Samir Hussain]
* wo#11022: extrapolate_v1_from_v2 wasn't sending all transforms [Martin
* Fix mapping PRF to hasher in the pluto helper [Martin Hicks]
* Add v2tov1_prf() to convert IKEv2 prf functions into OAKLEY_* hash
identifiers [Martin Hicks]
* Update lp177 due to changes in parentM1.pcap and parentM3.pcap [Martin
* wo#10966: Update lp178 to fail with NO_PROPOSAL_CHOSEN [Martin Hicks]
* wo#10966: ikev1: Enforce local policy for selection of ESP proposal
[Martin Hicks]
* rework IKEv1 w/NAT test cases with MODP2048 policy for IKE= [MCR]
* SAMPLEDIR always has trailing slash [MCR]
* wo#10966: ikev1: Enforce local policy for selection of IKE proposal
[Martin Hicks]
* set default phase1 proposal if none set [MCR]
* Print keylength in child proposal debug messages [Martin Hicks]
* wo#10964: Fix printing of IKE algorithm info in `ipsec status` [Martin
* Fix printing of IKEv2 Integ names in ipsec status [Martin Hicks]
* restrict the memcpy length to size of target, redundant with
passert(), but
  compiler does not know that [MCR]
* rename some duplicate test numbers [MCR]
* wo#10850: Add NULL cipher to the ikev2 to ikev1 ESP encryption mapping
[Martin Hicks]
* Don't attempt to convert proposals to IKEv1 if disabled for this
connection [Martin Hicks]
* Allow 'make pcapupdate update' in tests/unit/libalgoparse [Martin Hick
* wo#10844: Fix mapping ESP auth identifiers from ikev1 to ikev2 [Martin
* wo#10876: Properly translate key length attributes into ikev1
proposals [Martin Hicks]
* github#541: Fix segfault when rekeying child SA with no parent [Martin
* pluto: add ALLOW_MICROSOFT_BAD_PROPOSAL for self-proposals [Emil Velik
* wo#10594: Fix printing of spdb AUTH attribute string [Martin Hicks]
* wo#10594: ikev1: Fix ESP proposal AUTH identifier [Martin Hicks]
* wo#10625: ikev2: Properly close pbs after processing child SA proposal
[Martin Hicks]
* wo#10625: Use default keysize if none is specified in the default
phase2alg [Martin Hicks]
* wo#10537: ikev2: Loop through multiple local proposal options [Martin
* wo#10631: ikev2: Set default ESP ealg keylen if not provided [Martin
* wo#10596: Propose disabled Extended Sequence Numbers for ESP [Martin
* wo#10596: Do not send Key Length proposal attribute for aalgs [Martin
* wo#10596: Add default IKE encryption alg key sizes [Martin Hicks]
* Fix spelling in log messages and related QA test output changes
[Martin Hicks]
* Fix looping comments [Martin Hicks]
* wo#10527: Use cert issuer CA if none is specified [Martin Hicks]
* wo#10508: ikev2_decode_cert(): Attach keys to parent state [Martin Hic
* wo#10507: Use the IKEv2 algorithm ID to look up the hasher [Martin Hic
* Make V=1 work for more directories during 'make programs' [Martin Hick
* Fix too small buffer for algorithm name information [Martin Hicks]
* Fix up XML for new ike section of ipsec.conf manual [Martin Hicks]
* Unit test updates to deal with 2.6.52dev merge [Martin Hicks]
* Fix unresolved symbols in cr01-aes128 [Martin Hicks]
* 01-confread: Update to ipv6-inconsistent test [Martin Hicks]
* wo#7566 . update man page for ike= and phase2alg= [MCR]
* make fallthrough markings work with pre and post gcc-7 [MCR]
* for IKEv1 operations, translate IKEv2 policy values. For IKEv2, use
them directly [MCR]
* ask for IKEv2 hash/integ routines [MCR]
* split up IKEv1 and IKEv2 hash/prf number space when talking to helpers
* clear up labels for memory leak tracker, and update unit test cases
  for memory leaks [MCR]
* always build with efence and leak detective [MCR]
* provide for detailed tracing of allocation/free in case of extreme
debug need [MCR]
* clear pc->props when it is freed [MCR]
* mark fall throughs in switch statment to get rid of compiler warning [
* document how valueaux is used by AES keyword-enum parser [MCR]
* added copyright and protection ifdef for ikev1.h and ikev2.h [MCR]
* free oakley_sa if out_sa() failed [MCR]
* guard against failing call to allocate_RSA_public_key [MCR]
* ignore output of failed steps [MCR]
* shorten fakecheck to deal with compiler warning [MCR]
* change argument to char **const [MCR]
* eliminate kernel_alg_esp_sadb_aalg() in favour of
kernel_alg_esp_auth_byikev2() [MCR]
* do not initialize alg_info, it is never used [MCR]
* rename algo_id to ikev1_algo_id [MCR]
* reviewed all headers for #ifdef nested inclusions [MCR]
* t7257 - refactored db2_prop_init() to test inputs before allocation,
  cleanup exit unrolling [Bart Trojanowski]
* t7257 - comment about indexing [Bart Trojanowski]
* t7257 - cleanup indents [Bart Trojanowski]
* t7257 - missing header, preserve const in enum_and_keyword_names [Bart
* t7257 - cleanup docs/UNITTESTING.md formatting [Bart Trojanowski]
* updates to tests after adding vendor ID sanity to lp13 and friends [MC
* some updates after pcapupdate [MCR]
* added ike= to functional and other updates [MCR]
* updated test 18 for LIBNSS version [MCR]
* updated test cases with additional RW configs [MCR]
* sanity for other variations of VendorID [MCR]
* introduce some additional debugging options [MCR]
* updates seams and pcap files [MCR]
* added MORE_DEBUGGING option to lp12-R2 test cases [MCR]
* final renames of output->output1 [MCR]
* enabled test cases in Makefile, build SEQUENCE file [MCR]
* updated pcap files [MCR]
* move init_pluto_vendorid to vendor.c [MCR]
* removed unwanted IPsec policy check [MCR]
* extraenous set_suspended(NULL) removed as per 2.6.52 [MCR]
* wo#7257 . update policy for 3des-md5 [MCR]
* wo#7257 . update policy to sha256 [MCR]
* wo#7554 . clarify debugging of key lengths [MCR]
* wo#7257 . update logging to show correct algorithm output [MCR]
* added ikev1-NAT traversal sequence [MCR]
* added additional sequences [MCR]
* wo#7257 . ignore unknown vendor ID, and remove self-recognition,
  since pcap files may be older than current version [MCR]
* removed redundant input file logging [MCR]
* do not put pointer in debug message [MCR]
* updated ikev1 basic sequence [MCR]
* enable vendorID for NAT-T [MCR]
* added additional vendor ID pattern [MCR]
* updated tests with new policy, and added local pcap files [MCR]
* updated tests with new policy [MCR]
* sanify included by default and it removes vendor ID differences now [M
* bring in changes to crypto fake out from algo-rebased [MCR]
* log arguments better, and set WHACKFILE is not set [MCR]
* include sanity.sed for vendor ID sanitization [MCR]
* set WHACKFILE is not already set [MCR]
* move to consistently use ${UNITTEST1ARGS} [MCR]
* additional integ algorithms added [MCR]
* updated packet trace with new length [MCR]
* additional logging for instantiation of policy [MCR]
* added empty packet trace [MCR]
* clean out PID file [MCR]
* updated policy type [MCR]
* register new algorithms, show keys, working [MCR]
* add explicit zero value for connection_kind, to distinguish value
never set [MCR]
* removed ikev2_acceptable_group, as it is not used [MCR]
* compilation fixes for libopenswan [MCR]
* updates due to loading of CKAID [MCR]
* check for and report if there are core dumps [MCR]
* reintroduce ipsec.secrets logging [MCR]
* updated test case with revised certificates from samples, replace sun
with dave [MCR]
* updates so that TLV structure is now correctly parsed [MCR]
* updates to packet.c to remove inclusion of AF_TV in definition of
header [MCR]
* correct error in output file when splitting up test case [MCR]
* include keymgmt.o into all tests as orient() needs private key info [M
* introduce programs: target to lp14 [MCR]
* correct SAMPLEDIR to have trailing / [MCR]
* updated for correct registration of SHA1 and MD5 PRF [MCR]
* update many test cases for PRFs SHA1 and MD5 [MCR]
* fix algorithm type of PRF-SHA1 and PRF-MD5 [MCR]
* removed dead spdb database [MCR]
* log which algorithms were searched for, and if they were found [MCR]
* move to per-state lists of keys move to per-state lists of CAs [MCR]
* instantiate some buffers so that we can log situation where peer propo
  other than self [MCR]
* bring some small changes to debugging of default_end() and fc_try() [M
* just include openswan.h [MCR]
* add end_type_name printer [MCR]
* include constants.h it is needed [MCR]
* wrap oswcrypto.h against multiple inclusion [MCR]
* some include file parser issues solved [MCR]
* added ikev1 settings for keyexchange values [MCR]
* clear out some remaining ikev1 cruft [MCR]
* removed openswan.h from linux kernel code [MCR]
* rename algorithms to not have leading AUTH_ [MCR]
* removed LABELLED_IPSEC, and a bunch of dead code [MCR]
* enable the integ and prf algorithm checks [MCR]
* removed ikev1_alg from library, as it should no longer be needed [MCR]
* deal with off-by-one error in growth logic for db2_trans [MCR]
* removed dead test case [MCR]
* xformmock unit tests now compile correctly [MCR]
* make the crypto unit tests compile quietly by default [MCR]
* added notes about unit testing [MCR]
* whitespace changes, and remote .ei, and change
st_orig->st_ikev2_orig_initiator [MCR]
* always use EXTRAOBJS to get linker order correct [MCR]
* removed db_ops and spdb.o and spdb_print.o from link list [MCR]
* prefer EXTRAOBJS for object files [MCR]
* wo#6269 . generate db2 IKEv2 algorithm structure from alg_info
structure [MCR]
* remove series of #ifdef KERNEL_ALG [MCR]
* wo#6269 . split up kernel.c so that init_kernel() and references to ke
  types is in a single file [MCR]
* wo#6269 . update dependancies now that kernel_forces.c exists [MCR]
* wo#6269 . split up kernel_netlink.c into low-level netlink routines
  and higher level "forces" routines [MCR]
* ikev2crypto unit test refactoring [MCR]
* removed errant keys.o object file [MCR]
* import test case from rebase branch [MCR]
* rename recv_pcap_packet -> recv_pcap_packet_with_ke [MCR]
* added keys.o, remove signatures.o so that ct02 will compile [MCR]
* bring in alice config [MCR]
* added db2 operations [MCR]
* remove programs/pluto/ike_alg.c, and translate calls to those that
  libalgoparse supports move sha2 routines and ike init to libsha2,
split off
  NSS implementation [MCR]
* change #include to reflect ike_alg.h -> pluto/ike_alg.h, so that unit
  tests compile also change kernel.h and plutoalg.h for move to
include/pluto [MCR]
* introduce libalgoparse library get pluto that compiles: massive change
  to use libalgoparse [MCR]
* transform many IETF constants to defines remove some dead code, and ke
  definition for ike_alg_prf_present for now [MCR]
* bring in t7257 test cases from libpluto [MCR]
* wo#8784 - update unit test results, removing padding [Bart Trojanowski
* ignore core files [MCR]
* not ready for libalgoparse and policy unit tests yet [MCR]
* fix libalgo unit test libraries [MCR]
* update hexdump() interface [MCR]
* disable many tests that are missing or core dump [MCR]
* turn off unit test cases that require fixed algorithm code [MCR]
* added SAMPLEDIR= setting [MCR]
* updates to unit tests for algorithm additions [MCR]
* attempt to rework ikev2_parse_parent_sa_body with IKEv1 values [MCR]
* removed ike_alg.o and added missing object files after re-org [MCR]
* updates to functional tests for algorithm additions [MCR]
* added loadcertpath for functional/15-certload [MCR]
* fix Makefile libraries for aes128 test [MCR]
* register SHA1 and MD5 PRF and INTEG algorithms under #ifdef [MCR]
* move sha2 routines and ike init to libsha2, split off NSS implementati
  remove programs/pluto/ike_alg.c, and translate calls to those that
  libalgoparse supports [MCR]
* removed dead #ifdef IKE_ALG clauses. [MCR]
* removed dead comment from Makefile.options [MCR]
* added openswan_exit_log() to make pluto more like libraries [MCR]
* added -DIKEV1 if USE_IKEv1 is defined [MCR]
* added ike_alg_aes to register AES algorithms to plugable crypto [MCR]
* add programs to targets that will recurse in unit tests [MCR]
* do not stop running tests if KEEPGOING=1 is set [MCR]
* bring in t7257 functional test cases [MCR]
* bring in t7257 test cases [MCR]
* plutoalg.o is now included in libalgoparse [MCR]
* rename PLUTOLIB -> LIBPLUTO to be consistent with other variables [MCR
* change #include to reflect header file renames, so that unit tests
compile [MCR]
* remove dead private numbers for SERPENT and TWOFISH [MCR]
* remove KERNEL_ALG support from "ipsec spi", as it can not be supported
* transform many IETF constants to defines [MCR]
* obsolete USE_MODP_RFC5114 define [MCR]
* removed dead alg_info_test target [MCR]
* wo#5640 Don't ABORT if duplicate event gets scheduled, replace
existing [Martin Hicks]
* Only print 'took too long -- replacing phase 1' when it actually gets
replaced [Martin Hicks]


More information about the Users mailing list