2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / CHANGES

New and notable in 1.97:

Sanity check added for at least one of AH or ESP more for checking if
"make *config" has even been run.

Fixed 2.2 local IKE fragmentation blackhole.  Still won't work if
iptraf or another pcap app is running.

MCR added ikeping(8).

Applied DHR's tunnel patch to streamline IKE/specialSA processing.

Added local and remote IKE bypass tests to the UML test suite.

UML KLIPS %trap* tests now check for upbound pf_key messages.

An ICMP ICMP_DEST_UNREACH, ICMP_PKT_FILTERED is now sent upon %reject.

Added a UML input file with first and last packets being outside the 
covered range to "sandwich" the packets under test.

The default _updown script has been cleaned up slightly, reducing
internal duplication that arose accidentally.

When doing --add on an RSA-signature conn, ipsec_auto now tells Pluto
about the keys before, not after, telling it about the conn.  The main
consequence of this is that if something is wrong with one of the keys,
the conn itself does *not* get loaded.  This should reduce confusion.

The rp_filter checks during KLIPS startup have been fixed to be a bit less
paranoid; rp_filter is thought to cause problems only on the physical
interfaces, not on the ipsecN interfaces. 

The configuration process has been fixed to be a bit more paranoid.  Some
users have had mysterious compile failures with complaints involving names
like MD5_CTX; they seem to have resulted from kernel configuration changes
somehow getting into .config but not into include/linux/autoconf.h (which
is what actually controls most of the kernel compile).  The post-config
checking now verifies not only that .config has the right stuff in it, but
that autoconf.h does too.  (We still don't see *how* this discrepancy can
arise, but this will at least catch it when it does.)

The details of linking the KLIPS source into the kernel are now under
control of a configuration variable in Makefile.inc, to make it easier
for distribution builders to change.

The top-level Makefile now includes cleverness which assigns a date-based
version code if a build is done from a raw CVS checkout.

The library now includes a new function, ttodatav(), like ttodata() but
in some cases it gives more verbose error reports.  Also, there are now
a couple of functions which distill an RSA public key to a "key ID" for
use in messages, a crypto-quality pseudo-random-number generator, and a
function that converts a single address into a (singleton) subnet.

Barf's secret/key-censoring utilities have been tidied up so that what
they emit matches the key-ID library functions. 

The ipsec command now supplies a couple more environment variables to
things it calls, and this has reduced the number of things which need to
be edited at build time to know about configuration variables. 

The configuration reader now allows parameter names to begin with "_";
these are strictly reserved for internal development purposes and will
not in general be documented.


As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.96:

Compatibility with the 2.0.xx kernels (under Red Hat 5.2) is broken.
This was accidental, and we have some hopes of fixing it, although it
won't last forever even if we do.  See README.

Our "IKE Implementation Issues" IETF draft has been added to our docs.

Newhostkey now has a mandatory --output "option" specifying a filename
(although the magic filename "-" means "standard output"), and sets
restrictive permissions on newly-created files to try to keep private keys
truly private. 

Pluto now gracefully handles a couple of odd error cases (missing private
keys, network errors at just the wrong time in negotiations) which used to
cause it to die, provoking an automatic restart of the IPsec subsystem. 

Makefile.inc now has more detailed control over where manpages go, to ease
integration into distributions.  The name of the destination directory for
RPMs is also now centralized there.

Rsasigkey now checks for certain obscure internal failures, which can
happen if --random is used to supply a source of random bits that aren't
really very random, and complains accordingly.

Barf's eroute table, formerly sorted by source, is now sorted by destination.
This is probably a bit clearer for hosts with lots of eroutes.

Use of the %reject target in a shunt eroute now, as long planned, actually
causes an ICMP rejection message (Destination Unreachable:  Communication
Administratively Prohibited). 

KLIPS now declares its module license to be "Dual BSD/GPL".  (It is 
dual because the libdes and zlib code is BSD licensed, while KLIPS itself 
is GPL).  Whether this is exactly right is not yet clear, but at least it
stops the latest module loaders from whining.

The UML test stuff continues to grow and add new test cases.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.95:

The last remnants of the "%hold" bug, which broke 1.93 and 1.94, have
(we think) been dealt with.

Minor bugs in the RPM-building stuff have been fixed, and it has been
updated to deal with Red Hat's abrupt removal of the --buildroot option
from rpm.

Pluto now supports the ability to delete an instance of a conn, rather
than just the whole conn (for cases, notably OE, where a single connection
description can be involved in multiple connections).  There is no support
for this in ipsec_auto yet.

Pluto's routine (non-debug) logging is now somewhat terser, and some of
the more boring messages are produced only if --debug-lifecycle is turned
on (this is a temporary hack, it's not really debugging output).

Pluto's innards have been reorganized somewhat, in preparation for making
DNS lookups asynchronous.  There should be no user-visible effects.

Pluto now ignores IPv6 link-local interface addresses; we think that they
are never relevant, and trying to bind to them causes difficulties.  This
decision is tentative and may be revisited when we make more progress on
IPv6 support in general.

A Pluto bug in handling of malformed TXT records has been fixed.  (The
complaint is still a bit mysterious, but at least Pluto doesn't fall over.)

Pluto's Responder cookie-generation algorithm has been changed so that a
particular peer no longer gets the same cookie each time. 

KLIPS and its utilities now take their debug and optimization compile
options from Makefile.inc.

There have been some internal upheavals in the library include files,
moving kernel-specific stuff out of the library and back into KLIPS where
it arguably belongs.  No user-visible impact known. 

The UML test facilities continue to improve in various small ways,
including the arrival of a script to start all defined UMLs
(testing/utils/start-all-umls.sh).

If KLIPS has been built without its debugging facilities, the startup
scripts no longer attempt to set a KLIPS debugging level.

"ipsec" and "ipsec --help" are no longer synonymous:  "ipsec" gives a
shorter, more introductory message and omits the command list.  Also,
the --help command list now excludes non-executable things (one or two
of which have sneaked into our command directory). 

The top-level Makefile now gives a better diagnostic for the case where
there is no /usr/src/linux symlink to the kernel source tree.

Eroute statistics (packet count and last-used time) are now kept up to
date for shunt eroutes as well as normal ones.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.94:

1.93, as shipped, wouldn't compile as a module due to an erroneous
#include.  Oops.  Fixed.  Even after that, it also wouldn't compile as a
module in a 2.2.xx kernel, for more subtle reasons; also fixed. 

A structure name in KLIPS (struct net_device) has been changed to avoid
ominous mutterings from the compiler when building in a 2.2.xx kernel.

Due to an obscure internal oversight, the KLIPS utilities were being built
at the wrong time during the build, and this could cause trouble for folks
who build as one user and install as another.  Fixed, as is the Makefile
carelessness which permitted this to go unnoticed. 

The exemption of UDP/500 packets from being caught by the IPsec machinery
did not apply to %hold eroutes.  Now it does.  This should mostly have
affected opportunistic encryption.

The bug (noted in 1.93, but dating back earlier) in which the updown
script was called twice for auto=start connections has been fixed.  (To be
precise and technical, the updown script is now called only when tunnels
are set up, not when shunt eroutes are put in place.)

We think we have solved the notorious "%hold bug", which is difficult to
describe tersely.  In the course of this, some improvements were made in
Pluto's logging, and it now also handles some unlikely cases rather more
cleanly. 

There is now provision for uninstalling:  "make uninstall_freeswan" gets
rid of everything we install *except* the stuff in the kernel (a kernel
rebuild will be needed to get rid of KLIPS).  (Yes, the name is long,
that's deliberate, for accident prevention.)  This is now documented.

There are the beginnings of provisions for centralized control of compile
options like -g and -O3 in Makefile.inc.  This is still in development,
don't rely on it just yet. 



New and notable in 1.93:

The code that decides whether to send an ICMP complaint back about a
packet which had to be fragmented, but couldn't be, has gotten smart
enough that we now feel comfortable enabling it by default.  That is,
the default for the "fragicmp" setting has changed from no to yes.
This may help with the 1.92 fragmentation bug.

Pluto now proposes Diffie-Hellman group 5 before group 2, as the basis for
key negotiation.  Group 5 is more secure but uses a bit more CPU time; our
first impression is that this is not a serious problem.  Pluto *does*
still propose and accept group 2 as well, so there shouldn't be any
interoperability problem with the many group-2-only systems. 

To aid with key rollover -- replacement of an old key by a new one -- if
Pluto is fetching RSA public keys from DNS and gets more than one, it will
now try all of them rather than arbitrarily picking one.  (There is, as
yet, no support for multiple keys explicitly specified in ipsec.conf.)
This required substantial reworking of Pluto's innards; with any luck no
new bugs have resulted!

The ipsec command now has a --versioncode option which supplies just the
version code (equivalent to "ipsec --version | awk 'NR == 1 { print $NF }'"
but more convenient for scripts).

IKE (UDP/500) packets which were large enough to be fragmented used to be
mishandled, with some of the fragments failing to bypass IPsec tunnels
properly.  This has been fixed; our thanks to Hans Schultz. 

We now have the beginnings of a facility for building RPMs (after a full
normal build).  Instead of (e.g.) "make xgo", do "make xrpm", and after
the Makefile does the software and kernel build, it will make some RPMs
and leave them under the out.rpms directory.  The RPMs are:

        freeswan        the userland utilities
        freeswan-module the ipsec.o kernel module (see below)
        freeswan-kernel the Linux kernel and its modules
        freeswan-userkernel     all of the above

(The freeswan-module RPM gets built only if you specified building KLIPS
as a module.)  This is all very preliminary and needs a lot of polishing
as yet -- not to mention some documenting -- but it's a start.  (Thanks
to Paul Lahaie at Steamballoon for the first draft of this stuff.)

Argument checking in the default _updown script has changed slightly, to
make it easier to build custom scripts based on copies of the default one.
The script used to object to getting arguments it did not expect; now, if
the first argument is "custom", there will be no objection to further
arguments.  This will simplify small customizations by people who don't
want to learn the details of shell programming. 

Precisely where we insert our entry into the kernel's net/Makefile has
been changed, partly to put our stuff with related stuff, partly to move
us away from unstable areas where new changes often break our patches.

Ipsec_spi has been fixed to correctly report cannot-delete-an-unknown-SA
cases which could previously produce a cryptic "Unknown socket write error"
message.

There have been some small changes to messages to distinguish automatic
Pluto restarts (see 1.91, below) from normal ones, so that barf output
will extend back to a real restart.  (If this sounds familiar, it's
because this same item was noted in 1.92... but in fact the implementation
was not finished and didn't work.  Now it does.)

Pluto now stirs a bit of /dev/urandom randomness into some internal
decisions (notably rekeying times) which formerly were a bit too
predictable and could conceivably have resulted in different machines
being more or less synchronized.

Pluto log and status lines now include a bit more context.

KLIPS was checking for sequence-number rollover before packet authentication,
permitting a nasty denial-of-service attack.  This has been fixed.

A KLIPS locking problem which could cause system hangs on SMP machines
(and perhaps on non-SMP machines with SMP-enabled kernels) has been fixed.

Ipsec_spi now has an option for specifying SA lifetimes, although Pluto
is not yet using it.

Internal handling of release/snapshot version numbers has been revised;
in particular, there are now functions in the library for obtaining the
current version code, etc.  There should be no user-visible effects.
The master source for the version code (during builds) is a new top-level
file, Makefile.ver .

Pluto has a new "dns" debugging flag.

There have been some internal shakeups within KLIPS, which are believed
to have no user-visible effects.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.92:

Packets emerging from (automatically-keyed) tunnels are now checked for
plausible addresses, i.e. for whether they *should* have been sent through
that particular tunnel.  This can be controlled, on a per-connection
basis, with the new disablearrivalcheck parameter.  The default is "yes"
(disable the check) for backward compatibility, but the supplied ipsec.conf
now includes "disablearrivalcheck=no" in its %default section, since
almost all users will want the checking enabled. 

As a result of refusing to start an already-running IPsec, the startup
script would sometimes balk during a reboot after a crash.  This showed up
only on old Red Hats, which don't completely clear out /var/run during
reboot.  The locking has been revised to work around this.

The code which reports fragmentation (if fragicmp=yes is set in ipsec.conf)
has been made more selective, sending back an ICMP Fragmentation Needed
response only for non-ICMP packets with Don't Fragment set.

Quoting practices in ipsec_auto have been revised, so that essentially all
parameters emitted into shell commands are now enclosed in ""; this
permits a few unusual ones to have embedded white space, and makes the
errors easier to diagnose when ones that shouldn't have such space do. 
(This is likely to impact users of the X.509 patch, which was exploiting
the old quoting behavior in messy ways.  It also hurts people who have
been getting away with always-illegal practices like stray backslashes
in the middle of (left/right)rsasigkey parameter values.  Reporting of
such problems has always been poor, and these cases are no exception.)

The FreeS/WAN Makefiles have been shaken up substantially.  Notably, things
like installation pathnames are now located in a Makefile.inc include file,
rather than being passed down from the top Makefile by a long list of
command-line parameters.

White space within a non-quoted ipsec.conf parameter is now diagnosed as
an error.  It always was a violation of the rules, but we've now found
some cases where it causes real trouble, so the rules are now being
enforced more rigorously.

There is a new command, newhostkey, for generating a complete new minimal
ipsec.secrets file with a new public/private key pair.  (This is a first
step toward tools for more graceful key rollover.)

The "postpluto" parameter was broken in the last release, and is now fixed.

Pluto no longer does internal caching of DNS data, since it was not smart
enough to monitor it for staleness, and this increasingly matters.

There is now a "rekey" parameter for automatic keying, and rekey=no means
that this end will not attempt to rekey the connection when it's about to
expire.  The supplied opportunistic-encryption connection now sets rekey=no
(and a short keylife).

Pluto now incorporates a change which has been floating around for some
time as an informal patch:  the notorious Commit Bit is ignored, rather
than being cause for rejection of a message. 

The output of "ipsec auto --status" now keeps certain long lines intact
rather than automatically splitting them; this may hurt readability
slightly but simplifies program processing of the output.

There have been some small changes to messages to distinguish automatic
Pluto restarts (see 1.91, below) from normal ones, so that barf output
will extend back to a real restart.

The "interfaces" machinery in ipsec_setup has been made slightly more
tolerant of strange ifconfig output, to handle ATM interfaces in
particular. 

A major bug in the diagnosis of failed "route" commands in the default
updown script has been fixed, and code has been added for better diagnosis
of bad nexthop settings (which show up as "route" failures).

Barf now includes iptables dumps and excerpts from ps output.

The algorithm barf uses to figure out which log files to examine has been
smartened up to deal with the case where IPsec has been running for a long
time and its startup messages are no longer in the current log files.  It's
a bit of a kludge but it should generally work.

Barf output now puts tags on its different sections, to facilitate
automatic disassembly and analysis.

There is a new shunt-eroute type, %trapsubnet, which turns completely into
a %hold when a packet hits it, rather than spawning off a /32->/32 %hold
as %trap does.  This is for (future work on) demand connection setup,
whereas %trap is for opportunistic encryption. 

Minor tweaks have been made to KLIPS to avoid using the kernel min() and
max() macros, whose definitions keep changing in the 2.4.xx kernels.

As usual, some changes have been needed in KLIPS to track changes in
internal interfaces in the 2.4.xx kernels.

A %hold shunt eroute now stores the first and last packets to hit it, and
releases them when it is replaced by a "real" eroute.

The showhostkey --txt output is now split up into multiple strings, if
necessary, since BIND 9 (unlike BIND 8) won't do this automatically.  The
result is fully compatible with both.

The PF_KEY code now includes an obscure extension to the Identity
Extension, mostly for OpenBSD compatibility. 

Compressed transport-mode connections used to flunk tunnel exit checks;
this has been fixed.

The KLIPS compression code has been made more tolerant of misbehaving
implementations on the other end:  some demented systems, when asked to
use a compression method for which a predefined number (CPI) exists, will
put that number in packets even if a custom number was in fact negotiated.
KLIPS now copes.

The KLIPS error code used to report missing SAs has changed from EEXIST to
ENOENT. 

The library header files have been reorganized, moving a lot of the
kernel-specific clutter out of freeswan.h.

A bug has been fixed (our thanks to Savatier Sibastien) in how explicit
IP-address IDs are emitted as IKE payloads.

Pluto's internal handling of kernel error reports has been made more
paranoid, avoiding certain conditions which may have been causing Pluto
to hang or to fail with confusing error reports.

Some work has been done to reduce spurious compiler warnings in KLIPS.

ipsec.conf(5) has been updated to include discussions of what happens when
the two ends disagree on parameter values, and also some notes on
recommended settings (a commentary on the standard boilerplate we supply).

The patcher now knows how to do "patching" by appending rather than by
using patch(1), and this is used for some kernel files.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.91:

The big news this time is prototype opportunistic encryption, and bug fixes.
This release goes back to the "main line" of development; it's not an
offshoot like 1.9 was.  This means it incorporates some code that's a bit
more experimental than 1.9, but the divergence has just gotten too large
to back-port all the important fixes to 1.9.

Opportunistic encryption is starting to be usable; see doc/opportunism.howto
for the gory details.  (Better docs are coming.)  There is now an
opportunistic connection description in the supplied ipsec.conf.

We think all the memory leaks in KLIPS have been fixed.

It works with current 2.4.x kernels (2.4.5 as of the time of writing).
Compatibility with earlier 2.4.x kernels may have been sacrificed to
some extent.

When the hardware device "underneath" an ipsecN device goes down, the
ipsecN device doesn't actually go down, to prevent loss of routes and
packets going out in the clear if the hardware device comes back up. 

The assembler assist for compression has been re-enabled, thanks to a
fix from Svenning Soerensen (who has also been very helpful with the
memory leaks, and with updating to match the current 2.4.x kernels).

The spin-lock bug, which caused kernel hangs in SMP-enabled kernels when
AH+ESP or compression was used, has been fixed.

The ipsec_setup script has been extensively rewritten, and the machinery
behind it has changed quite substantially.  The only user-visible effect
should be that the plutobackgroundload parameter is now ignored, because
the connection setup is always done in the background.  (Another effect,
possibly visible in unfortunate cases, is that if Pluto dies a messy
death, the scripts will log the fact and restart it.)  Oh, and the exit
status of ipsec_setup should now be more accurate.

A 2.2.x kernel's net/Config.in file is now patched using a patch
appropriate to 2.2.19, BUT NOT to earlier 2.2.x kernels.  (If you must
use an earlier 2.2.x, "cp klips/patches2.2/net.Config.in klips/patches2.3"
before building.)

While continuing to offer a nice large MTU, KLIPS now detects attempts
at path-MTU discovery, and deals with them honestly, so that systems
trying to do things right will not be misled (perhaps disastrously).
(This is mostly another Svenning Soerensen fix.)  The "honest" MTU is
also now reported in the ipsec_tncfg output.

As a first step toward avoiding kernel rebuilds, there is now an
experimental facility for doing *just* a module build as part of the
installation, bypassing the rest of the kernel build.  Where you'd
normally type (e.g.) "make xgo" and "make kinstall", type "make xmod" and
"make minstall" instead.  (You still get to do a kernel configure, but the
only essential bit is to set IPsec to install as a module.)  Not perfect,
and not yet tested on any great diversity of systems, but it's a start. 

The default handling of packets for which no eroute exists is now
controlled by a packetdefault parameter in the config-setup section of
ipsec.conf, instead of always defaulting to "drop".  This supersedes the
no_eroute_pass parameter, which no longer exists.  There is a new family
of special "shunt" eroutes, implementing this and also relevant to
opportunistic encryption.  (A side effect of this is that SPI values
supplied for manual keying are now *required* to be 0x100 or higher,
whereas formerly this was merely strongly encouraged.)

Incoming policy checking has been beefed up slightly, and in particular
IPIP encapsulation will be removed only if it is expected.  (Incoming
checking still does not, alas, check the most important thing:  whether
the addresses inside the encapsulation are acceptable.)

Vestigial code for the ESP transforms with no encryption, which have not
really been supported for some time, has been taken out.

There is a new value for the auto parameter, "route", probably useful
mostly for opportunistic encryption.

The _updown script now handles one case specially:  a far-end subnet of
0.0.0.0/0 is routed with a pair of routes, one for 0.0.0.0/1 and one for
128.0.0.0/1, to kludge around a problem found during opportunistic testing.

Rsasigkey's "pubkey" output (used by showhostkey) is now in base64 rather
than hex, for slightly greater compactness and easier eyeball comparison
of keys.

Setup will attempt to load a KLIPS module only if the kernel has modules,
will refuse to start IPsec if it appears to be started already, and will
comment (but continue) if asked to stop IPsec when it does not appear to
be running.  (The exit status from a stop request reflects this.)  Also,
"ipsec setup status" now gives a (terse) report of whether IPsec appears
to be running or not, and reports in more detail if inconsistencies are
found (e.g. no Pluto running).  CAUTION:  the status-report syntax has
changed slightly from its original version.

Showhostkey has a --txt option (which takes a gateway parameter) to
generate the TXT record used in opportunistic encryption. 

Auto now defaults (left/right)nexthop to %direct, instead of trying to
fill in right/left, to avoid problems in opportunistic setup in
particular. 

The prototype ipsec.secrets file no longer includes a shared-secret
example.

The startup/shutdown priority of IPsec, in the fallback case of systems
which do not have chkconfig available, has been fixed to be compatible
with what chkconfig will do.

The default build-a-kernel target is now "boot" for any non-x86, not
just for the Alpha.  (Unfortunately, "boot" doesn't do the right thing
on the x86 at present.)

The distribution now includes preliminary KLIPS2 documentation, to
facilitate comments and review.

KLIPS's utility programs no longer accept one-letter options, to avoid
confusion in cases of misspellings etc.

Private (x- etc.) parameters are now stripped from _confread's output,
to avoid shell complaints in some situations.  There should be no
user-visible effects, except perhaps to folks who have been unwisely
relying on undocumented properties of the implementation.

Eroutes now have accounting data associated with them, to aid Pluto in
managing them (especially in the opportunistic case).  Should be no
user-visible effects, except for slightly different output from
ipsec_look. 

Pluto has been fixed so that all preparations necessary for whack to talk
to it are done before it spins off into the background, eliminating an old
race condition. 

The IPSECDIR variable supplied by the ipsec prefix command is now
IPSEC_DIR, and there is a new IPSEC_VERSION variable also supplied.
Most scripts now use this in their --version reporting.

The old manual-keying stuff in the supplied ipsec.conf has been removed.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.9:

The big change is that it works with the 2.4.x kernels (specifically,
2.4.2 at the moment).  KLIPS Makefiles have been converted to the new
2.4.x style, with backwards compatibility for use under 2.2.x and 2.0.x. 
Various small KLIPS fixes have been done for 2.4.x kernels. 

Inability to start KLIPS now causes a quicker and cleaner abort of the
whole startup operation.

Routing failure in _updown is now diagnosed in more detail, at Claudia's
suggestion; mysterious difficulties there are a frequent user problem.

Incorporated Olivier Kurzweg's fixes so that auto= parameters can now be
picked up from %default sections or sections appended by also=.

Pluto (and rsasigkey) have been fixed to do the "lcm" optimization for RSA
private keys... which means that Pluto should no longer reject most keys
generated by modern versions of PGP.  There is a new --noopt option for
rsasigkey, which suppresses the optimization, to generate private keys
compatible with the old Pluto.  (Note that public keys are unaffected; for
the normal way RSA keys are used, all that matters is that a host's own
Pluto is compatible with the rsasigkey used to generate that host's key.)

showhostkey now has options to produce ipsec.conf (left/right)rsasigkey
lines.  It retains information on when and how the key was generated,
as comments.  The default hostname, for DNS format, now comes from the
hostname supplied by rsasigkey (NOTE INCOMPATIBLE CHANGE) rather than
from "hostname --fqdn".

Inability to communicate with Pluto (e.g. because Pluto has died or was
never started) is diagnosed better.

An obscure bug that caused Pluto to die midway through negotiating a
connection has been fixed.

Pluto now notices whether the kernel supports compression, and will
refuse to negotiate it if there is no kernel support.

Better diagnosis of the %any-plus-no-id-plus-RSA-key case in ipsec.conf,
not a sensible usage but some people ran into it accidentally. 

The ipsec command now has a --directory option, reporting where the IPsec
commands are kept, and a report of this is included in barf output.

There is now a global overridemtu parameter in ipsec.conf, which can be
used to force a smaller value for the MTU of the ipsecN devices.

A bunch of utilities used for building the docs have moved out of utils
and into a subdirectory of doc.  Should be no user-visible effects.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.8:

FreeS/WAN now uses the system's GMP library (WHICH MUST EXIST) rather than
carrying its own private copy.  This requires not only the GMP library
itself, but also any "GMP development" package too -- these ship with all
normal Linuxes, but might not be installed by default.  (Note, "GMP" and
"GPM" are completely different libraries, despite the similarity of name.)

The problem with ping and tcpdump (and possibly some other software) being
unable to see large packets emerging from a compressed connection has been
fixed.

KLIPS locking has been extensively revised, curing a number of mysterious
performance problems.  (We hope it hasn't introduced any new bugs...)

The default updown script's comments have been extensively revised, in
hopes of making its workings clearer and facilitating customization.

IPComp has been smartened up (thanks again to Svenning Soerensen) and is
now somewhat more intelligent about when it should try to compress.

The internal configuration-file reader is progressively getting fussier
about what it will accept, which may cause problems for illegal ipsec.conf
files whose sins previously passed unnoticed.  IN PARTICULAR, the "auto"
parameter's values are now checked for legality everywhere.

Pluto has some experimental code in it to give better reports of who's
to blame when our packets are being refused.  This depends on some new
(non-FreeS/WAN) kernel stuff (IP_RECVERR) that isn't well documented yet...

The ipsec_setup code implementing the forwardcontrol parameter is now
smart enough to turn forwarding on only if it was previously off, and
turn it back off only if it was originally off.

Ipsec_manual has been updated:  it copes with inbound policy checking
properly, and invokes updown scripts rather than having its own default
commands wired in. 

Several scripts which depend on being able to standardize output from
certain commands now unset even more environment variables, in an attempt
to keep up with the latest vagaries of the internationalization botches. 

The distribution no longer contains any binary files (a couple of them
sneaked in deep in the mysterious innards of libdes, but they appear to
have been spurious) or symbolic links.

The top-level Makefile now supports "make backup" (makes a tarball in
the current directory, name of the form backup-2000-Nov-29.tar.gz,
containing everything FreeS/WAN install touches except the kernel and
its sources) and "make unpatch" (takes all of our patches out of the
kernel sources; note that a couple of kernel-source files get altered
by other means, but they are included in "make backup").

The verb Pluto supplies to the updown script was wrong when the local
subnet contained only a single host (should have ended in -client, was
ending in -host); this has been fixed.

The output of "ipsec auto --status" has changed in several small ways,
for the better we hope.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.7:

Fix for nasty Pluto bug:  When starting to negotiate a connection, Pluto
has to guess which connection is the appropriate one.  Shortly thereafter,
it finds out for sure, and may have to switch; this switch did not work if
the guessed connection had a subnet and the right one didn't, or vice
versa.  The symptom was mysterious and inappropriate complaints about being
unable to negotiate because "no connection is known for..."

Another, not quite as bad but serious in the context of our slightly
unstable IPComp:  with compress=no or no compress parameter, Pluto
wouldn't propose compression but would accept a proposal with compression,
if the other end made it.  Now it refuses.  (Finer control is really
needed, but this will do for now.)

A null-pointer KLIPS bug which caused a hard crash on the first incoming
packet in a number of situations (manual keying, IPComp negotiated but not
supported in kernel, etc.) has been worked around.



New and notable in 1.6:

The documentation has been re-organised and parts of it re-written.
There is a better table of contents (doc/toc.html), or you can have
the docs as one big file (doc/Howto.html). Installation is now in
a separate section (doc/install.html) and the configuration section
now assumes auto keying and RSA authentication as defaults.

We now implement IPComp, the protocol for pre-encryption data compression.
(Because encrypted data doesn't compress much, hardware compression is
useless for encrypted connections, and compression *before* encryption is
necessary.)  We do only the Deflate algorithm, the control code is not too
smart yet, and the whole thing is STILL A LITTLE BIT EXPERIMENTAL... so it
defaults to "off" in the kernel configuration.  (NOTE NEW KERNEL OPTION,
which you won't see if you drop 1.6 in on top of an existing FreeS/WAN --
this is a bug in the installation machinery.)  Beware:  if you ask Pluto
to negotiate a compressed connection, it *assumes* that the kernel is
configured to do IPComp, and chaos will ensue if it's not.  Also beware:
neither ping nor tcpdump cope well with compressed connections, although
more mundane programs like ftp don't have any trouble.  (Credits:
Svenning Soerensen contributed preliminary versions of most of this code.)

The internal library has been extensively overhauled for IPv6 support, as
have Pluto and the KLIPS utilities.  KLIPS itself can't do IPv6 yet,
though, so this isn't too useful so far.  Some IPv6 loose ends like user
interface haven't been tidied up yet either. 

Diffie-Hellman modp 768 Group, aka "Group 1", which is cryptographically
unacceptably weak, is NO LONGER SUPPORTED.  Automatic keying will now work
only with systems supporting the stronger Group 2 or the still-stronger
Group 5; almost everybody does at least Group 2 anyway.

As part of the IPv6 support, changes were made to the Pluto/updown
interface.  See pluto(8) for the details.  One oft-requested feature is
some new environment variables in net/mask format.  The changes are
"upward compatible", so the version environment variable was changed from
1.0 to 1.1. 

Unfortunately, the version-variable change WILL BREAK many customized
updown scripts.  The standard _updown now rejects attempts to run it from
older versions of Pluto, but accepts attempts to run it from newer ones. 
Older _updown versions, which many people have used as the basis for their
own custom ones, were fussier and will *not* run with newer Plutos --
e.g., this one -- so they will need to be updated. 

Various changes have been made to prefer RSA authentication, the patent
having expired.  IN PARTICULAR, authby=rsasig is now in the "conn %default"
section in the sample ipsec.conf. 

There are new configuration parameters to control several kernel options,
which can now be changed at startup time instead of having to be fixed at
kernel-configuration time.  The defaults are the same as the old behavior.

There is now a configuration parameter controlling whether the TOS field
of a tunnel packet is cleared or copied from the enclosed packet.  The
default IS DIFFERENT from the old (copy) behavior, which we believe
represented a security flaw:  default is now to clear TOS. 

There is a new configuration parameter, uniqueids, to control a new Pluto
option:  when a new connection is negotiated with the same ID as an old
one, the old one is deleted immediately.  This should help eliminate
dangling Road Warrior connections when the same Road Warrior reconnects. 
It thus requires that IDs not be shared by hosts (a previously legal but
probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
uniqueids=yes in its config-setup section.

Pluto has prototype experimental support for initiating and responding to
opportunistic negotiation.  A connection is considered for instantiation
for opportunism if it has a peer of %opportunistic (the connection
description must not specify a client for the peer).  Currently, the only
way to provoke an opportunistic initiation is to use whack to simulate the
interception of an outbound flow (do a "whack --help" and look at
opportunistic initiation).  These features are lightly documented because
they are experimental.  Limitations:  no actual interception of packets,
DNS query synchronous. 

Auto (and hence whack and Pluto) now recognize some magic keywords for
special addresses, instead of overloading 0.0.0.0 and such:
  + --host %any signifying any IP address, for Road Warrior,
    replacing 0.0.0.0 or 0::0
  + --nexthop %direct signifying "same IP as peer", replacing
    0.0.0.0 or 0::0
  + %any and %any6 as indices in ipsec.secrets to match IP addresses of
    Road Warriors (replacing 0.0.0.0 or 0::0)
  + --host %opportunistic signifying that the peer is actually
    to be discovered from the reverse DNS entry for the peer's client.
    This replaces --host 0.0.0.0 --client 0.0.0.0/32 (and IPv6 variants).
The old 0.0.0.0 forms continue to work... for now.

In ipsec.secrets, if multiple entries are the best match for the
connection, they must all have the same secret.  In the past there was no
code to compare RSA keys, so separate RSA entries were assumed to be
different.  Now they are compared.

The Pluto compile tries to figure out whether it's on a system that has
a modern resolver library, by looking at __RES in <resolv.h>.  Possibly
it gets some borderline cases wrong; we would appreciate bug reports.

Pluto now tries to defend itself against the clock being set backwards. 
The risk is that events might be delayed a lot.  Still no protection
against clock being moved forward. 

Interfaces that share IP addresses with others are ignored by Pluto,
avoiding a case it cannot handle gracefully yet.

The ipsec command has had its copyright goo split off into --copyright,
to reduce clutter in --version output.  Also, its --version option now
checks to see if it can determine the KLIPS version; if so, it checks
that against the userland version, and adjusts its output if the two are
different.

Ranbits and rsasigkey have had their key-size limits expanded.  Rsasigkey
hasn't gotten any faster, though; it will now blithely attempt to generate
a 20000-bit key, but your machine will probably die of old age before it
finishes. 

Pluto now rejects some forms of ID payloads that it doesn't support.

Manual now recognizes %default to mean 0.0.0.0/0.

The sample ipsec.secrets now uses the explicit "PSK" format for its
sample shared-secret entry. 

Barf now shows the values of the /proc/net/ipsec/* flags.

IPsec startup now checks for the presence of both /dev/random and
/dev/urandom, since various things use both. 

The last vestiges of support for the old netlink user-kernel interface
are vanishing fast.

Progress is being made toward more sophisticated PFKEY2 Pluto-KLIPS
communication; no spectacular new features to report yet. 

The KLIPS bypass for UDP/500 and type=passthrough used to misbehave on
very large packets; fixed.

In ipsec.conf, parameters with names starting with x_ and X_ are now
reserved for user customization, like ones starting with x- and X-.

/proc/net/ipsec_spinew is gone; it was never used and is no longer useful.

Rsasigkey now puts the host name in its output (and accepts an option to
override the automatically-determined one), which makes keys more
self-identifying.

Look bug fixed:  the sorting of the route info was affected strangely by
environment variables in some (now obsolete) Red Hat releases.

Setup now unsets MODPATH and MODULECONF before calling modprobe, to
ensure that only system modules get loaded.

Auto gives --id to whack only if an id parameter was explicitly given,
solving some subtle problems with doing Road Warrior with shared-secret
authentication.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.5:

Netlink support for user-kernel communication is gone.

Pluto's logging has been revised, although it still needs more work.

There are now manpages for the /proc files that KLIPS provides.

Pluto now avoids generating SPIs in the range 0x100-0xfff, effectively
reserving that range for manual keying.

Rsasigkey is now capable of taking old-key input from standard input.
Also, a buffer-size bug in it, which fouled up generation of keys larger
than about 2048 bits, has been fixed.

The update to the kernel configuration files is now done by copying and
renaming, which breaks hard links; this solves some problems and with luck
won't cause others... 

Some of Gerhard Gessler's mods for IPv6 support have been added.  (This
is only a very small first step; full IPv6 support is still far away.)

Barf now tries harder to find the right files in /var/log, and also makes
a first attempt at finding updown scripts.

A bug in AH hash setup has been fixed.  This breaks interoperability with
previous PF_KEY FreeS/WAN, but fixes it with other implementations.  Only
people using AH -- not many -- should be affected.

There are now prepluto and postpluto parameters in the "config setup"
section of ipsec.conf, to permit running user-supplied commands just
before and after Pluto startup (e.g., to briefly decrypt an encrypted
version of ipsec.secrets). 

The startup output about version and devices has gotten much shorter (a
somewhat more complete version is still found in the logs). 

Print a debug warning about bogus packets received by the outgoing
processing machinery only when KLIPS debugging is on.

Added configure option to shut off NO_EROUTE_PASSTHROUGH default (arcane
special requirement, most users should not have to care).

Some small changes have been made to minimize warning messages in compiles.

A bug in Pluto Road Warrior support has been fixed:  in responding to
Phase 2 / Quick Mode, once the client subnets (if any) are known, Pluto
must reselect which connection to use.  If it didn't happen to be using
the right one already, and no ID was explicitly specified for the peer,
and the right one is a Road Warrior connection, the right one would not be
found. 

Pluto now uses exponential backoff in retransmitting packets.  It also
has a special provision to attempt retransmission more times in the
case of an initiating message when an unlimited number of retries is
specified.

The ipsec_look output has changed a bit, adding more information and
revising the format slightly.

Some bugs in barf's key/secret censoring have been fixed.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.4:

A nasty bug in which a corrupted sequence number in a packet could
paralyze a connection, causing all subsequent packets to be rejected as
"duplicate", has been fixed. 

Setting DESTDIR in the top-level Makefile now puts everything under there
(and suppresses the chkconfig run), for building systems to be installed
elsewhere.  Beware, the lower-level Makefiles don't explicitly know about
this yet, the override works only from the top.

Pluto has the beginnings of DNS key fetching.  "leftrsasigkey=%dns" will
arrange for that key to be fetched.  It's a bit slow as yet.

ipsec_rsasigkey now generates a DNS KEY record as part of its output, and
has a --oldkey option that can be used to update old keys (previously
generated by it) to the current format with the new information. 

There is now an "ipsec showhostkey" command, which (given suitable
permissions, i.e. usually root) will build a DNS KEY record based on
/etc/ipsec.secrets.

In the absence of an existing /etc/ipsec.secrets, installation includes
automatic generation of an RSA host key.

Comments have been added to the default updown script, warning people that
installing a new release overwrites it.  (They should use a different name
for a locally-customized version.)

There is a new "config setup" parameter, "plutobackgroundload", which
moves initial connection loading and startup into the background.  This
is experimental, but may be of use to people who need fast system boots.

Startup and shutdown are now quieter, with less blow-by-blow narrative
from ipsec_setup.

ipsec.conf include processing has been made much more efficient, as the
first step in faster FreeS/WAN startup in large configurations.

The PFKEY2 kernel interface is now the only one supported.  Accordingly,
/dev/ipsec is no longer needed or created.

KLIPS's PMTU messages are now disabled by default, because they caused
problems for some people.

The hole that exempts IKE packets from IPSEC processing was a little too
wide -- it could let IKE packets from other machines through in clear --
and so it has been narrowed.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.3:

Pluto now uses a separate "updown" script (changeable via ipsec.conf, the
default is "ipsec _updown") to manipulate routing and firewalls.  This
should make it much easier to customize this stuff for local needs.

Pluto now supports per-connection debugging flags.

The conversion of userland-kernel communications from netlink to PFKEY2 is
nearly complete; netlink is increasingly unsupported.  PFKEY2 support is
now defaulted to y in kernel configuration.

New command, ipsec showdefaults, to show %defaultroute defaults (if any).

left/rightnexthop=%defaultroute can be used even if left/right is
specified explicitly.  (Limitation:  some cases with %defaultroute used
on one side but not the other will be rejected as errors, incorrectly.)

Left=leftnexthop, or right=rightnexthop, is now diagnosed as an error.

Fixed a bug in ipsec_look:  it didn't deal with %defaultroute properly.

Various small improvements to rsasigkey, including ensuring that the
key is exactly the specified number of bits.

Barf's secret-censoring has been fixed to censor private parts of RSA keys.

The patcher now tries to ensure that a weird user umask doesn't mess up
file permissions during patch application.  (It's hard to get this really
right, but this is a first attempt.)

The internal ipsec.conf-reader utility, and the text-to-address conversion
routine, now object to unprintable characters. 

The INSTALL file has been trimmed back severely, and is now aimed at
experts only; the HTML docs provide full install instructions for novices,
as they can do it better. 

/proc/net/ipsec_spi contents have changed, to show individual stats only
if non-zero, and shorten and clarify a number of details. 

Added inbound policy-checking code, currently experimental and temporarily
disabled, to reduce the number of packet leak paths. 

Shortened KLIPS debug output per packet.

Spigrp now has an (undocumented) --said option to use more modern syntax.

Support for 2.3.xx kernels has improved (our thanks to Marc Boucher), and
some bugs introduced by 2.3.xx kernel evolution have been fixed.

A bug in virtual interfaces (IP aliasing) has been fixed.

In general, a bunch of bugs in the hurriedly-prepared 1.2 release have
been fixed.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.2:

[Later addition:  somewhere around this release, the ESP transforms using
null encryption -- providing authentication only -- stopped being
supported, as a policy decision.]

The patcher has been improved to handle the case where a patch has gone
away (give it no key+patchfile arguments) and the old version must be
undone.  A number of the kernel patches have, in fact, gone away; for
example, all device, proc_fs and protocol registrations are now done
dynamically even for static-linked configurations.

A %defaultroute feature has been added for automatic configuration in the
simplest case (IPSEC on only one interface, the one the default route
points to); it can supply both the interfaces parameter and the address
and nexthop of one host.

The sample ipsec.conf has been simplified to exploit %defaultroute, and
has generally been cleaned up.

User-kernel communication is being converted to use PFKEY2 (RFC 2367),
although not quite everything has yet been taken care of.  The old
netlink-based code still works, for now.  There are new facilities in the
library for doing PFKEY2 communication.  All of this should produce no
user-visible changes except in log messages (which have changed a lot).
NB, Peter Onion helped out greatly in this.

Experimental facilities for RSA digital-signature authentication have been
added to Pluto and ipsec_auto, and there is an rsasigkey utility for key
generation.  This stuff is not yet well shaken down, or well documented. 

There is a new configuration parameter, spi, for ipsec_manual, simplifying
SPI assignment for FreeS/WAN-to-FreeS/WAN cases.  Standard manual-setup
keys are supplied in the sample ipsec.conf to aid testing.

The kernel now builds its own copy of the internal library, avoiding some
perennial problems with compile-option mismatches etc.  (Marc Boucher did
a lot of this.)

The KLIPS code now gets symlinked into the kernel tree file by file,
instead of with one symlink to the directory.  This has pros and cons,
but in particular it does work much better with the standard Makefiles,
and various little things have been done for better kernel integration.

The ipsec command now supplies PATH and IPSECDIR to commands under it, and
IPSECDIR is filled in at build time rather than being hardwired; also, it
can be different from where things are being installed. 

Various undocumented aspects of the /proc output have changed; be warned.
Of note are rather more per-SA statistics.

KLIPS now has IPSEC SA expiry based on reaching hard limits of
allocations, bytes, addtime, usetime, and replay counter rolling. 

A double locking bug which hit 2.0.36 (but not 2.0.38) has been fixed.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.1:

It now runs on the 2.2.xx kernels (we strongly recommend 2.2.12, not
earlier ones, for non-FreeS/WAN reasons), although there may still be
some bugs in transport mode.  Preliminary 2.3.xx support is in too.

Automatic rekeying has been heavily revised to fix some subtle bugs
(notably the "shoelacing" problem), and to vary its timing (see the new
"rekeyfuzz" parameter in ipsec.conf) so that sites with many connections
don't try to rekey all of them simultaneously. 

The bugs which made our interim Road Warrior support not work have been
(we hope) fully fixed.

type=tunnel and keyexchange=ike are now defaults in the ipsec.conf file,
cutting down the bulk of a simple connection entry.  Also, an empty value
for a parameter is now exactly equivalent to the default value (whereas
previously the meaning of this was parameter-specific and ill-defined).

The documentation now includes a permuted index.

Pluto has been fixed to use the correct length for DH values, which does
create a problem:  about one time in 256, it won't interoperate properly
with older Plutos (because the older ones got this wrong when the DH value
had a leading zero byte).  As a transition measure, there is a kludge in
place which *should* cause Pluto to retry immediately in that case;
cautious people who don't have to deal with old Plutos might want to
switch that off (look for the DODGE_DH_MISSING_ZERO_BUG macro in the
Pluto Makefile).

The kernel-patch applier has been changed so that if the patch seems to
have been applied already but there is no record of that, it assumes that
everything is okay.  THIS MEANS IT WILL NOT TRY TO BACK OUT AN OBSOLETE
PATCH FROM A PRE-1.00 RELEASE.  Anyone upgrading from a pre-1.00 release
to this release will have to start with a virgin kernel.  (The reason for
this change is that some of our kernel fixes are now showing up in the
official Linux kernel releases.)  Also, patch-applier output is now
saved in out.kpatch for later inspection, and a failed patch results in
the target file being restored to its original state (with the evidence
saved in foo.c.mangled).

The ipsec[0123] device is configured down if the attached physical device
disappears.  This is useful to prevent laptops from crashing when a PCMCIA
card is removed.

KLIPS now does data-structure locking to prevent some race conditions.

The kernel "make oldconfig" is now supported, via "make oldgo".

Variable length PPP headers are now supported (Thanks MB).

Some attempts have been made to smarten up the logic which tries to figure
out where boot scripts go.  It's still not perfect.

"ipsec look" now sorts each section of its output, and generally has had
some small format changes to make it more helpful.

ipsec --version reports the version of FreeS/WAN (even if KLIPS etc. is
not running at the moment).

There is now a default mechanism in ipsec.conf, so it's possible to set
defaults which apply for the rest of the file, to simplify repetitive
connection descriptions.  (Look for %default in the manpage.)

The machinery which reads ipsec.conf now detects unknown parameter names
and considers them an error.  (Names beginning with x- or X- are exempt,
they are permanently reserved for user customization.)

A bug in script handling of virtual interfaces (for IP aliasing) has been
fixed. 

The manual pages are now installed more intelligently, under all the
appropriate names rather than just some.

Several scripts which depend on the output of ifconfig now set environment
variables to try to ensure that the output is in English even if the user
is set up for another language.

We've begun using an ip_address type internally, to hide the details of
addresses with an eye on long-term IPv6 compatibility.

There is now a dumpdir parameter in ipsec.conf, to specify where Pluto
core dumps should occur if they are allowed at all (of relevance to
advanced developers only). 

Pluto's innards have generally been revised and cleaned up.

Devices ipsec2 and ipsec3 have been added, to increase the number of
interfaces which can have IPSEC on them.

/proc/net/ipsec_klipsdebug has been added to provide feedback about the
current KLIPS_DEBUG settings.  It is read-only.

There is much new code in the innards for PF_KEY2 support, although it
is not active by default yet, because it is still highly experimental.

As usual, there are assorted small bug fixes and improvements to docs
and messages.



New and notable in 1.00:

INSTALL procedures have changed, to require less typing by having the
Makefile do most of the dirty work.  The old procedures are still
available; see doc/impl.notes if required.  More attention is paid to the
fact that many people do not use the kernel "make install" to install
their kernels... although there are limits to how much help we can offer,
considering the complexity of the problem.  doc/kernel.notes offers some
observations on our experiences.

The default permissions on ipsec.conf are now rw-r--r--, not rw-------.

Command syntax for manual and auto has changed; for example, to bring an
auto connection up, say "ipsec auto --up name", not "ipsec auto name up".
The old syntax is still accepted, temporarily, but will draw warning
messages.

Communication to Pluto (auto+whack) now uses Unix-domain sockets, so that
permissions can be used to control access.

Configuration parameters for automatically-keyed connections have changed,
with the "encrypt" parameter gone and "auth" replacing "authenticate"
(with different values). 

A new config-file parameter, "also", permits putting a connection
description together piece by piece (with some pieces possibly in other
files, for greater security).

A new config-file parameter, "auto", cooperates with a new "%search" value
for the plutoload and plutostart setup parameters to allow connections to
be loaded and started automatically at IPSEC startup time, without having
to list all the names in plutoload or plutostart.

A new connection type, "passthrough", supports having some types of traffic
bypass IPSEC processing altogether.  (Manual "keying" only.)

Auto's --replace operation now also does --rereadsecrets.

The kernel patches are now applied by a more sophisticated script, which
in particular can undo old patches when the patches change (and can tell
when this has happened).  The downside is that everybody gets to install
from virgin kernel sources *once*, because the patcher can't undo patches
made by previous versions (they didn't leave enough information around).

Many of the more obscure examples formerly found in ipsec.conf are now
in doc/examples instead.

PMTU and fragmentation issues have been cleaned up w.r.t. RFCs.  The
kernel configuration includes a switch to shut off ICMP PMTUD messages if
hosts get confused by receiving ICMP PMTUD messages *and* ACKs.

Several of the configuration parameters for automatically-keyed connections
have changed name; notably, "lifetime" is now "keylife", and "rekeystart"
is now "rekeymargin".

Wildcard file includes are supported within ipsec.conf and ipsec.secrets.
The ipsec.conf processing has been cleaned up, made fussier about errors,
and centralized for easy changes. 

ipsec_barf output is more complete.

The censoring of keys and shared secrets in barf output is smarter:  now
it prints checksums instead of just deleting the sensitive information, so
there is some hope of being able to tell whether (for example) two keys
are identical. 

The "ipsec" wrapper command is no longer willing to run commands from
anywhere except its own directory.

The rekeytries parameter has become keyingtries, and applies to initial
setup as well as rekeying.  (Whack and ipsec_auto return after the first
try, but tries continue if keyingtries>1.)  A value of 0 means "a really
big number".

Pluto now respects the policy options of a connection (e.g., "--pfs")
even if the other end is initiating the connection.

Various rough edges in Pluto associated with disagreements between the two
ends have been cleared up.

Error messages and logging have generally been improved, and there have
been the usual assorted bug fixes.

Installation now uses "install" instead of "cp".

New in 0.92:

The biggest change is that the configuration/control files are completely
different.  /etc/sysconfig/ipsec, /etc/ipsec-manual, and /etc/ipsec-auto
have merged to become /etc/ipsec.conf, there is now a unified connection-
description format within it that either manual or auto can use, and
various other touchups have been done. 

/etc/isakmp-secrets also has changed format, and is now /etc/ipsec.secrets.
It implements the same "include" mechanism as the configuration file, and
the new format permits easier sharing of identical files between machines.

ipsec_manual's {left|right}masquerade parameters have been renamed to
{left|right}firewall, and ipsec_auto understands them too.

There are several new configuration parameters, including provisions for
asynchronous connection negotiation (in which Pluto starts negotiation
of all desired connections simultaneously, and IPSEC startup does not
wait for it to finish).

Pluto's innards have been reorganized; interoperability is much improved.
Also, Pluto now supports multiple interfaces.

The documentation has been massively improved, although there is still
much to be done.

The DES library has (finally) been updated to the latest.  The speed
improvement on x86 CPUs is especially large.

Support for single-DES (as opposed to 3DES) has been largely discontinued.
(The timing of this was a management decision which not all members of the
technical team agree with.)

KLIPS now sends all packets with different inner and outer destinations
directly to the attached physical device, rather than back through
ip_forward, preventing the "route stealing" problem (in which a route
being set up to a subnet could clobber the route to its gateway, causing
total packet loss).  The downside of this is that it is now important to
get the {left|right}nexthop parameters in the configuration file *right*.

ipsec_auto now supports transport mode.

Fragment handling has been shaken up and improved, generally for the
better, but the new stuff has not been tested well yet.

IPIP tunnels are now processed internally, not requiring the IPIP module
to be loaded or configured.

We now decrement TTL in outgoing packet and set TTL on new IPIP_TUNNEL to
default value, not from existing packet TTL value.  That is, a tunnel
looks like one hop, as it should. 

The SA ID %passthrough now signifies a magic SA which means that packets
should be passed through untouched.  (There is no ipsec_manual/auto
support for this yet.)

The '--said' command-line parameter is now accepted by the 'spi' and 'eroute'
commands to enable cut-and-paste of /proc/net/ipsec_* and debug output.

Initialization vectors (IVs) are now generated in the kernel; user-level
support for specifying particular IV values has been discontinued.

KLIPS has changed from transform switching to algorithm switching to
reduce redundancy (and accomodate PFKEYv2 switchover).  A major code
cleanup has also been done, reducing both source and binary size by 40%.

There have been many minor improvements, cleanups, and bug fixes.

New in 0.91:

Various new items of documentation, most notably doc/vpn.how, an intro to
setting up virtual private networks with FreeS/WAN.  Plus assorted updates
and improvements to old docs too.

Most of the contents of the ietf-drafts directory have been superseded by
RFCs 2401-2412 and 2451.

All the manual pages now are installed under names beginning with ipsec_,
to avoid name clashes.  Caution:  there is nothing that automatically
*removes* the older versions, if you've installed an earlier release.

The configuration file (/etc/sysconfig/ipsec) has been extensively
reworked, repeatedly.  The latest version supports multiple interfaces and
does not need to know addresses etc. 

There is an "ipsec manual" command for taking manually-keyed connections
up and down, with a corresponding control file containing some examples
(which are realistic enough to use as the basis for real ones).  There is
a corresponding "ipsec auto" command for Pluto-run connections.

The boot-time startup/shutdown script is now accessible as "ipsec setup",
and includes a "restart" facility.  It now allows for the possibility that
Klips may be a module, and clears out eroutes and spis at startup and
shutdown.  Setup errors and messages go to syslog as well as stderr. 
There are provisions for boot-time setup of multiple connections, both
manually and automatically keyed. 

There is now an optional facility for having the boot-time startup script
enable IP forwarding *after* basic IPSEC setup is done, to avoid timing
windows in which cleartext packets might leak out.

Rationalised all the klips kernel file headers.  They are much shorter
now and won't conflict under RH5.2.

"make insert" now sets up various IPSEC-related issues in the kernel
configuration right, so the sysadmin shouldn't need to make many changes
by hand. 

Discard packets for which there is no eroute if outbound on ipsec0.

Added temporary udp/500 IPSEC bypass for IKE daemons, so that they can
continue to talk "in clear" even when all other traffic gets encrypted. 

/proc/net/ipsec_* formats have been cleaned up for easy parsing by scripts.

There is a new concise format for identifying SAs, e.g. "ah0x507@1.2.3.4",
and many things now use it (and the utility functions that convert it to
and from internal forms).  Klips now has separate SPI number spaces for
AH, ESP, and tunneling internally.

The default of no replay checking can be overridden in manually-keyed ESP
xforms. 

Pluto has been substantially reworked internally, has an internal database
of potential connections (against which incoming requests are checked),
and does timed rekeying.  Whack talks to Pluto with TCP rather than UDP,
which permits Pluto to actually provide feedback on how things are going
(although the details of the feedback still need work).

Standardise on '-96' notation for AH transforms and '-128' notation for
ESP transforms in the 'spi' command.  The old notation without any
authenticator bit length still works and still refers to the '-96'
transform for AH transforms and '-128' transform for ESP transforms.

The output of "ipsec barf" has been reordered to put the more interesting
items first.  "ipsec look" has been added as a terse way to look at the
most important things.

New command, "ipsec ranbits", for generating good random bits for keys and
such.  (/dev/random does the work, but this provides a convenient scripting
interface to it.)  The sample isakmp-secrets and ipsec-manual files are now
built using this, so they no longer contain keys that everyone will know.

There is a new character (0t) key format, for weird people who like to
write keys as one ASCII character per byte.

Pluto now does PFS (Perfect Forward Secrecy), based on code contributed by
Kai Martius. 

Various output formats have been cleaned up and improved, and assorted
minor and major bugs fixed.




New in 0.90:

klips/doc/modes.html documents the setup of various possible types of
connection in a half-readable form.

Everything now runs under Red Hat 5.1 and the 2.0.35 kernel.

There is now an rc.d startup/shutdown script for Klips and Pluto, set
up during a normal installation, driven by a configuration file located
in /etc/sysconfig/ipsec.

There is a manual page for Pluto (and whack).

Pluto is now smart enough to tear down what it sets up.

The following xforms have been added and interop tested against OpenBSD
with the exception of the NULL xforms:
ESP_DES
ESP_3DES
ESP_DES_SHA1_96
ESP_3DES_SHA1_96
ESP_NULL_MD5_96
ESP_NULL_SHA1_96

All keys and IV's to the spi command must be in hexadecimal with a '0x'
prefix or in base64 with a '0s' prefix.  SPI's to the spi, spigrp and eroute
commands are hexadecimal (preferred) if preceded by '0x' or decimal if
preceded by a digit in the range 1-9.  Beware of leading '0's being
interpreted as octal.

A --clear option has been added to the eroute and spi commands to clear
the entire eroute and SA tables respectively and to the tncfg command
to clear all virtual I/Fs.

The eroute, tncfg, klipsdebug and spi commands have been converted to long
option names.  All command line parameters have been converted from
positional to long option args.  All script calls to these utils will
have to be updated.  The usage text and manpages have been updated
accordingly.

The spi and spigrp commands now accept name lookups for hosts.

The eroute command now condenses the src, srcmask and dst, dstmask arguments in 
a 'add' or 'del' call with a delimiting '/'.  It will now accept symbolic
names for hosts, nets or masks and will accept the mask as a number of 
significant bits.  Any scripts that call eroute will need to be changed.

All the klips utils now have --version and --help directives.

Klips utils cleaned up to check more thoroughly about improper arguments
and report more specific error information.  Kernel error codes made more
specific to help in debugging and identifying automatically, bad
command syntax.

Cleaned up some useless references to unused resources that prevent
compilation under RH 5.x.

Packets with more than one IPSEC wrapper will only be counted once in the
stats, before they were counted as many times as there were wrappers.  The
skb's pointer to dev is now set to the corresponding ipsecx I/F.

Make clean now does something useful in the klips/net/ipsec directory.
Dependancies have also been added to force recompile of the klips kernel
objects when the kernel config changes.

Klips is now statically linkable.  The config procedure has been changed
to allow options to a 'y' answer for CONFIG_IPSEC.  There are now more patches
to the kernel and several have changed.  It is advisable to repatch a
fresh kernel or back out the previous patches made for an earlier version
of klips.  Don't forget to remove any references to 'insmod ipsec' or
'modprobe ipsec' in any automatic or manual scripts if you use static
linking.  Depending on the size of your existing kernel, you may have to
use 'make bzImage' and install this kernel manually.

The INSTALL instructions now specify static linking, for simplicity.

The Klips sources are no longer copied into the kernel, hurrah.  Some
reshuffling of directories has made it possible to use a symlink.

Most of the utilities now go in /usr/local/lib/ipsec, with the "ipsec"
wrapper command used to access them.

Added a warning on module load if IPIP protocol is not available to
decode tunnel mode packets.  Additionally, kernel message advising of
receipt of IPIP packets if the protocol is not loaded has been added.

New in 0.85:

There is now a general-utilities directory, notably including a new
command ("barf") that dumps a bunch of debugging info on stdout.

INSTALL, and the top-level Makefile, have been simplified to do all
the user-level code in one fell swoop ("make" and "make install").
Provisions are also in for putting the user-level programs off in
their own directory and using the "ipsec" prefix command to invoke
them, but this has not been activated yet.

The manual keying utils' manpages are now installed in the default
location (/usr/local/man/man8) when the utils are installed.

'spi' utils now complains unless the exact key and iv sizes are supplied.

RX packets received and bogus are both now reported.  Note that packets
will be reported as many times as there are esp or ah headers per packet.
This will be fixed with the 2.1.x series kernel work.

Added check for self-describing padding.  It only reports possible bad
packets.  It does not discard them.  Reporting can be shut off with
debug options.

Experimental/Obsolete transforms are obvious in the kernel config and
can be disabled.

/proc/net/ipsec_version has been added which prints out the freeswan
version as well as the cvs id of each transform.

/proc/net/ipsec_spinew has been added which gives a fresh spi each time
it is read.  It increments by two each time due to proc subsystem
operation.  This counter will eventually roll over, so this needs to
be kept in mind for the long term (ie. todo: garbage collection, etc.).

There is now an organized internal mechanism for providing release version 
numbers to Klips and Pluto, so they can display them.  (Note, this is done
by symlinks made by the top-level Makefile at compile time.)

i/r specifier in 'spi' util has been removed.  It was obsolete.  Automated
commands that use spi will need to be updated.

The encr. and auth. keys have been split in the spi utility.

Version information added to all xform attach routines and klips utils.

Module releases all structures allocated at init to prevent memory
leaks from multiple insmod/rmmod operations.

All the /proc/net/ipsec_* pseudo-files now have no limit of output
data.  Previously, *very bad* things happenned if you had more than 3k
text output from ipsec_eroute and ipsec_spi.

All the /proc/net/ipsec_* interfaces have a banner to announce what it is
and blank lines to make it easier to read.

The names of the proc files have been changed to be consistent with the
rest of the files in the directory, in particular, note the change from
'-' to '_': /proc/net/ipsec-* have become /proc/net/ipsec_*.

/proc/net/ipsec_spi lists what algorithm is in use and does NOT list keys.

/proc/net/ipsec_spigrp lists all existing groups of spi's set by spigrp.

/proc/net/ipsec_tncfg lists all existing virtual IPSEC to physical network
connections.

Further debug output modifications so that klips will be much quieter
with debugging off.

Finer control of kernel debug messages from user space with subsystem
switches in klipsdebug.

All keys are zeroed after use in the manual keying utilities and in klips.

All kernel messages referring to IP's are in decimal dotted quad notation
now (they were in hex, or even in network order hex before).

Spigrp with one parameter set will ungroup an existing SA chain.

Deleting one SA will also remove all the rest in the chain.

New in 0.8:

The Klips (nee "IPSEC") and Pluto distributions have been integrated for
the first time, and some duplications cleared out.  We're also now including
the GMP library which Pluto needs.

Both Klips and Pluto have finally been updated to support separate ESP
encryption and authentication keys.  The Pluto code for this hasn't been 
tested extensively yet.

Klips is now capable of operation with devices other than Ethernet
interfaces.

Internal cleanup of Pluto is underway.  This release of Pluto supports
and uses more than one Transformation Payload within the Phase 1 SA
Payload.  One result of this is that it will not interoperate with
older versions of Pluto.

Work is underway on compatibility with later versions of Linux.

Klips's virtual ipsec devices can now be detached from the physical
device, and eroutes and sa's can now be deleted, so the last two commands
have been changed to "eroute" and "spi" from "addrt" and "setsa"
respectively.  "addrt" and "setsa" are obsolete.  Tunnel mode inside
transport mode now works with no delay (How useful this is, is debatable). 
Transmit statistics now work. 

The klips transforms: AH-HMAC-MD5-96, AH-HMAC-SHA1-96, ESP-3DES-MD5-96 and
ESP-DES-HMAC-MD5-96 have been updated from the old specs (RFC192[5-9])
to the new proposed draft standards (as of March 1998).

A second ipsec device has been hard-wired into the kernel module for use
with a second interface.  This is temporary and will change when the
kernel routing is overhauled and updated to 2.1.xx series kernels.

Kernel instrumentation was corrected, extended and added.

/proc/net/ipsec-route (originally /proc/net/ipsec-rt) is now 
/proc/net/ipsec-eroute for consistency with the command name.

A user-space utility has been added (klipsdebug) to dynamically change
klips debug output switches.  This change has removed all but one
config debug comile switch (ie. rerun kernel make {menu,x,}config).

ipsec_md5 and ipsec_sha1 files no longer have nested header files so
they can be used by userspace utilities.

tncfg no longer dumps core when invoked for usage message.

Manpages have been added for the (5) userspace klips utilities.

The klips README has been split and overhauled.

Added a tunnel mode and transport mode example based on current setup.

Added a patch for the Linux netlink code to clean up after a badly behaved
module (not likely to be significant in normal use, but having to reboot
after each test during debugging is impossibly painful).

Added a patch for the Linux kernel config utility help menus to explain
what the IPSEC option is, where to find the standards and where to find
the latest development.

RCSID $Id: CHANGES,v 1.274.2.2 2002/04/12 15:48:47 mcr Exp $