Version 1.1.4
--------------

- Extended the port and protocol selector functionality in order to make it
  coexist in a friendly way with opportunistic encryption.

Version 1.1.3
--------------

- Fixed a bug in the function scan_proc_shunts() in pluto/kernel.c that
  incorrectly registered the ports of orphaned %hold eroutes. Debugging
  output was also added to scan_proc_shunts().

Version 1.1.2
--------------

- Extended the protocol and port selector functionality so that dynamically
  created %hold eroutes cannot block part of the traffic any more.

Version 1.1.1
--------------

- Stephen J. Bevan's protocol and port selector patch has been worked into
  the X.509 patch. The added functionality is equivalent to that of
  version 0.9.18.

Version 1.1.0
--------------

- Added dynamic CRL fetching based on the cURL command line tool available
  from 'http://curl.haxx.se'. Currently 'http', 'ftp' and 'file'
  crlDistributionPoint URLs are supported.

- Added dynamic CRL fetching based on the OpenLDAP 2.x library available
  from 'http://www.openldap.org'. Currently a single CRL query result based
  on an 'ldap' crlDistributionPoint URL is supported. Simple authentication
  without username/password is used.

- Periodic CRL checking and retrieval is done by an independent pluto
  thread. Therefore, starting with version 1.1.0, the POSIX pthreads library
  is required, which should already be present on most Linux systems.

- The new parameter crlcheckinterval in the config setup section of
  ipsec.conf defines the interval in seconds between two CRL validity
  checks. The default crlcheckinterval=0 disables dynamic CRL fetching.

  My thanks go to Stephane Laroche <stephane.laroche@colubris.com>, who
  contributed the multithreading source code I based my implementation on.

- The port and protocol selectors introduced with version 0.9.16 are not
  supported yet in the 1.x.x versions.
Version 1.0.2
--------------

- For security reasons the shell metacharacters ', ", `, $, and \ are
  replaced by their octal escape values in the environment variables
  $PLUTO_MY_ID and $PLUTO_PEER_ID that are made available in the _updown
  script.

- Changed the error messages of check_validity() in x509.c to make clear
  that either an X.509 certificate is not valid yet or that it has expired.

Version 1.0.1
--------------

- Pluto sends an OpenPGP vendor ID if it has an OpenPGP certificate as an
  initiator or if it receives an OpenPGP vendor ID from the peer as a
  responder.

- Fixed two bugs introduced with version 1.0.0.

Version 1.0.0
--------------

- The X.509 default certificate /etc/x509cert.der and the PGP default
  certificate /etc/pgpcert.pgp have been obsoleted and are not available
  any more. Local X.509 certificates in base64 PEM and binary DER format
  are now exclusively loaded using the leftcert/rightcert parameters in
  /etc/ipsec.conf.

- OpenPGP certificates containing RSA public keys can now directly be
  loaded in ASCII armored PGP format using the leftcert/rightcert
  parameters in /etc/ipsec.conf:

    conn pgp
         right=%any
         rightcert=peerCert.asc
         left=%defaultroute
         leftcert=gatewayCert.asc

- PGP private keys in unencrypted form, i.e. not secured by a passphrase,
  can now directly be loaded in ASCII armored PGP format via an entry in
  /etc/ipsec.secrets:

    : RSA gatewayKey.asc

- The command ipsec auto --listcerts now shows both X.509 and PGP
  certificates that have been loaded locally. X.509 and PGP connections
  can now be set up simultaneously.

- The default path for local end certificates has been changed from
  /etc/ipsec.d to /etc/ipsec.d/certs.
  The directory /etc/ipsec.d now contains the subdirectories private,
  certs, cacerts, and crls.

############################################################################

Version 0.9.40
---------------

- Fixed the PKCS#7 vulnerability which accepted end certificates having
  identical issuer and subject distinguished names in a multi-tier X.509
  trust chain.

Version 0.9.39
---------------

- An empty ASN.1 SEQUENCE OF or SET OF object (e.g. a subjectAltName
  certificate extension which contains no generalName item) can cause a
  pluto crash. This bug has been fixed. Additionally the ASN.1 parser has
  been hardened to make it more robust against malformed ASN.1 objects.

Version 0.9.38
---------------

- Introduced port wildcards which make l2tp interoperability with
  Mac OS X Panther possible. Configuration example:

    conn l2tp
         right=%any
         rightprotoport=17/%any
         left=%defaultroute
         leftid=@pluto.strongsec.com
         leftprotoport=17/1701

Version 0.9.37
---------------

- Fixed a bug which did not set the destination port in IPsec transport
  mode based roadwarrior connections using port selectors.

Version 0.9.36
---------------

- Fixed a bug which caused the port selector not to be set in roadwarrior
  connections with a rightsubnetwithin parameter.

- Fixed a bug which caused the port selector to be erroneously set in OE
  connections to clients behind OE-enabled gateways, causing endless
  Quick Mode renegotiations.

Version 0.9.35
---------------

- FreeS/WAN now supports the X.509v3 certificate extensions
  'subjectKeyIdentifier' and 'authorityKeyIdentifier'. This feature
  facilitates the traversal of X.509 trust chains and also makes it
  possible to have multiple versions of a CA certificate with identical
  distinguished names but different RSA keys in simultaneous use.

- Fixed a bug in the temporary_cyclic_buffer() for ID strings.

Version 0.9.34
---------------

- FreeS/WAN as a responder to a road warrior can now send multiple
  certificate request payloads in IKE Main Mode, enumerating all
  available CAs.
  This new feature should now make full interoperability with Cisco boxes
  possible.

Version 0.9.33
---------------

- Until now only one certificate request (CR) payload could be handled.
  Now multiple CRs are collected and are taken into account when selecting
  an appropriate connection.

Version 0.9.32
---------------

- The $PLUTO_PEER_CA variable was not initialized properly for PSK
  connections.

- Fixed a port map bug which allowed all ports to be tunneled through an
  eroute set up with port selectors.

Version 0.9.31
---------------

- Raw RSA keys don't have an issuer field. Fixed a bug in
  kernel.c:do_command() that caused a Pluto crash when the issuer field
  contained a NULL pointer.

Version 0.9.30
---------------

- The DN wildcard bug was not completely fixed by version 0.9.29.

Version 0.9.29
---------------

- Fixed a bug causing allocation of 0 bytes of dynamic memory for an
  issuer DN in preshared.c. Occurred only when loading raw RSA keys via
  whack.

- Fixed a bug that occurred when using roadwarrior connections with DN
  wildcards. If the connection was not switched after receiving the peer
  id, the wildcard id was not replaced by the actual peer id.

Version 0.9.28
---------------

- The statement rightca=%same copies the CA from leftca, which by default
  is usually the issuer field extracted from the certificate loaded via
  leftcert.

- Created the $PLUTO_PEER_CA environment variable that makes the peer's CA
  available to the updown script.

- The support of the deprecated /etc/x509cert.der default certificate has
  been discontinued. Please use the leftcert parameter to load FreeS/WAN's
  certificate[s].

- Closest match metrics to the desired CA have been extended to Quick Mode.

Version 0.9.27
---------------

- By introducing the new parameters leftca and rightca, IPsec policies
  based on issuing CAs can now be implemented.
  Example:

    conn sales
         right=%any
         rightca="C=CH, O=ACME, OU=Sales, CN=Sales CA"
         rightsubnetwithin=10.1.0.0/24    # Sales DHCP range
         leftsubnet=10.0.0.0/24           # Sales subnet

  This means that the connection sales can only be used by peers presenting
  a certificate that has been issued by the Sales CA.

- Additionally, if a rightca statement is present, then the CA defined by
  it will be sent to the peer as part of a certificate request message
  (this should help with some Cisco implementations that require a
  specific CA in the CR message). The sending of CR messages can be
  disabled by using the existing nocrsend=yes parameter.

- Automated the error-prone generation of the table coding the OID tree
  used by the X.509 patch. The perl script oid.pl now generates the new
  files oid.h and oid.c based on a common text file oid.txt. New OIDs can
  now be added to oid.txt with ease.

- In order to increase the interoperability with OpenSSL 0.9.7 the
  following two attributes were added that could be used as relative
  distinguished names:

    emailAddress     long form of E and Email
    serialAddress    long form of SN

Version 0.9.26
---------------

- Because of a little bug in connections.c:default_end(), connections
  without a rightid parameter (defaulting to right) could not be
  initiated ("cannot initiate connection without knowing peer IP
  address").

Version 0.9.25
---------------

- A stupid bug caused pluto to crash while establishing non-roadwarrior
  connections.

- Corrected a couple of wrong cross-references in the README.

Version 0.9.24
----------------

- Wildcard-based templates for ID_DER_ASN1_DNs, which can be used to
  enforce complex IPsec policies, are now supported.
  Example:

    rightid="C=CH, O=strongSec GmbH, OU=Sales, CN=*"

  matches any VPN user or host belonging to the Sales department.

Version 0.9.23
---------------

- Due to a single source code line that got lost while back-porting the
  changes from x509-1.1.6 to x509patches-0.9.22, the "E=", "Email=" and
  "TCGID" attributes in distinguished names could not be parsed any more
  in the rightid/leftid parameters of ipsec.conf.

Version 0.9.22
---------------

- Added the following attributes that could be used as relative
  distinguished names:

    short  long                  OID
    UID    userId                0.9.2342.19200300.100.1.1
    DC     domainComponent       0.9.2342.19200300.100.1.25
    ID     x500UniqueIdentifier  2.5.4.45

- Ported the improved RSA private key selection mechanism from version
  1.x.x for freeswan-2.00 back to freeswan-1.99. Using the public key
  contained in a loaded certificate, the corresponding private key is
  always correctly found.

Version 0.9.21
---------------

- Extended the port and protocol selector functionality in order to make
  it coexist in a friendly way with opportunistic encryption.

Version 0.9.20
---------------

- Fixed a bug in the function scan_proc_shunts() in pluto/kernel.c that
  incorrectly registered the ports of orphaned %hold eroutes. Debugging
  output was also added to scan_proc_shunts().

Version 0.9.19
---------------

- Extended the protocol and port selector functionality so that
  dynamically created %hold eroutes cannot block part of the traffic any
  more.

Version 0.9.18
---------------

- Fixed a bug in the function route_owner() in connections.c. Protocol
  selectors were not considered when finding existing eroutes. This
  deficiency made it impossible to set up simultaneous IPsec SAs for
  multiple protocols (e.g. tcp, udp and icmp).

- Fixed a bug in the function find_client_connection() in connections.c.
  When refining the connection during quick mode, protocol and port
  selectors set to zero could be used as wild cards.
  This feature caused IPsec SAs with active protocol and/or port selectors
  to be bound to a connection definition having no selectors at all. With
  the fix in place an exact protocol/port match is required.

- Added protocol/port debugging output during quick mode in ipsec_doi.c.

Version 0.9.17
---------------

- Fixed a bug that under certain circumstances caused eroutes without port
  and protocol selectors to be restricted to port 500.

Version 0.9.16
---------------

- The selector patch developed by Stephen J. Bevan
  <stephen@dino.dnsalias.com> has been integrated into the X.509 patch.
  Port and protocol selectors in eroutes allow outbound traffic selection.
  Inbound traffic selection must still be based on firewall rules
  activated by an updown script. If you want e.g. to tunnel http traffic
  and icmp messages only, then you can do this by defining the following
  two IPsec SAs:

    conn icmp
         right=%any
         rightprotoport=icmp
         left=%defaultroute
         leftid=@pulpo.strongsec.com
         leftprotoport=icmp

    conn http
         right=%any
         rightprotoport=6
         left=%defaultroute
         leftid=@pulpo.strongsec.com
         leftprotoport=tcp/http

  The command ipsec auto --status will show the following connection
  definitions:

    "icmp": 160.85.106.10[@pulpo.strongsec.com]:1/0...%any:1/0
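The version 1.0.2 entry above says that ', ", `, $ and \ are replaced by octal escapes before $PLUTO_MY_ID and $PLUTO_PEER_ID reach the _updown shell script. The following is an added illustration of that escaping, not pluto's own code; the function names, the sanity check and the sample peer ID are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metacharacters the 1.0.2 change escapes before an ID reaches _updown. */
static const char SHELL_META[] = "'\"`$\\";

/* Return a malloc'd copy of id with every shell metacharacter replaced by
 * its three-digit octal escape (e.g. '$' -> "\044"); other bytes,
 * including the blanks and commas of a DN, are copied unchanged. */
char *escape_for_updown(const char *id)
{
    char *out = malloc(strlen(id) * 4 + 1);   /* worst case: all \ooo */
    char *p = out;
    const unsigned char *s;
    if (out == NULL)
        return NULL;
    for (s = (const unsigned char *)id; *s != '\0'; s++) {
        if (strchr(SHELL_META, *s) != NULL)
            p += sprintf(p, "\\%03o", (unsigned)*s);
        else
            *p++ = (char)*s;
    }
    *p = '\0';
    return out;
}

/* Sanity check before exporting (hypothetical helper): 1 if a
 * metacharacter survives other than the backslash opening a \ooo escape. */
int has_unescaped_meta(const char *escaped)
{
    for (; *escaped != '\0'; escaped++) {
        if (*escaped == '\\') {
            if (strlen(escaped) < 4) return 1;   /* truncated escape */
            escaped += 3;                        /* skip the octal digits */
        } else if (strchr(SHELL_META, *escaped) != NULL) {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    const char *peer_id = "C=CH, O=O'Brien $ Co, CN=roadwarrior"; /* constructed */
    char *safe = escape_for_updown(peer_id);
    printf("PLUTO_PEER_ID=%s (unescaped=%d)\n", safe, has_unescaped_meta(safe));
    free(safe);
    return 0;
}
```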
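Versions 0.9.24 and 0.9.27 above describe matching a peer's distinguished name against a rightid template with a "CN=*" wildcard and against an exact rightca value. The following is an added example of that matching logic on text DNs, not the X.509 patch's own implementation; it assumes RDNs separated by ", " and no commas inside values.

```c
#include <string.h>
#define MAX_RDN 16

/* One relative distinguished name as text: attribute type and value. */
struct rdn { char type[32]; char value[128]; };

/* Split a text DN such as "C=CH, O=ACME, CN=*" into RDNs on ", " and "=".
 * Values containing a comma are not handled (assumption of this example).
 * Returns the number of RDNs, or -1 for malformed input. */
static int parse_dn(const char *dn, struct rdn *out, int max)
{
    int n = 0;
    const char *p = dn;
    while (*p != '\0') {
        const char *eq, *end;
        size_t tlen, vlen;
        while (*p == ' ') p++;                  /* blanks after a comma */
        eq = strchr(p, '=');
        if (eq == NULL || n == max) return -1;
        tlen = (size_t)(eq - p);
        end = strchr(eq + 1, ',');
        vlen = end ? (size_t)(end - eq - 1) : strlen(eq + 1);
        if (tlen == 0 || tlen >= sizeof out->type || vlen >= sizeof out->value)
            return -1;
        memcpy(out[n].type, p, tlen);       out[n].type[tlen] = '\0';
        memcpy(out[n].value, eq + 1, vlen); out[n].value[vlen] = '\0';
        n++;
        p = end ? end + 1 : eq + 1 + vlen;
    }
    return n;
}

/* Match a peer DN against a template: same number of RDNs, same attribute
 * types in the same order, and every value equal unless the template value
 * is "*". Without a wildcard this is the exact comparison rightca needs.
 * Returns 1 on match, 0 otherwise (including malformed input). */
int match_dn(const char *tmpl, const char *peer)
{
    struct rdn t[MAX_RDN], a[MAX_RDN];
    int tn = parse_dn(tmpl, t, MAX_RDN);
    int an = parse_dn(peer, a, MAX_RDN);
    if (tn < 0 || an != tn) return 0;
    for (int i = 0; i < tn; i++) {
        if (strcmp(t[i].type, a[i].type) != 0) return 0;
        if (strcmp(t[i].value, "*") != 0 && strcmp(t[i].value, a[i].value) != 0)
            return 0;
    }
    return 1;
}
```

A peer DN with fewer or more RDNs than the template, or with the RDNs in a different order, does not match, which keeps "CN=*" from widening the policy beyond the Sales organizational unit.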