OpenSWan is the best IPsec implementation for Linux; it is powerful and goes as far as possible in guaranteeing the confidentiality and integrity of data in transit.
OpenSWan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on a range of platforms, including X86, X86_64, IA64, MIPS and ARM.
OpenSWan is the successor branch of the open-source project FreeS/WAN, which stopped development, and is made up of three main components:
1. Configuration tools (the ipsec command scripts)
2. Key management tool (pluto)
3. Kernel components (KLIPS/26sec)
OpenSWAN is essentially the most commonly used IPsec VPN on Linux. Version 2.6.41 was released on 2014-02-22, fixing two bugs in 2.6.40 (released 2014-02-14). The previously common version, 2.6.39, dates back to May 31, 2013.
Full changelog: v2.6.41 (February 21, 2014)
This version specifically addresses CVE-2014-2037
This CVE is a continuation of CVE-2013-6466. We missed some cases.
* SAREF: kernel patches updated to linux 3.11.0 (Simon Deziel)
* Fix for CVE-2014-2037 (Paul Wouters, Hugh Redelmeier)
v2.6.40 (February 14, 2014)
This version specifically addresses CVE-2013-6466.
Big changes are coming for the testing subsystem.
From this version on, we are disengaging the testing subsystem from
the Openswan source tree. You can still get a copy at
git@github.com:xelerance/old-openswan-testing.git
Some parts of an RFC4306/5996 patch were removed due to it
introducing a few IKEv2 specific crashers.
We will introduce a greater IKEv2 functionality upgrade in
the next version.
* CVE-2013-6466 fix: Integrated fix from Steve Lanser [Patrick Naubert]
* KLIPS: Fix for crashes in ipsec_xmit_ipip() for 3.4.65+ kernels [Thomas Geulig]
* Revert "relpath changes" [Brenda J. Butler]
* Add xmlto as Debian build dependency to have fresh man pages. [Simon Deziel]
* Avoid dns(sec) lookups for numerical sourceip= values [Paul Wouters]
* Updated FSF address on the GPLv2 COPYING file [Paul Wouters]
* Removed some obsoleted files in docs/ [Paul Wouters]
* Added "ipsec initnss" command [Paul Wouters]
* XAUTH: Use incoming XAUTH VID when picking best connection [Andrey Alexandrenko]
* XAUTH: fix pam race condition and contrib/pam.d file [Paul Wouters]
* Do not perform XAUTH/ModeCfg during rekey when using Cisco compatibility [Avesh Agarwal]
* v1phase2tov2child_integ() addition [Avesh Agarwal]
* Changes related to bz#703985 for Secure Labeling [Avesh Agarwal]
* Added Avesh's additional labeled ipsec logging to starterwhack [Paul Wouters]
* Support reading NSS password from file [Paul Wouters]
* Restore postpluto functionality which was missing [Tuomo Soini]
* Don't refer to NETKEY as "2.6" or "experimental code" [Paul Wouters]
* Added AH_SHA2_256_TRUNC to ah_transform_name_private_use [Paul Wouters]
* helper: helper_passert_fail no longer used. Fix two string format warnings [Paul Wouters]
* Put rpmbuild values used to compile in Makefile.inc as commented examples [Paul Wouters]
* X509: fetch_ocsp should return void, not void * [Paul Wouters]
* gen_reqid() can call exit_log() but confuses compiler [Paul Wouters]
* XAUTH: fixup previous maxlength fix. Move hardcoded values to defines [Paul Wouters]
* Support /etc/sysconfig/ipsec and /etc/default/ipsec (rhbz#789917) [Paul Wouters]
* Backporting proc_subdir_remove with Al Viro's code.
There must be a better way than me backporting something... [Patrick Naubert]
* Added package to load dependency for developers [Michael Richardson]
* Make ls command explicitly avoid columns, and search both regular
directory and execdir [Michael Richardson]
* When logging ESP keys, be clear about which direction is which [Michael Richardson]
* inet6 protocol does not have netns_ok flag [Michael Richardson]
* Added netns_ok lie to get regression tests to pass [Michael Richardson]
* Changes to work with linux 3.9 [Michael Richardson]
* Fix a typo reported by someone to the dev@lists.openswan.org (https://lists.openswan.org/pipermail/dev/2013-September/003104.html) [Simon Deziel]
* Update links in the README and mention that Python is a dependency
for ipsec verify now [Patrick Naubert]
* Log if we send non-default PLUTO_*_RETRANSMIT_* values via env variables [Paul Wouters]
* NETKEY: linux_pfkey_add_aead() left alg.sadb_alg_reserved uninitialised [Paul Wouters]
* starter: remove prototypes for static functions [Paul Wouters]
* Remove duplicate include of oswlog.h in x509dn.c [Paul Wouters]
* Merge virtif.c header change [Paul Wouters]
* _updown.netkey: fix route to be inserted on correct interface when
nexthop is used [Tuomo Soini]
* Added new option plutostderrlogtime= (default=no) [Paul Wouters]
* Cap xauthpasslen and xauthnamelen at 128 (their buffer size) [Paul Wouters]
* fmt_log() fix similar to previous strncat() use [Paul Wouters]
* xauth: in theory, in xauth_inI0() it could attempt to memcpy NULL [Paul Wouters]
* Ensure not to call same_chunk on a null pointer [Paul Wouters]
* Simplified functions around strncat/snprintf [Paul Wouters]
* Fixup format_end(), do not use strncat but snprintf [Paul Wouters]
* Move the close() call for the sock to the function that created it. [Paul Wouters]
* Undo the close on whack_sock, as it is placed in the state. [Paul Wouters]
* Close dup()ed whack_sock in ipsecdoi_replace() to avoid leaking fd [Paul Wouters]
* Remove other half of ipsec_copyright_notice() [Paul Wouters]
* Include "sysdep.h" in udpfromto.c [Paul Wouters]
* Close socket fd of the interface in _iface_down() [Paul Wouters]
* Fix potential strncat() failure in format_end() [Paul Wouters]
* More strncat() safety checks [Paul Wouters]
* Additional safety checks to alg_info_snprint_esp() and
alg_info_snprint_ah() [Paul Wouters]
* Additional safety checks to addrtot(), inet_addrtot() and sin_addrtot() [Paul Wouters]
* Block rules created by openswan remain even after tunnel establishment [Panagiotis Tamtamis]
* Remove KLIPS define in initiate.c [Paul Wouters]
* DNSSEC: added root and DLV (dlv.isc.org) key for dnssec validation [Paul Wouters]
* ipsec-tools 0.8.0 mistakenly sets some NAT-OA fields that are defined
in RFC1374 as "always zero". We define these as "ft_mbz" (Must Be Zero) [Paul Wouters]
* Fixup some credits. Remove merged contrib code for selinux [Brenda J. Butler]
* Redone and simplified functions around strncat/snprintf for addrtot.c [Paul Wouters]
* Fix addrtot() with a passert and off-by-one [Paul Wouters]
* Move the close() call for the sock to the function that created it. [Paul Wouters]
* Close socket fd of the interface in _iface_down() [Paul Wouters]
* Change name from libreswan.h to openswan.h [Brenda J. Butler]
* Fixup IPSECKEY support with ipv4/ipv6 family and support --precedence [Paul Wouters]
* Updated vendorID to be Openswan specific. Print it with --version [Michael Richardson]
* Remove support for kernels without snprintf [Paul Wouters]
* Remove support for kernels not supporting MALLOC_SLAB [Paul Wouters]
* Remove remaining pre 2.4.4 kernel support [Paul Wouters]
* Remove pre 2.4.4 IP_FRAGMENT_LINEARIZE compat code [Paul Wouters]
* Remove pre 2.4.4 kernel compat for PROTO_HANDLER_SINGLE_PARM [Paul Wouters]
* Remove compat code for SKB_COW_NEW for < 2.4.4. kernels [Paul Wouters]
* Remove compat old/broken IP_SELECT_IDENT for < 2.4.2 kernels [Paul Wouters]
* Remove SKB_COPY_EXPAND for < 2.3 kernels [Paul Wouters]
* Remove /proc dummy code for old kernels (PROC_NO_DUMMY) [Paul Wouters]
* Always add support for alias capability (CONFIG_IP_ALIAS) [Paul Wouters]
* Remove support for NET_23 (kernels before 2.3) [Paul Wouters]
* Remove kernel support predating NETLINK [Paul Wouters]
* Remove /proc support pre-2.4 kernels (PROC_FS_2325/PROC_FS_21) [Paul Wouters]
* Remove more old 2.1 and 2.3 kernel code [Paul Wouters]
* Remove support for kernels without SPINLOCK and SPINLOCK_23 [Paul Wouters]
* Remove support for Linux kernels < 2.1.0 via NET_21 define [Paul Wouters]
* Updated ipsec showhostkey to support IPSECKEY [Paul Wouters]
* Fix generating libreswan versions based off git [Paul Wouters]
* Typo fix in man 5 ipsec.conf [Simon Deziel]
* Handle NULL returns from glibc 2.17+ crypt(). [mancha]
* Only use -Wno-error=cpp when GCC's version is >= 4.6 [Simon Deziel]
* Remove debug code [Simon Deziel]
* Call "ss" without using the fully qualified path as this binary is installed in different place depending on the distro [Simon Deziel]
* Removed some /testing links in Makefile.top [Patrick Naubert]
* DPD typo fix: Dectection -> Detection [Simon Deziel]
* Sync patches with variables names [Paul Wouters]
* Log a warning for NETKEY/XFRM breaking RFC 4301, Section 5.2 [Paul Wouters]
* Always assume UDPFROMTO works on Linux and BSD [Paul Wouters]
* Only set MODP768_MODULUS with USE_VERYWEAK_DH1 [Paul Wouters]
* updown: Delete the source ip address on down only for Cisco peer [Paul Wouters]
Download: https://download.openswan.org/openswan/openswan-2.6.41.tar.gz
Source: 开源中国社区 (OSChina community)