X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=NEWS;h=8094c3e79c448870a606cd3aca1224a4fd58b9bc;hb=9eba4abfe44617aa78f625d900fe6bc2c58bb4cb;hp=98dbf2289e8e76a5dcfeedd58b30faa13b2465bb;hpb=c4ccd63b1f4d8a556c4ad764a23364e4b7424338;p=secnet.git diff --git a/NEWS b/NEWS index 98dbf22..8094c3e 100644 --- a/NEWS +++ b/NEWS @@ -1,64 +1,331 @@ -[0.6.0] 2006-11-01 -* basE91 encoding/decoding routines restructured to be thread-safe -* lots of type fixes -* new core utility is `base91', with a behaviour similar to GNU base64 -* introduce `-w' switch for wrapping encoded output lines after given length -* long option handling -* use standard I/O functions for better portability -* MinGW compatibility code added -* minor extensions to `make check' -* Java-tool wraps output lines by default; can be avoided with the `-u' switch -* license changed to BSD - -[0.5.2] 2006-08-25 -* code cleanup -* encoder for DOS rewritten to be faster and compatible down to Intel 8086 - -[0.5.1] 2005-10-05 -* Java-b91enc now handles file extensions case insensitively -* native DOS version of basE91 encoder added - -[0.5.0] 2005-06-24 -* ATTENTION: this version breaks backward compatibility because the basE91 - alphabet was changed to reduce the occurrence of double quotes - sorry, I - should have done this long before -* b91dec is installed as a link to b91enc -* `-e' option added (complement to `-d') -* build system should be more portable now - -[0.4.2] 2005-05-16 -* AWK basE91 decoder no longer depends on GNU extensions -* Java byte code removed (distributed separately in a jar file) - -[0.4.1] 2005-05-07 -* some code cleanup -* Java-b91enc can break encoded output to lines of 76 characters (`-b' switch) - -[0.4.0] 2005-04-26 -* improved encoder behaviour on stream ends (can save one byte sometimes) -* allocate buffer memory dynamically; use overlapping buffers -* new `-m' switch can be used for testing -* verbose mode extended: `-vv' shows memory statistics -* `make check' implemented - runs some basic tests - -[0.3.1] 2005-04-19 -* b91enc has a verbose mode now (`-v' switch) -* Java-b91enc accepts command line syntax with only one FILE argument again - -[0.3.0] 2005-04-17 -* the code was restructured to allow a more universal use of the basE91 backend -* version switch changed to `-V' which is more common - sorry for that -* `make install' is possible now -* changed Java-b91enc to be a bit more similar to the C version -* implementation in PHP added - -[0.2.3] 2005-04-11 -* man page included (thanks to Kei!) -* version (-v) switch added - -[0.2.2] 2005-04-10 -* fixed a bug in decoder that could result in corrupt output on 64-bit systems -* Java class files included - -[0.2.1] 2005-04-09 -* first public release +* Planned for the future + +Please note that the 0.1 series of secnet releases is now 'maintenance +only'; further development continues in secnet-0.2. + +Debconf support - if you are using the Debian packaged version and +your secnet configuration is autogenerated using debconf then the +upgrade to version 0.2.0 should just involve installing the package; +an appropriate 0.2-style configuration file will be generated +automatically. + +* New in version 0.1.18 + +ipaddr.py now declares its character encoding; required by recent +versions of Python + +* New in version 0.1.17 + +autoconf updates for cross-compilation / more modern autoconf from +Ross Younger + +MacOS X support from Richard Kettlewell + +Makefile fix: Update bison pattern rule to indicate that both the +.tab.c and .tab.h files are generated by the same command. + +i386 ip_csum implementation updated to work with modern gcc + +Rename global 'log' to 'slilog' to avoid conflict with gcc built-in +log() function. + +* New in version 0.1.16 + +XXX XXX PROTOCOL COMPATIBILITY IS BROKEN BETWEEN VERSION 0.1.16 AND +XXX XXX ALL PREVIOUS VERSIONS. + +Bugfix: rsa.c private-key now works properly when you choose not to +verify it. + +Bugfix: serpent key setup was only using the first 8 bytes of the key +material. (Oops!) Ian Jackson contributed a fix so the full 32 bytes +are used, in big-endian mode. + +Debatable-bugfix: RSA operations now use PKCS1 v1.5-style padding + +"Hacky parallelism" contributed by Ian Jackson; this permits +public-key operations to be performed in a subprocess during key +exchange, to make secnet more usable on very slow machines. This is +not compiled in by default; if you find you need it (because key +exchanges are taking more than a second or two) then add +-DHACKY_PARALLEL to FLAGS in the Makefile.in and recompile. + +udp module updates from Peter Benie: + 1) Handle the case where authbind-helper terminates with a signal + 2) Cope with signals being delivered during waitpid + 3) Add 'address' (optional) to the udp settings. This is an IP address + that the socket will be bound to. + 4) Change the endianess of the arguments to authbind-helper. + sprintf("%04X") already translates from machine repesentation to most + significant octet first so htons reversed it again. + +All uses of alloca() expunged by Peter Benie. + +make-secnet-sites now supports configurations where each tunnel gets +its own interface on the host, and the IP router code in secnet is +disabled. make-secnet-sites has been rewritten for clarity. For +information on how to configure secnet for one-interface-per-tunnel, +see the example.conf file. + +* New in version 0.1.15 + +Now terminates with an error when an "include" filename is not +specified in the configuration file (thanks to RJK). + +RSA private key operations optimised using CRT. Thanks to SGT. + +Now compiles cleanly with -Wwrite-strings turned on in gcc. + +Anything sent to stderr once secnet has started running in the +background is now redirected to the system/log facility. + +* New in version 0.1.14 + +The --help and --version options now send their output to stdout. + +Bugfix: TUN flavour "BSD" no longer implies a BSD-style ifconfig and +route command invocation. Instead "ioctl"-style is used, which should +work on both BSD and linux-2.2 systems. + +If no "networks" parameter is specified for a netlink device then it +is assumed to be 0.0.0.0/0 rather than the empty set. So, by default +there is a default route from each netlink device to the host machine. +The "networks" parameter can be used to implement a primitive +firewall, restricting the destination addresses of packets received +through tunnels; if a more complex firewall is required then implement +it on the host. + +* New in version 0.1.13 + +site.c code cleaned up; no externally visible changes + +secnet now calls setsid() after becoming a daemon. + +secnet now supports TUN on Solaris 2.5 and above (and possibly other +STREAMS-based systems as well). + +The TUN code now tries to auto-detect the type of "TUN" in use +(BSD-style, Linux-style or STREAMS-style). If your configuration file +specifies "tun-old" then it defaults to BSD-style; however, since +"tun-old" will be removed in a future release, you should change your +configuration file to specify "tun" and if there's a problem also +specify the flavour in use. + +Example: +netlink tun-old { + ... +}; +should be rewritten as +netlink tun { + flavour "bsd"; + ... +}; + +The flavours currently defined are "bsd", "linux" and "streams". + +The TUN code can now be configured to configure interfaces and +add/delete routes using one of several methods: invoking a +"linux"-style ifconfig/route command, a "bsd"-style ifconfig/route +command, "solaris-2.5"-style ifconfig/route command or calling ioctl() +directly. These methods can be selected using the "ifconfig-type" and +"route-type" options. + +Example: +netlink tun { + ifconfig-type "ioctl"; + route-type "ioctl"; + ... +}; + +The ioctl-based method is now the default for Linux systems. + +Magic numbers used within secnet are now collected in the header file +"magic.h". + +netlink now uses ICMP type=0 code=13 for 'administratively prohibited' +instead of code 9. See RFC1812 section 5.2.7.1. + +The UDP comm module now supports a proxy server, "udpforward". This +runs on a machine which is directly accessible by secnet and which can +send packets to appropriate destinations. It's useful when the proxy +machine doesn't support source- and destination-NAT. The proxy server +is specified using the "proxy" key in the UDP module configuration; +parameters are IP address (string) and port number. + +Bugfix: ipset_to_subnet_list() in ipaddr.c now believed to work in all +cases, including 0.0.0.0/0 + +* New in version 0.1.12 + +IMPORTANT: fix calculation of 'now' in secnet.c; necessary for correct +operation. + +(Only interesting for people building and modifying secnet by hand: +the Makefile now works out most dependencies automatically.) + +The netlink code no longer produces an internal routing table sorted +by netmask length. Instead, netlink instances have a 'priority'; the +table of routes is sorted by priority. Devices like laptops that have +tunnels that must sometimes 'mask' parts of other tunnels should be +given higher priorities. If a priority is not specified it is assumed +to be zero. + +Example usage: +site laptop { ... + link netlink { + route "192.168.73.74/31"; + priority 10; + }; +}; + +* New in version 0.1.11 + +Lists of IP addresses in the configuration file can now include +exclusions as well as inclusions. For example, you can specify all +the hosts on a subnet except one as follows: + +networks "192.168.73.0/24","!192.168.73.70"; + +(If you were only allowed inclusions, you'd have to specify that like +this: +networks "192.168.73.71/32","192.168.73.68/31","192.168.73.64/30", + "192.168.73.72/29","192.168.73.80/28","192.168.73.96/27", + "192.168.73.0/26","192.168.73.128/25"; +) + +secnet now ensures that it invokes userv-ipif with a non-overlapping +list of subnets. + +There is a new command-line option, --sites-key or -s, that enables +the configuration file key that's checked to determine the list of +active sites (default "sites") to be changed. This enables a single +configuration file to contain multiple cofigurations conveniently. + +NAKs are now sent when packets arrive that are not understood. The +tunnel code initiates a key setup if it sees a NAK. Future +developments should include configuration options that control this. + +The tunnel code notifies its peer when secnet is terminating, so the +peer can close the session. + +The netlink "exclude-remote-networks" option has now been replaced by +a "remote-networks" option; instead of specifying networks that no +site may access, you specify the set of networks that remote sites are +allowed to access. A sensible example: "192.168.0.0/16", +"172.16.0.0/12", "10.0.0.0/8", "!your-local-network" + +* New in version 0.1.10 + +WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT +THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the +change only affects the sites.conf file, which is generated by the +make-secnet-sites script; after you regenerate your sites.conf using +version 0.1.10, everything should continue to work. + +Netlink devices now interact slightly differently with the 'site' +code. When you invoke a netlink closure like 'tun' or 'userv-ipif', +you get another closure back. You then invoke this closure (usually +in the site definitions) to specify things like routes and options. +The result of this invocation should be used as the 'link' option in +site configurations. + +All this really means is that instead of site configurations looking +like this: + +foo { + name "foo"; + networks "a", "b", "c"; + etc. +}; + +...they look like this: + +foo { + name "foo"; + link netlink { routes "a", "b", "c"; }; + etc. +}; + +This change was made to enable the 'site' code to be completely free +of any knowledge of the contents of the packets it transmits. It +should now be possible in the future to tunnel other protocols like +IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code +at all. + +Point-to-point netlink devices work slightly differently; when you +apply the 'tun', 'userv-ipif', etc. closure and specify the +ptp-address option, you must also specify the 'routes' option. The +result of this invocation should be passed directly to the 'link' +option of the site configuration. You can do things like this: + +sites site { + name "foo"; + link tun { + networks "192.168.73.76/32"; + local-address "192.168.73.76"; # IP address of interface + ptp-address "192.168.73.75"; # IP address of other end of link + routes "192.168.73.74/32"; + mtu 1400; + buffer sysbuffer(); + }; + etc. +}; + +The route dump obtained by sending SIGUSR1 to secnet now includes +packet counts. + +Point-to-point mode has now been tested. + +tun-old has now been tested, and the annoying 'untested' message has +been removed. Thanks to SGT and JDA. + +secnet now closes its stdin, stdout and stderr just after +backgrounding. + +Bugfix: specifying network "0.0.0.0/0" (or "default") now works +correctly. + +* New in version 0.1.9 + +The netlink code may now generate ICMP responses to ICMP messages that +are not errors, eg. ICMP echo-request. This makes Windows NT +traceroute output look a little less strange. + +configure.in and config.h.bot now define uint32_t etc. even on systems +without stdint.h and inttypes.h (needed for Solaris 2.5.1) + +GNU getopt is included for systems that lack it. + +We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris +2.5.1 doesn't have it.) + +Portable snprintf.c from http://www.ijs.si/software/snprintf/ is +included for systems that lack snprintf/vsnprintf. + +make-secnet-sites.py renamed to make-secnet-sites and now installed in +$prefix/sbin/make-secnet-sites; ipaddr.py library installed in +$prefix/share/secnet/ipaddr.py. make-secnet-sites searches +/usr/local/share/secnet and /usr/share/secnet for ipaddr.py + +* New in version 0.1.8 + +Netlink devices now support a 'point-to-point' mode. In this mode the +netlink device does not require an IP address; instead, the IP address +of the other end of the tunnel is specified using the 'ptp-address' +option. Precisely one site must be configured to use the netlink +device. (I haven't had a chance to test this because 0.1.8 turned into +a 'quick' release to enable secnet to cope with the network problems +affecting connections going via LINX on 2001-10-16.) + +The tunnel code in site.c now initiates a key setup if the +reverse-transform function fails (wrong key, bad MAC, too much skew, +etc.) - this should make secnet more reliable on dodgy links, which +are much more common than links with active attackers... (an attacker +can now force a new key setup by replaying an old packet, but apart +from minor denial of service on slow links or machines this won't +achieve them much). This should eventually be made configurable. + +The sequence number skew detection code in transform.c now only +complains about 'reverse skew' - replays of packets that are too +old. 'Forward skew' (gaps in the sequence numbers of received packets) +is now tolerated silently, to cope with large amounts of packet loss.