Tags

Tags give the ability to mark specific points in history as being important
  • debian/5.2-2.1
    libreswan Debian release 5.2-2.1
    
  • debian/5.2-2
    libreswan Debian release 5.2-2
    
  • debian/5.2-1
    d7318f3c · d/copyright: clean up ·
    libreswan Debian release 5.2-1
    
  • debian/4.15-1
    0d4b380c · prepare debian release ·
    libreswan Debian release 4.15-1
    
  • debian/4.14-1.1
    libreswan Debian release 4.14-1.1
    
  • v5.2
    7a9c3338 · Bump release to 5.2 ·
    v5.2 (Feb 26, 2025)
    
    * IKEv2:
      - add PPK in INTERMEDIATE exchange, draft-ietf-ipsecme-ikev2-qr-alt-04 [Vukasin]
      - add initial support for RFC 5723 IKE_SESSION_RESUME [Nupur Agrawal, Andrew]
      - fix crash in <<ipsec rereadsecrets>> [Andrew, Ilya Maximets #1894]
      - fix bogus ERROR when deleting connection [Andrew, Ilya Maximets #1914]
    * IPsec Interface:
      - add support on FreeBSD, NetBSD and OpenBSD [Andrew]
      - add ipsec-interface-managed=no for namespaces [Andrew]
    * IKEv1:
      - removed compile-time SOFTREMOTE_CLIENT_WORKAROUND [Andrew]
      - fix INVALID_ID_INFORMATION response using corrupt IV [Andrew #1830]
      - fix reconnect with addresspool after restart [Andrew #1790]
      - fix padding of modecfg payloads [Andrew wmasilva #2023]
      - update ikepad= to allow {yes,no,auto} [Andrew]
    * Linux:
      - packet offload counters supported in 6.7+ [Paul]
      - Add IPTFS support (RFC 9347) [Paul / Antony / Andrew]
      - 6.10+ need replay-window 0 on OUTBOUND SA [Paul]
      - Do not set nopmtudisc on inbound SA [Paul]
      - Set DSCP options only on the relevant direction SA [Paul]
    * updown:
      - Use half-routes for IPv6 to cover whole address space #1994 [Tuomo]
      - Use sourceip= for all remote subnets when set [Tuomo]
    * whack/addconn:
      - fix "duplicated flag ctlsocket" regression in 5.0 #1840 [Andrew, Ilya Maximets #1840]
      - orders of magnitude speedup of 'ipsec add' w/ protoports= [Ilya Maximets #1987]
    * building:
      - fix build with USE_LIBCURL=false [Hans de Graaff #1845, Andrew]
      - fix build on OpenBSD 7.6 [Andrew]
      - fix build with GCC 15 / C 23 [Daiki Ueno]
      - fix init script on Alpine [Andrew #2042]
    * testing:
      - update OpenBSD: 7.6; NetBSD: 10.1; FreeBSD: 14.2; Alpine: 3.21 [Andrew]
      - eliminate pyOpenSSL dependency when generating CRLs and PKCS12 files [Andrew #1990 #1996]
    
  • v5.1
    v5.1 (Oct 8, 2024)
    * IKEv2:
      - fix race when initiator-responder cross rekey requests [Andrew]
      - don't ignore Delete IKE SA request while waiting for Delete IKE SA response [Andrew]
      - log arrival of first IKE_AUTH request that triggers DH [Andrew]
      - rate limit logging of packets with invalid payloads
    * IKEv1:
      - fix Quick mode installing 0.0.0.0/0 when no MSG_CONFIG exchange [Andrew, Tuomo]
      - fix iOS Quick mode request needing to re-recover lease [Andrew, Tuomo]
      - fix regression where deleting ISAKMP deleted IPsec [Andrew, Tuomo]
      - add config options of ah=sha2{256,512} [Andrew]
      - add DH29,DH31 to default proposals [Andrew]
      - reject ESP AEAD combined with non-NULL integrity [Andrew]
    * Crypto:
      - update IKE to use NSS's FIPS compliant PK11_AEADOp() [Andrew, Robert Relyea]
      - support ESP with CHACHA20POLY1305 on FreeBSD and OpenBSD [Andrew]
    * IPsec Interface:
      - fix check for an existing IPsec Interface address (Linux) [Wolfgang]
      - add IPsec Interface address when connection establishes [Wolfgang]
      - fix adding IPv6 address to IPsec interface [Wolfgang]
      - delete IPsec Interface address when connection unroutes [Wolfgang]
      - fix setting metric on IPsec Interface [Wolfgang]
      - add IPsec Interface device when connection orients [Andrew]
      - support existing IPsec interface on FreeBSD and OpenBSD [Andrew]
      - log addition of IPsec Interface or Address [Andrew]
      - don't delete existing ipsec1 interface (Linux) [Andrew]
      - handle repeated connection adds [Wolfgang]
    * Linux:
      - handle NLMSG_DONE at end of response for > 6.9.0 kernels [Andrew]
      - fix hang because of unhandled NLMSG_DONE at end of response (6.9.0-rc1) [Andrew, Ilya, github/1675]
      - fix hang when initiating an on-demand TCP connection [Daiki, github/1156]
    * updown:
      - restore 4.x behaviour of running "updown unroute|down" when initiate fails [Wolfgang, Andrew]
      - add test demonstrating redundant tunnels [Wolfgang]
      - add plutodebug=updown for debugging updown scripts [Andrew]
    * config:
      - verbosely ignore x-* style comments in ipsec.conf [Andrew, github/1725]
    * whack:
      - ignore older whack as could trigger core dump [Andrew, github/1709]
      - add --narrowing {yes,no}, retain undocumented --allow-narrowing [Andrew]
    * building:
      - replace calloc(size,nr) with alloc_things(), fixing compile error [Daiki]
      - remove USE_NSS_AVA_COPY and copy of nss source, remove license exception [Tuomo]
      - fix syntax error in ckaid.c allowed by GCC [yuncang123]
    
  • v4.15
    960fdc2d · Bump to 4.15 ·
    v4.15 (April 15, 2024)
    * Security: Fixes http://libreswan.org/security/CVE-2024-3652
    * Linux: remove dependency on libxz via libsystemd [Tuomo Andrew]
    * IKEv1: set default proposals to ESP aes-sha1 and AH sha1 [Andrew]
    * IKEv1: reject ESP proposal combining AEAD and non-empty INTEG [Andrew]
    * IKEv1: reject exchange when connection has no proposals [Andrew]
    * IKEv1: limit default cryptosuite [Andrew, Paul, Tuomo]
      IKE={AES_CBC,3DES_CBC}-{HMAC_SHA2_256,HMAC_SHA2_512,HMAC_SHA1}-{MODP2048,MODP1536,DH19,DH31}
      ESP={AES_CBC,3DES_CBC}-{HMAC_SHA1_96,HMAC_SHA2_512_256,HMAC_SHA2_256_128}-{AES_GCM_16_128,AES_GCM_16_256}
      AH=HMAC_SHA1_96+HMAC_SHA2_512_256+HMAC_SHA2_256_128
    
  • debian/5.0_rc2-2
    829274d1 · prepare debian release ·
    libreswan Debian release 5.0~rc2-2
    
  • debian/4.10-2+deb12u3
    libreswan Debian release 4.10-2+deb12u3
    
  • debian/4.14-1
    7d176afe · update patches ·
    libreswan Debian release 4.14-1
    
  • debian/5.0_rc2-1
    libreswan Debian release 5.0~rc2-1
    
  • v4.14
    50d01108 · Bump to 4.14 ·
    * Fix compile error in 4.13 in gntoid() [Andrew]
    * testing: fixup ikev2-tfc-03 for padded packets [Andrew/Paul]
    
  • debian/4.12-3
    2e86e654 · prepare debian release ·
    libreswan Debian release 4.12-3
    
  • v5.0rc2
    e80ee435 · Bump to 5.0rc2 ·
    v5.0rc2
    
  • debian/4.12-2
    f06711cb · prepare debian release ·
    libreswan Debian release 4.12-2
    
  • v4.13
    * Security: Fixes http://libreswan.org/security/CVE-2024-2357
    * Linux: make libcap-ng failures non-fatal [Andrew]
    * BSD: fix esp=aes_gcm [Andrew]
    * NetBSD: fix compiler warning in lib/libswan/x509.c [Andrew]
    * x509: unpack IPv6 general names based on length [Andrew]
    * pluto: TFC padding was not set for AEAD algorithms [SaiKumarCholleti@github]
    
  • v4.13rc1
    efa152e3 · Bump to 4.13rc1 ·
    4.13rc1
    
  • v5.0rc1
    87956ac7 · Bump version to 5.0rc1 ·
    v5.0rc1 (Unreleased)
    
    * BSD: fix esp=aes_gcm [github/1220, Igor V. Gubenko, Andrew]
    * ipsec: deprecate ipsec auto sub-command [Tuomo]
      - ipsec auto --{cmd} connection -> ipsec {cmd} connection
    * IKEv1: globally disabled by default (ikev1-policy=drop) See RFC9395
    * IKEv1: drop support for Labeled IPsec [Andrew]
    * IKEv2: warn that fragmentation=force is ignored [Andrew]
    * whack: add --fragmentation option; change default to yes [Andrew]
    * config: fix keyexchange={ikev1,ikev2}; deprecate ikev2= [Andrew]
    * pluto: retry and revival code merged (dpdaction=, keyingtries= ignored) [Andrew]
    * pluto: avoid post-authentication crash on corrupt TS payload [Andrew]
    * pluto: Support addresspool=v4/mask,v6/mask [Andrew]
    * pluto: Support multiple TSes per Child SA [Andrew]
    * pluto: HW packet offload support [Raed Salem <raeds@nvidia.com>]
    * pluto: XFRM interface IP management with ref-counting [Brady Johnson]
    * pluto: Check return values of libcap-ng functions [Paul]
    * pluto: Fix IPcomp with XFRM interfaces [Wolfgang]
    * building: remove old copy of unbound headers [Andrew]
    * building: Use DESTDIR instead of FINAL* env vars [Andrew]
    * building: Fix "make git-rpm" [Paul/Tuomo]
    * install: overhaul [Andrew]
      - use INSTALL_INITSYSTEM=false to prevent update of /etc/<initsystem>
      - use INSTALL_CONFIGS=false to prevent update of /etc/ipsec.d et al.
      - drop FINAL* make variables; see mk/config.mk for alternatives
    * show/verify: drop these ipsec subcommands (old, incomplete) [Paul]
    * packaging: Fix debian systemd service install [Antonio Silva]
    * testing: Fix namespace tests for super long dir names [Paul]
    * initsystem: Use documented ipsec sub-commands [Tuomo]
    * initsystem: Stop using _stackmanager [Tuomo]
    * documentation: update to docbook xml 4.5 [Tuomo]
    * output: drop NNN_ prefix from all output [Andrew]
    * ipsec look: script moved to contrib/; use ip xfrm et al. [Andrew]
    * ipsec portexcludes: script moved to contrib/ [Andrew]
    * ipsec barf: script moved to contrib/ [Andrew]
    * ipsec _secretsensor: script moved to contrib/ [Andrew]
    
  • debian/4.12-1
    1049433b · move to libcurl4-gnutls ·
    libreswan Debian release 4.12-1