v5.1 (Oct 8, 2024)
* IKEv2:
- fix race when initiator and responder rekey requests cross [Andrew]
- don't ignore Delete IKE SA request while waiting for Delete IKE SA response [Andrew]
- log arrival of first IKE_AUTH request that triggers DH [Andrew]
- rate limit logging of packets with invalid payloads
* IKEv1:
- fix Quick mode installing 0.0.0.0/0 when there is no MSG_CONFIG exchange [Andrew, Tuomo]
- fix iOS Quick mode request needing to re-recover lease [Andrew, Tuomo]
- fix regression where deleting ISAKMP deleted IPsec [Andrew, Tuomo]
- add config options of ah=sha2{256,512} [Andrew]
- add DH29 and DH31 to the default proposals [Andrew]
- reject ESP proposals that combine an AEAD cipher with a non-NULL integrity algorithm [Andrew]
* Crypto:
- update IKE to use NSS's FIPS-compliant PK11_AEADOp() [Andrew, Robert Relyea]
- support ESP with CHACHA20POLY1305 on FreeBSD and OpenBSD [Andrew]
* IPsec Interface:
- fix check for an existing IPsec Interface address (Linux) [Wolfgang]
- add IPsec Interface address when connection establishes [Wolfgang]
- fix adding IPv6 address to IPsec interface [Wolfgang]
- delete IPsec Interface address when connection unroutes [Wolfgang]
- fix setting metric on IPsec Interface [Wolfgang]
- add IPsec Interface device when connection orients [Andrew]
- support existing IPsec interface on FreeBSD and OpenBSD [Andrew]
- log addition of IPsec Interface or Address [Andrew]
- don't delete existing ipsec1 interface (Linux) [Andrew]
- handle repeated connection adds [Wolfgang]
* Linux:
- handle NLMSG_DONE at end of response for > 6.9.0 kernels [Andrew]
- fix hang because of unhandled NLMSG_DONE at end of response (6.9.0-rc1) [Andrew, Ilya, github/1675]
- fix hang when initiating an on-demand TCP connection [Daiki, github/1156]
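The two NLMSG_DONE entries above describe a reply that now ends with a message an older reader did not expect: if the reader stops after the first data message, the trailing NLMSG_DONE stays in the socket and is read as the answer to the next request. The following is an added example and not libreswan's own netlink code. It assumes a single outstanding request identified by its sequence number, a caller that keeps calling recv() until the scan reports NL_COMPLETE, and a constructed sample reply in main() whose data message type 0x10 is a placeholder rather than a real XFRM type.

```c
/* Added example (not libreswan code): walk a netlink reply so that a trailing
 * NLMSG_DONE is consumed instead of being read as the next request's reply.
 * Assumes one outstanding request with sequence number `seq`; the sample reply
 * built in main() uses a made-up data type 0x10 in place of an XFRM one. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <linux/netlink.h>
#else
/* minimal mirror of <linux/netlink.h> so the example builds elsewhere */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
		  uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
#define NLMSG_ALIGNTO 4U
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_ERROR 0x2
#define NLMSG_DONE 0x3
#define NLM_F_MULTI 0x02
#endif

enum nl_status {
	NL_NEED_MORE,	/* multipart reply and no NLMSG_DONE yet: recv() again */
	NL_COMPLETE,	/* reply finished and fully consumed */
	NL_ERROR,	/* NLMSG_ERROR carrying a non-zero -errno */
	NL_MALFORMED,	/* a length field disagrees with the buffer */
};

/* Append one message to buf; returns the new offset, or 0 if it does not fit.
 * Alignment padding is zeroed so no stale bytes travel with the message. */
size_t nl_put(unsigned char *buf, size_t cap, size_t off, uint16_t type,
	      uint16_t flags, uint32_t seq, const void *payload, size_t plen)
{
	struct nlmsghdr hdr = { .nlmsg_len = (uint32_t)(sizeof(struct nlmsghdr) + plen),
				.nlmsg_type = type, .nlmsg_flags = flags,
				.nlmsg_seq = seq, .nlmsg_pid = 0 };
	size_t total = NLMSG_ALIGN(sizeof(hdr) + plen);

	if (off + total > cap)
		return 0;
	memset(buf + off, 0, total);
	memcpy(buf + off, &hdr, sizeof(hdr));
	if (plen > 0)
		memcpy(buf + off + sizeof(hdr), payload, plen);
	return off + total;
}

/* Scan len bytes of reply for request `seq`, counting data messages in
 * *payloads.  Every message in the buffer is visited, so a trailing
 * NLMSG_DONE is consumed even when the data message before it already
 * marked the reply as complete.  Messages with another sequence number
 * are stale leftovers and are skipped. */
enum nl_status nl_scan_reply(const unsigned char *buf, size_t len,
			     uint32_t seq, int *payloads)
{
	enum nl_status status = NL_NEED_MORE;
	size_t off = 0;

	*payloads = 0;
	while (off + sizeof(struct nlmsghdr) <= len) {
		struct nlmsghdr hdr;

		memcpy(&hdr, buf + off, sizeof(hdr));	/* no unaligned access */
		if (hdr.nlmsg_len < sizeof(hdr) || hdr.nlmsg_len > len - off)
			return NL_MALFORMED;
		if (hdr.nlmsg_seq == seq) {
			switch (hdr.nlmsg_type) {
			case NLMSG_DONE:
				if (status != NL_ERROR)
					status = NL_COMPLETE;
				break;
			case NLMSG_ERROR: {
				int err;	/* struct nlmsgerr starts with int error; 0 is an ACK */
				if (hdr.nlmsg_len < sizeof(hdr) + sizeof(err))
					return NL_MALFORMED;
				memcpy(&err, buf + off + sizeof(hdr), sizeof(err));
				status = (err == 0) ? NL_COMPLETE : NL_ERROR;
				break;
			}
			default:
				(*payloads)++;
				/* a non-multipart data message is the whole reply */
				if (!(hdr.nlmsg_flags & NLM_F_MULTI))
					status = NL_COMPLETE;
				break;
			}
		}
		off += NLMSG_ALIGN(hdr.nlmsg_len);
	}
	return status;
}

int main(void)
{
	unsigned char buf[64];
	uint32_t data = 0x01020304, zero = 0;	/* constructed payloads */
	int n;
	/* constructed reply: one multipart data message followed by NLMSG_DONE */
	size_t off = nl_put(buf, sizeof(buf), 0, 0x10, NLM_F_MULTI, 7, &data, sizeof(data));
	off = nl_put(buf, sizeof(buf), off, NLMSG_DONE, NLM_F_MULTI, 7, &zero, sizeof(zero));
	enum nl_status st = nl_scan_reply(buf, off, 7, &n);
	printf("status=%d payloads=%d consumed=%zu bytes\n", (int)st, n, off);
	return 0;
}
```

The point to take from the scan is that completion is decided by what the kernel sent, not by how many messages the caller expected: a non-multipart data message or an ACK completes the reply on its own, a multipart reply completes only at NLMSG_DONE, and the loop never returns early while bytes that belong to this reply remain in the buffer. A reader that returns as soon as it has "its" message leaves the DONE behind, which is the hang the entries above describe.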
* updown:
- restore 4.x behaviour of running "updown unroute|down" when an initiate fails [Wolfgang, Andrew]
- add test demonstrating redundant tunnels [Wolfgang]
- add plutodebug=updown for debugging updown scripts [Andrew]
* config:
- verbosely ignore x-* style comments in ipsec.conf [Andrew, github/1725]
* whack:
- ignore an older whack, as it could trigger a core dump [Andrew, github/1709]
- add --narrowing {yes,no}, retain undocumented --allow-narrowing [Andrew]
* building:
- replace calloc(size,nr) with alloc_things(), fixing compile error [Daiki]
- remove USE_NSS_AVA_COPY and the copied NSS source; remove the license exception [Tuomo]
- fix syntax error in ckaid.c that GCC accepted [yuncang123]