v4.8 (October 2, 2022) · be225bf0
* release: remove SHA1 bindings from LIBRESWAN OpenPGP key [dkg/Paul]
* pluto: ignore obsoleted unused interfaces= / --iface [Paul/Andrew]
* pluto: various internal crypto struct changes [Andrew]
* pluto: fix traffic counters for AH and IPCOMP [Andrew]
* pluto: improve logging of duplicate serial cert error [Andrew]
* pluto: support for maxbytes/maxpacket counters [Antony/Paul]
* pluto: handle HW tokens using strange CKAIDs; github/815 [Andrew]
* pluto: added --ipsec-max-bytes / --ipsec-max-packets support [Antony]
* libipsecconf: added ipsec-max-bytes= and ipsec-max-packets= options [Paul]
* IKEv2: emit one CERTREQ payload with all the hashes [Andrew]
* addconn/whack: add support for {left,right}pubkey= [Andrew]
* showhostkey: add support for ECDSA pubkeys [Andrew]
* Crypto: add KDF self tests [Daiki Ueno]
* IPv6: open IPv6 IKE port 4500; github/800 [Andrew]
* showhostkey: add --pem option to print PEM encoded public key [Andrew]
* unbound: _unbound-hook converted from python to shell [Andrew]
* BSD: delete old BSDKAME code replaced by PFKEYV2 code [Andrew]
* BSD: fix replay window byte vs bit math [Andrew]
* BSD: fix code finding interfaces; github/728 [Andrew]
* FreeBSD: support large replay window; github/756 [Andrew]
* FreeBSD: support ESN; github/721 [Andrew]
* linux: update copy of xfrm.h header [Paul]
* packaging: update fedora spec file [Paul/Tuomo]
* building: on BSD, always use GCC; freebsd/264288 llvm/55963 [Andrew]
* building: enable LTO when USE_LTO=true; github/836 github/834 [Andrew]
* building: dropped default build and packaging support for:
  Fedora 22, 28, 29, 30
  Debian stretch
  Ubuntu cosmic, xenial
  RHEL6 was removed in v4.5
  Add SUSE, Arch, Mint
v4.7 (May 24, 2022) · 19eabcd8
* IKEv2: EAPTLS support [Timo Teräs / Andrew]
* IKEv2: EAPONLY support [Andrew]
* IKEv2: fix interop when IPCOMP+transport-mode [Andrew]
* IKEv2: fix race between new IKE SA and liveness [Andrew]
* IKEv2: fix interop with Android 12 + certificates [Andrew]
* IKEv1: reject IKEv2 only authby=secret+rsasig [Andrew]
* config: end keywords with no left/right prefix are applied to both ends
* kernel: fix double delete of kernel policy when tearing down SA [Andrew]
* kernel: fix deleting policy when an XFRMi FD ID; github/618 [Andrew]
* kernel: general cleanups [Andrew]
* _stackmanager / pluto: support Ubuntu 18.04 LTS kernels [Paul]
* FreeBSD: libreswan builds out-of-the-box [Andrew]
* BSD: Add IPv6 support (tested on NetBSD)
* building: fix build on fedora rawhide [Paul]
* internals: initiate IKEv2 CREATE_CHILD_SA exchange using IKE SA [Andrew]
* internals: _updown.bsdkame renamed to _updown.bsd
v4.6 (January 11, 2022) · 5cb4ea71
* SECURITY: Fixes CVE-2022-23094 https://libreswan.org/security/CVE-2022-23094
* IKEv2: aggressively check incoming fragments [Andrew]
* IKEv2: when rekeying and PFS, only propose/allow original crypt-suite [Andrew]
* IKEv2: when PFS, don't repeatedly log all proposals [Andrew]
* IKEv2: Labeled IPsec improvements [Andrew]
* IKEv1: support for ISAKMP_N_CISCO_LOAD_BALANCE removed [Andrew]
* pluto: Revamp the host connection lookup mechanism [Andrew]
* pluto: Change default replay-window from 32 to 128 [Paul]
* pluto: Change default esn= to "either" and prefer "yes" [Paul]
* pluto: Disable esn when replay-window=0 [Paul]
* pluto: Drop obsolete debug options such as crypto-low [Andrew]
* seccomp: Updated syscall allow-list [Paul]
* packaging: replace old SUSE packaging with pointer to downstream [Andrew]
* NetBSD: Don't use ESN - not supported by kernel [Andrew]
* letsencrypt: Fix bashisms in letsencrypt script [dkg]
* libipsecconf: allow leftauth=ecdsa|rsa (match authby= values) [Paul]
* testing: significantly improved testing [Andrew, Paul]
v4.5 (August 20, 2021) · f36ab1b1
* IKEv1: multiple subnets could lead to crossed wires, failures [Paul/Andrew]
* IKEv2: don't tear down IKE SA on TS_UNACCEPTABLE [Paul]
* IKEv2: unpend/delete Child SA when rejected by IKE_AUTH response [Andrew]
* IKEv2: mobike: resolve_defaultroute_one() updates [Andrew]
* IKEv2: mobike: prevent sending duplicate mobike response [Andrew]
* IKEv2: Support for Childless IKE SA [Andrew]
* IKEv2: redirect: make peer redirecting in IKE_AUTH childless [Vukasin]
* IKEv2: Labeled IPsec --up causes Childless IKE SA [Andrew/Paul]
* IKEv2: Labeled IPsec conns share SPD policies (as IKEv1) [Andrew/Paul/Kavinda]
* IKEv2: Performance; eliminate more O(#CONNECTIONS) code [Andrew]
* IKEv2: Immediately delete replaced Child from new (IC) IKE SA [Andrew/Paul]
* pluto: mismatched subnets= could take down all conns [Paul]
* pluto: Don't delete existing IKE SA of connection instance [Paul]
* pluto: fail better on parse errors in subnet= clause [Paul]
* libswan: use getaddrinfo(3) instead of gethostbyname2(3) [Hugh]
* libipsecconf: fail to load conn if no right= or left= set [Paul]
* libipsecconf: change default of initial-contact= to yes [Paul]
* X509: directly append new CRL requests to the fetch queue [Andrew]
* whack: implement --impair trigger:<global-event> [Andrew]
* ipsec.service: remove reload which did not work as expected [Tuomo]
* portexcludes: update to use python3 [Kim]
* building: fix NetBSD build [Andrew]
* building: fix arm / aarch64 build [kekePower@github]
* building: Remove support for RHEL6 USE_OLD_SELINUX [Paul]
* packaging: handle properly rpm sysctl config [Tuomo]
* packaging: rhel7: fix python2 shebang [Tuomo]
v4.4 (April 22, 2021) · 383a28eb
* IKEv2: Fixes for TCP encap in Transport Mode and host-to-host [Paul/Sabrina]
* IKEv2: Fixes to Labeled IPsec policies [Kavinda Wewegama/Paul]
* IKEv2: Add redirect statistics to whack --globalstatus [Clive Zagno]
* IKEv2: Connections would not always switch when needed [Andrew/Paul]
* pluto: Fix for host-to-host connections use non-standard IKE ports [Paul]
* pluto: Use peer ID (IKEv2 IDr, IKEv1 Aggr) to select best initial conn [Paul]
* pluto: Disable interface-ip= as the feature is not yet implemented [Paul]
* pluto: Fix PLUTO_PEER_CLIENT* in updown for NAT + Transport Mode [Paul]
* pluto: Remove never updated PLUTO_VERSION for updown scripts [Paul]
* pluto: Actually set PLUTO_CONNECTION_TYPE= to transport or tunnel [Paul]
* pluto: Allow non-templated wildcard ID connections to match [Paul]
* pluto: Reduce and merge various logging messages [Andrew]
* libipsecconf: Do not allow vhost/vnet in IKEv2 connections [Paul]
* XFRM: Restarting pluto when using ipsec-interface= could fail [Paul]
* contrib/munin: Update plugin to use python3 and update doc header [Tuomo]
* testing: Enable OpenBSD interop tests [Paul/Ravi]
* testing: Make tests more reliable on KVM [Andrew]
v4.3 (February 21, 2021) · 8a6ccf7c
* pluto: Restore range checking on Labeled IPsec [Paul/Andrew]
* pluto: Higher state serialno does not imply newest state [Paul]
* pluto: Cleanup ip_address vs ip_endpoint (protoport dropping) [Andrew]
* pluto: Revival of code could accidentally fallback to IKEv1 [Andrew]
* newhostkey: Add support for generating ECDSA keys [Daiki Ueno]
* libipsecconf: Ignore empty option at end of config (rhbz#1685653) [Andrew]
* whack: Add --global-redirect and --global-redirect-to options [Pietro Monteiro]
v4.2 (February 2, 2021) · 89eab903
* IKEv2: Support for IKEv2 Labeled IPsec [Hugh, Sahana, Paul, Kavinda Wewegama]
* IKEv2: MOBIKE could cause assertion failure due to eroute ownership [Paul]
* IKEv2: MOBIKE and NAT port update code interfered with each other [Andrew]
* IKEv1: Re-enable questionable Microsoft proposals to fix L2TP/IPsec [Paul]
* IKEv1: Do not load IKEv1 conns when IKEv1 support not compiled in [Paul]
* IKEv1: Fix XAUTH: re-transmit when sending CFG request [Andrew]
* pluto: New config setup option ikev1-policy=<accept|drop|reject> [Paul]
* pluto: Change default ikelifetime from 1h to 8h [Paul]
* pluto: Add ignore-peer-dns=yes|no and whack --ignore-peer-dns [Paul]
* pluto: Startup could take long time closing fd's (github#373) [Andrew]
* pluto: IKEv2 connection could accidentally retry as IKEv1 [Andrew]
* pluto: change default IKE SA lifetime from 1h to 8h [Paul]
  Resolves: github#362, github#405, hwdsl2/setup-ipsec-vpn#912
* pluto: Revived conns can try to quickly re-use existing NAT mapping.
  Can be used with new auto=keep [Paul, Andrew]
* pluto: Don't complain about DNS names starting with number [Paul]
* pluto: Re-implement Labeled IPsec for IKEv1 [Paul, Sahana]
* pluto: Support for --shutdown --leave-state [Paul]
* whack: add very raw --processstatus [Andrew]
* whack: no longer require --ipv6 when specifying raw IPv6 host addresses
* libswan: Re-introduce xauthusername/remote_peer_type for NM-libreswan [Paul]
* initsystem: fix docker/podman startup with sysvinit [Paul]
* initsystem: ensure non-testing namespaces work with systemd [Paul]
* initsystem: systemd support for ipsec whack --shutdown --leave-state [Paul]
* pluto: prefer IPv4 over IPv6 when performing DNS lookups [Andrew]
* building: Support for compiling without IKEv1 via USE_IKEv1=false [Paul]
* building: Various clang compiler related fixes [Timm Baeder]
* building: fix NetBSD arm64 build [Andrew]
* testing: many updates [Andrew, Paul]
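Several of the entries above are operator-facing hardening knobs rather than internal fixes: v4.2 adds the ikev1-policy= setup option, v4.6 raises the default replay-window to 128 and prefers esn=yes, and v4.8 adds ipsec-max-bytes= / ipsec-max-packets= so a Child SA is rekeyed on traffic volume and not only on time. The ipsec.conf fragment below is an added example, not taken from the libreswan tree or its manual pages; it shows a connection that leaves those settings loose beside one that pins them. The connection names, addresses, PSK-based authby= and the limit values are assumptions chosen for illustration.

```conf
# Added example (not from the libreswan CHANGES file). Connection names,
# addresses and limit values are assumptions for illustration only.

config setup
    # v4.2: an IKEv2-only gateway has no reason to parse IKEv1 at all.
    # "drop" discards IKEv1 packets silently instead of the default "accept".
    ikev1-policy=drop

# Settings a v4.x upgrade should not leave behind: a tiny replay window, ESN
# disabled, and no byte/packet ceiling on how long one Child SA key is used.
conn loose-example
    left=192.0.2.1
    right=198.51.100.1
    authby=secret
    replay-window=4
    esn=no
    auto=add

conn pinned-example
    left=192.0.2.1
    right=198.51.100.1
    authby=secret
    # IKEv2 only; combined with ikev1-policy=drop above an IKEv1 peer is
    # never negotiated with.
    ikev2=insist
    # v4.6 defaults, stated explicitly so a later default change cannot
    # silently weaken this conn (note: esn is disabled when replay-window=0).
    replay-window=128
    esn=yes
    # v4.8: rekey the Child SA once either limit is reached, independent of
    # the time-based lifetime. Values are assumptions; tune to link rate.
    ipsec-max-bytes=1073741824
    ipsec-max-packets=1000000
    auto=add
```

Reload with `ipsec auto --add pinned-example` (or restart pluto) and confirm the limits took effect with `ipsec status`; the "Disable esn when replay-window=0" entry in v4.6 is the reason the replay window is set explicitly rather than relying on esn=yes alone.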