Tags

  • debian/4.5-2

    libreswan Debian release 4.5-2
    
  • debian/4.5-1

    8aa8eaa8 · prepare debian release ·
    libreswan Debian release 4.5-1
    
  • v4.5

    v4.5 (August 20, 2021)
    
    * IKEv1: multiple subnets could lead to crossed wires, failures [Paul/Andrew]
    * IKEv2: don't tear down IKE SA on TS_UNACCEPTABLE [Paul]
    * IKEv2: unpend/delete Child SA when rejected by IKE_AUTH response [Andrew]
    * IKEv2: mobike: resolve_defaultroute_one() updates [Andrew]
    * IKEv2: mobike: prevent sending duplicate mobike response [Andrew]
    * IKEv2: Support for Childless IKE SA [Andrew]
    * IKEv2: redirect: make peer redirecting in IKE_AUTH childless [Vukasin]
    * IKEv2: Labeled IPsec --up causes Childless IKE SA [Andrew/Paul]
    * IKEv2: Labeled IPsec conns share SPD policies (as IKEv1) [Andrew/Paul/Kavinda]
    * IKEv2: Performance; eliminate more O(#CONNECTIONS) code [Andrew]
    * IKEv2: Immediately delete replaced Child from new (IC) IKE SA [Andrew/Paul]
    * pluto: mismatched subnets= could take down all conns [Paul]
    * pluto: Don't delete existing IKE SA of connection instance [Paul]
    * pluto: fail better on parse errors in subnet= clause [Paul]
    * libswan: use getaddrinfo(3) instead of gethostbyname2(3) [Hugh]
    * libipsecconf: fail to load conn if no right= or left= set [Paul]
    * libipsecconf: change default of initial-contact= to yes [Paul]
    * X509: directly append new CRL requests to the fetch queue [Andrew]
    * whack: implement --impair trigger:<global-event> [Andrew]
    * ipsec.service: remove reload which did not work as expected [Tuomo]
    * portexcludes: update to use python3 [Kim]
    * building: fix NetBSD build [Andrew]
    * building: fix arm / aarch64 build [kekePower@github]
    * building: Remove support for RHEL6 USE_OLD_SELINUX [Paul]
    * packaging: handle properly rpm sysctl config [Tuomo]
    * packaging: rhel7: fix python2 shebang [Tuomo]
    
  • v4.4

    383a28eb · bump version to 4.4 ·
    v4.4 (April 22, 2021)
    * IKEv2: Fixes for TCP encap in Transport Mode and host-to-host [Paul/Sabrina]
    * IKEv2: Fixes to Labeled IPsec policies [Kavinda Wewegama/Paul]
    * IKEv2: Add redirect statistics to whack --globalstatus [Clive Zagno]
    * IKEv2: Connections would not always switch when needed [Andrew/Paul]
    * pluto: Fix for host-to-host connections use non-standard IKE ports [Paul]
    * pluto: Use peer ID (IKEv2 IDr, IKEv1 Aggr) to select best initial conn [Paul]
    * pluto: Disable interface-ip= as the feature is not yet implemented [Paul]
    * pluto: Fix PLUTO_PEER_CLIENT* in updown for NAT + Transport Mode [Paul]
    * pluto: Remove never updated PLUTO_VERSION for updown scripts [Paul]
    * pluto: Actually set PLUTO_CONNECTION_TYPE= to transport or tunnel [Paul]
    * pluto: Allow non-templated wildcard ID connections to match [Paul]
    * pluto: Reduce and merge various logging messages [Andrew]
    * libipsecconf: Do not allow vhost/vnet in IKEv2 connections [Paul]
    * XFRM: Restarting pluto when using ipsec-interface= could fail [Paul]
    * contrib/munin: Update plugin to use python3 and update doc header [Tuomo]
    * testing: Enable OpenBSD interop tests [Paul/Ravi]
    * testing: Make tests more reliable on KVM [Andrew]
    
  • debian/4.3-1

    libreswan Debian release 4.3-1
    
  • v4.3

    8a6ccf7c · bump version to 4.3 ·
    v4.3 (February 21, 2021)
    * pluto: Restore range checking on Labeled IPsec [Paul/Andrew]
    * pluto: Higher state serialno does not imply newest state [Paul]
    * pluto: Cleanup ip_address vs ip_endpoint (protoport dropping) [Andrew]
    * pluto: Revival of code could accidentally fallback to IKEv1 [Andrew]
    * newhostkey: Add support for generating ECDSA keys [Daiki Ueno]
    * libipsecconf: Ignore empty option at end of config (rhbz#1685653) [Andrew]
    * whack: Add --global-redirect and --global-redirect-to options [Pietro Monteiro]
    
  • debian/4.2-1

    libreswan Debian release 4.2-1
    
  • v4.2

    89eab903 · bump version to 4.2 ·
    v4.2 (February 2, 2021)
    * IKEv2: Support for IKEv2 Labeled IPsec [Hugh, Sahana, Paul, Kavinda Wewegama]
    * IKEv2: MOBIKE could cause assertion failure due to eroute ownership [Paul]
    * IKEv2: MOBIKE and NAT port update code interfered with each other [Andrew]
    * IKEv1: Re-enable questionable Microsoft proposals to fix L2TP/IPsec [Paul]
    * IKEv1: Do not load IKEv1 conns when IKEv1 support not compiled in [Paul]
    * IKEv1: Fix XAUTH: re-transmit when sending CFG request [Andrew]
    * pluto: New config setup option ikev1-policy=<accept|drop|reject> [Paul]
    * pluto: Change default ikelifetime from 1h to 8h [Paul]
    * pluto: Add ignore-peer-dns=yes|no and whack --ignore-peer-dns [Paul]
    * pluto: Startup could take long time closing fd's (github#373) [Andrew]
    * pluto: IKEv2 connection could accidentally retry as IKEv1 [Andrew]
    * pluto: change default IKE SA lifetime from 1h to 8h [Paul]
             Resolves: github#362, github#405, hwdsl2/setup-ipsec-vpn#912
    * pluto: Revived conns can try to quickly re-use existing NAT mapping.
             Can be used with new auto=keep [Paul, Andrew]
    * pluto: Don't complain about DNS names starting with number [Paul]
    * pluto: Re-implement Labeled IPsec for IKEv1 [Paul, Sahana]
    * pluto: Support for --shutdown --leave-state [Paul]
    * whack: add very raw --processstatus [Andrew]
    * whack: no longer require --ipv6 when specifying raw IPv6 host addresses
    * libswan: Re-introduce xauthusername/remote_peer_type for NM-libreswan [Paul]
    * initsystem: fix docker/podman startup with sysvinit [Paul]
    * initsystem: ensure non-testing namespaces work with systemd [Paul]
    * initsystem: systemd support for ipsec whack --shutdown --leave-state [Paul]
    * pluto: prefer IPv4 over IPv6 when performing DNS lookups [Andrew]
    * building: Support for compiling without IKEv1 via USE_IKEv1=false [Paul]
    * building: Various clang compiler related fixes [Timm Baeder]
    * building: fix NetBSD arm64 build [Andrew]
    * testing: many updates [Andrew, Paul]
    
  • debian/4.1-4

    libreswan Debian release 4.1-4
    
  • debian/4.1-3

    eebd40de · prepare debian release ·
    libreswan Debian release 4.1-3
    
  • debian/4.1-2

    d4dfab69 · prepare debian release ·
    libreswan Debian release 4.1-2
    
  • debian/4.1-1

    842d8e1f · prepare debian release ·
    libreswan Debian release 4.1-1
    
  • v4.1

    v4.1 (October 18, 2020)
    * IKEv2: Fix Notify protocol ID interop with Cisco introduced in 4.0 [Antony]
    * addconn: Fix resolving with %defaultroute plus peer with A + AAAA [Antony]
    * building: minor cleanups [Andrew/Tuomo]
    
  • v4.0

    v4.0 (October 14, 2020)
    * KLIPS: Support for KLIPS completely removed [Paul]
    * pluto: Removed support for deprecated algos: serpent, twofish, cast [Paul]
    * IKEv2: EXPERIMENTAL: Support for RFC 8229 IKE/ESP over TCP [Andrew]
             New per-conn keywords: listen-tcp=yes|no, tcponly=yes|no, tcp-remoteport=
             Requires: Linux kernel >= 5.8
    * IKEv2: Support for leftikeport= / rightikeport= [Andrew/Paul]
    * IKEv2: EXPERIMENTAL: Support for INTERMEDIATE Exchange [Yulia Kuzovkova/GSoC]
             New keyword: intermediate=yes
    * FIPS: Remove DH 23/24 from FIPS allowed list as per SP 800 56A Rev 3 [Paul]
    * pluto: Support for rereading configured certificates from NSS [Myungjin Lee]
    * pluto: plutodebug= keywords are now: base,cpu-usage,crypt,tmi,private [Andrew]
    * pluto: find_pluto_xfrmi_interface() would only check first interface [Paul]
    * pluto: ddos cookies-threshold and max-halfopen output was swapped [John Mah]
    * pluto: Fix leased IP address leak [Andrew/Paul]
    * pluto: Fix displaying PLUTO_BYTES_ counters [Paul]
    * pluto: Replace/remove deprecated libselinux functions [Eduardo Barretto]
    * pluto: Update selinux calls for Labeled IPsec support [Richard Haines]
    * pluto: Memory leak fixes [Hugh]
    * pluto: Remove unused per peer logging [Andrew]
    * pluto: Cleanup logging code for minimal logging support [Andrew]
    * pluto: Cleanup netlink / XFRM code [Hugh]
    * pluto: xfrmi used mark-out for XFRMA_SET_MARK [Antony/Wolfgang]
    * pluto: Support for ipsec0 interface to help migrate from KLIPS to XFRM [Paul]
    * pluto: Fix logging some IKE messages to proper IKE SA state [Andrew]
    * pluto: Remove global ikeport/nat-ikeport, add listen-udp/listen-tcp [Paul]
    * pluto: Connections now have serial numbers which are logged [Paul/Andrew]
    * pluto: No longer require :RSA sections in ipsec.secrets [Andrew]
    * pluto: pluto chooses wrong raw RSA key (github#352) [Andrew]
    * seccomp: Update syscall allowlist for pluto and addconn [Paul]
    * whack: Support for ipsec whack --rereadcerts [Paul]
    * whack: Rename --ikev1-allow and --ikev2-allow to --ikev1 and --ikev2 [Paul]
    * whack: Clear inherited defaults for IKEv2 from IKEv1 connections [Paul]
    * show: Fixup for python3 version of ipaddress module [Paul]
    * IKEv2: Fix Windows 10 rekey being rejected [Antony/Paul]
    * IKEv2: Remove duplicates from proposals using "+" [Andrew]
    * IKEv2: CERTREQ payload was not sent for authby=ecdsa [Paul]
    * IKEv2: Decode notify payloads into the message digest [Andrew]
    * IKEv2: Don't use NAT-T port when no NAT DETECTION payloads received [Andrew]
    * IKEv2: Add load-balance support (multiple targets) to redirect [Vukasin]
    * IKEv2: Only sent REDIRECTs to established IKE SA's (not IPsec SAs) [Paul]
    * IKEv2: Fix AUTH failure if ID payload reserved fields != 0 [Paul/Andrew/Hugh]
    * IKEv2: A delete(IKE SA) request should not trigger a delete request [Andrew]
    * IKEv2: Ignore, not abort when receiving unknown type transforms [Andrew]
    * IKEv2: Don't switch NAT port on receiving non-NAT notify payloads [Andrew]
    * IKEv1: Prevent crashing in Quick Mode on unused NAT payload [Daniel Wendler]
    * libipsecconf: Fix config handling of policy-label [bauen1]
    * libipsecconf: Promote ah= / esp= as desired keywords over phase2alg= [Paul]
    * libipsecconf: Remove most obsoleted option names with underscore(_) [Paul]
    * rsasigkey/newhostkey: Remove obsoleted --output option [Paul]
    * building: Add NetBSD support [Andrew]
    * building: Remove support for SINGLE_CONF_DIR, EMIT_ISAKMP_SPI, [Paul]
                USE_KEYRR and TEST_INDECENT_PROPOSAL
    * building: Merge userland.mk into config.mk to simplify makefiles [Tuomo]
    * building: Deprecate INC_ variables [Tuomo]
    * building: Remove all support for SERPENT, TWOFISH, CAST and RIPEMD [Paul]
    * building: Remove -DALLOW_MICROSOFT_BAD_PROPOSAL [Tuomo]
    * building: The define USE_NSS_PRF was renamed to USE_NSS_KDF [Tuomo]
    * building: Rename master branch to main branch [Paul]
    * building: Fix finding ipsec command in non-standard bin dirs [Tuomo]
    * building: Introduce USE_OLD_SELINUX to support libselinux < 2.1.9 [Paul]
    * building: NETKEY options changed to XFRM options [Paul]
    * building: NSS database (*.db) are now expected in /var/lib/ipsec/nss [Tuomo]
                ipsec checknss called in initsystem will migrate files
                Use FINALNSSDIR=/etc/ipsec.d to use the pre-4.0 location
    * packaging: Debian: remove runtime dependency on systemd [Stephen Kitt]
    * packaging: Fedora: add missing build dependency for certutil [Stephen Kitt]
    * packaging: Debian switched to using /usr/libexec/ [dkg]
    * testing: Support Fedora32, Ubuntu, improved namespaces support [Paul/Others]
    * testing: Work around kernel ICMP Acquire bug [Paul]
    * testing: Added interop testing with OpenBSD iked [Ravi Teja]
    * documentation: friendlier ipsec cmd output [Paul]
    
  • debian/3.32-3

    3d6eb974 · prepare debian release ·
    libreswan Debian release 3.32-3
    
  • debian/3.32-2

    387159e8 · prepare debian release ·
    libreswan Debian release 3.32-2
    
  • debian/3.32-1

    bc4348c9 · prepare debian release ·
    libreswan Debian release 3.32-1
    
  • v3.32

    v3.32 (May 11, 2020)
    * SECURITY: Fixes CVE-2020-1763 https://libreswan.org/security/CVE-2020-1763
    * IKEv2: Support non-narrowed child rekey for narrowing (regression in 3.31)
    * FIPS: ECDSA keys were mistakenly rejected as "too weak" [Paul]
    * FIPS: Minimum RSA key size is 2048, not 3072 [Paul]
    * FIPS: Use NSS to check FIPS mode instead of manually checking fips=1 [Paul]
    * IKEv2: Do not use fragments if not appropriate (regression from v3.30) [Paul]
    * IKEv1: Add NSS KDF support for the Quick Mode KDF [Andrew/Paul]
    * libipsecconf: support old-style ",," to mean "\," in specifying id [Paul]
    * libipsecconf: left/rightinterface-ip= are not kt_obsolete [Paul]
    * whack: Add missing ecdsa/sha2 and compat rsa policy options to whack [Paul]
    * Fix left=%iface syntax due to string length miscalculation [Antony]
    * X509: don't try to match up ID on SAN when ID type is ID_DER_ASN1_DN [Paul]
    * packaging: debian fixes [Antony]
    * building: USE_NSS_KDF=true now uses NSS for all KDF functions
                Using this option, libreswan no longer needs FIPS certification
    
  • v3.31

    f54f5858 · * bump to 3.31 ·
    v3.31 (March 3, 2020)
    * IKEv2: Opportunistic conns specifying keyingtries=0 are changed to 1 [Paul]
    * IKEv2: Fix ikev2 rekey failures due to bad Traffic Selector proposal [Antony]
    * IKEv2: Verify (not ignore) expected TSi/TSr payloads for IPsec rekeys [Paul]
    * IKEv1: Support for XFRMi interfaces [Paul]
    * pluto: Disable log_to_audit if kernel does not support audit [Paul]
    * addconn: Do not assert on ipsec-interface=no [Paul]
    * nat_traversal: Fix not to send nat-t keepalives when there is no nat [Tuomo]
    * KLIPS: Fix _updown.klips (regression introduced in 3.30) [Wolfgang]
    * pluto: Increase max IKEv2 fragments to 32 to support Windows [John Mah]
    
  • v3.30

    d95ef3f2 · * bump to version 3.30 ·
    v3.30 (February 2020)
    * WARNING: This is the last release that supports the KLIPS stack,
               use the new ipsec-interface= virtual interfaces instead.
    * XFRM: Fix detection on kernels without xfrm_stat (Debian et al.) [Paul]
    * XFRM: XFRMi interface support using ipsec-interface= and iface-ip= [Antony]
    * IKEv2: Message ID handling: remove a O(#STATES) lookup [Andrew]
    * IKEv2: OE previous half-open state overwrites IPsec policy [Paul/Stepan]
    * IKEv2: On initiator, do not retransmit on IKE_AUTH processing failure [Paul]
    * IKEv2: Prevent leak in ikev2_send_certreq() on sending error [Paul]
    * IKEv2: Remove SHA1 from default proposal list [Paul]
    * IKEv2: On PPK failure with insist, return AUTHENTICATION_FAILED [Vukasin]
    * IKEv2: Do not try to delete (replaced) bare shunts [Paul]
    * IKEv2: Delete pending outgoing bare shunts if incoming IPsec happened [Paul]
    * IKEv2: Allow CP payload in CREATE_CHILD_SA (RFC 7296 Appendix C.4) [Paul]
    * IKEv2: calculate_sa_prio() now allows OE shunt to override priority [Paul]
    * IKEv2: calculate_sa_prio() support for /32 template vs instance [Hugh/Paul]
    * IKEv2: IPv6 support for addresspool= option [Antony]
    * IKEv2: Updated support for MOBIKE triggered events [Antony]
    * IKEv2: Support reconnecting authnull clients [Paul]
    * IKEv2: New whack commands --rekey-ike and --rekey-ipsec [Antony]
    * IKEv2: Prefer RFC 7427 Digital Signatures for default authby=rsasig [Sahana]
    * IKEv2: Refuse SHA1 for RFC 7427 Digital Signatures as per RFC 8247 [Sahana]
    * IKEv2: Use IKEv2 fragment size values (not IKEv1) [Andrew]
    * IKEv1: Re-implement CVE-2019-10155 fix to prevent future occurrences [Andrew]
    * IKEv1: do not assert on bad virtual private entry [Paul]
    * pluto: Simplify plutodebug= options to: base, cpu-usage, crypt, private and tmi
             (maps old values to new ones for compatibility) [Andrew]
    * pluto: non-default ipsec.conf did not load auto=add connections [Paul]
    * pluto: fix %defaultroute for link-local and non-link-local gateway [Antony]
    * pluto: Improve whackfd handling (prevent console hangs/omissions) [Andrew]
    * pluto: Support to disable SAN checks (require-id-on-certificate=no) [Paul]
    * pluto: Audit log IKE SA and IPsec SA failures for Common Criteria (CC) [Paul]
    * pluto: Disable support for DH2/modp1024 at compile time [Paul]
    * pluto: Add audit-log=yes|no (default yes) [Paul]
    * pluto: DDNS event should not cause connection initialization [Paul]
    * pluto: Various O(STATE) optimizations [Andrew]
    * pluto: Fixup reporting of esp-hw-offload capabilities in kernel/nic [Paul]
    * pluto: Add chacha20_poly1305 and curve25519 to default proposals [Paul]
    * pluto: Updated SECCOMP syscall whitelist [Paul]
    * pluto: With non-default config file, connections loading was skipped [Paul]
    * pluto: Fix Opportunistic Encryption with Transport Mode policies [Paul]
    * pluto: Fix various memory leaks in IKE and X.509 code [Andrew]
    * pluto: netlink: increase the additional bufferspace to 32KiB [Antony]
    * pluto: pluto --selftest no longer logs to stderr with timestamps [Paul]
    * pluto: fix for redirect-to type when it is FQDN [John Mah]
    * pluto: addresspool: give new lease to different (xauth)usernames [Paul]
    * pluto: addresspool: reduce complexity from O(#LEASES) to O(1) [Andrew]
    * whack: Remove obsoleted --whackrecord and --whackstoprecord options [Andrew]
    * whack: Added whack --ddns to trigger DNS refresh event manually [Paul]
    * X509: Offload most code to helpers for significant performance boost [Andrew]
    * X509: Simplify code, cut redundant calculations, speed improvements [Andrew]
    * X509: SAN checks should confirm IKE peer ID on responder too [Paul]
    * letsencrypt: new command "ipsec letsencrypt" [Rishabh]
    * _updown.netkey: PLUTO_VIRT_INTERFACE replaces PLUTO_INTERFACE [Antony]
    * _updown.netkey: add IPv6 routing support [Tuomo]
    * _updown.netkey: don't remove old resolv.conf, just update it [Tuomo]
    * _updown.netkey: fix for iproute2 >= 5.1 which no longer ignores /mask [Paul]
    * libswan: Don't leak ECDSA pubkey on form_ckaid_ecdsa() failure [Paul]
    * libswan: Close netlink socket on send error in netlink_query() [Paul]
    * libipsecconf: don't throw error for not finding a wildcarded include [Paul]
    * verify: improve support for python2 and python3 [Anand Bibhuti/Paul]
    * KLIPS: Support for kernels >= 4.20 with SYNC_SKCIPHER_REQUEST_ON_STACK [Paul]
    * KLIPS: Userland tools compile fixes [Hugh/Paul]
    * building: No longer build with DH2(modp1024) support (see RFC 8247) [Paul]
    * building: Add config for PYTHON_BINARY, default being /usr/bin/python3 [Tuomo]
    * building: Add new USE_NSS_PRF, to use KDF from NSS [Robert Relyea/Andrew]
    * building: Add USE_PRF_AES_XCBC, replaces USE_XCBC [Paul]
    * building: Fixes for NetBSD build [Andrew]
    * building: Fixes for gcc10 [Paul]
    * packaging: fedora30 requires gcc to be listed as BuildRequires: [Paul]
    * packaging: Add Debian stretch specific configs and more cleanup [Antony]
    * packaging: make deb jessie and xenial config detection [Antony]
    * packaging: update python she-bang handling [Tuomo]
    * testing: Added a new namespaces based testrun method [Antony]
    * testing: setup: namespace based ipsec stop needs ip xfrm flush state [Paul]
    * testing: setup: namespace based ipsec skips initsystem [Paul]