Tags

libreswan Debian release 3.27-4

libreswan Debian release 3.27-3

libreswan Debian release 3.27-2

libreswan Debian release 3.27-1

v3.27 (October 7, 2018)
* XFRM: SA marks must be included for delete operation [Tijs Van Buggenhout]
* pluto: Resolve a crasher in ECDSA freeing code [Hugh/Sahana]
* pluto: Resolve a hang when recursively loading same config file [Hugh]
* pluto: Refuse to load conns with different subnet address families [Paul]
* IKEv2: Fix regression on ID_NULL causing a new conn instance [Paul]
* IKEv1: Drop duplicates when not a reply [Andrew]
* IKEv1: Don't respond with errors to invalid encrypted packets [Andrew]
* IKEv1: Don't print empty informational warning on delete payload [Paul]
* IKEv1: Don't add spurious ESP-NULL proposal to AH proposals [Andrew]
* whack: Release whack socket on IKE_AUTH errors [Andrew]
* libswan: fix buffer size to getnameinfo() call in resolve_ppp_peer() [Hugh]
* libipsecconf: Don't accidentally clear modecfgdomains= entries [Andrew]
* building: Fixup NSS includes and links (fixes Debian builds) [Andrew/Paul]
* documentation: Update (L)GPL license links and http -> https links [dkg]
* Bugtracker bugs fixed:
   #177 left=%defaultroute not working when "src" in the default route [Kim]
   #80 VTI interface vanishes when peer goes down and up [yu-shiba]

libreswan Debian release 3.26-1

libreswan Debian release 3.25-2

v3.26 (September 16, 2018)
* IKEv2: Support for RSA-PSS (RFC 7427) via authby=rsa-sha2 [Sahana Prasad]
* IKEv2: Support for ECDSA (RFC 7427) via authby=ecdsa-sha2 [Sahana Prasad]
* IKEv2: Use DER handling code of NSS instead of our custom code [Andrew]
* IKEv2: Fix core dump when impaired and proposing esp=null-none [Andrew]
* IKEv2: Fix traffic selector lookup for asymmetric conns [Andrew/Paul]
* IKEv2: Add IKE and ESP support for chacha20poly1305 (RFC 7634) [Andrew]
* IKEv2: Fix leaks in ikev2_calculate_rsa_hash [Hugh]
* IKEv2: Simplify proposal generating [Hugh]
* IKEv1: Fix handling XAUTH empty passwords [Andrew]
* IKEv1: Fix XAUTH message padding [Hugh]
* IKEv1: Various code cleanup, next payload handling [Hugh]
* IKEv1: fix optional key-length regression (in v3.25) with ESP prop [Andrew]
* IKEv1: Don't delete replaced IKE SA, it confuses third party clients [Paul]
* pluto: Relax strictness of DH in ESP/AH proposals [Andrew]
* pluto: Fix for two roadwarriors using ID_IPv4 behind same NAT [Paul]
* pluto: Do not hand out old lease address for authby=secret conns [Paul]
* pluto: new --selftest option that exits pluto after startup tests [Paul]
* pluto: Updated known Vendor ID table [Paul]
* XFRM:  Don't call init_pfkey() on boot so Linux upstream can kill it [Andrew]
*_unbound-hook: Fixup adding IPv4 pubkey, unbound now quotes arg as 1 [Paul]
* building: Fix listed patches for debian build [Paul]
* building: enable DH31 (curve25519) per default [Paul]
* testing: prepare to migrate from f22 to f28 [Andrew, Antony, Paul]
* Bugtracker bugs fixed:
   #166 IPsec/XAuth reusing lease for multiple clients behind same NAT [Paul]

libreswan Debian release 3.25-1

v3.25 (June 27, 2018)
* IKEv2: MOBIKE Initiator support (RFC 4555) [Antony]
* IKEv2: Support for IKE SA rekeying RFC7296 1.3.2, initiator [Antony]
* IKEv2: Support for IPsec SA rekeying RFC7296 1.3.3, initiator [Antony]
* IKEv2: Support for IKE SA reauth=yes|no RFC7296  2.8.3 [Antony]
* IKEv2: Temporarilly disable Liveness/DPD when MOBIKE kick in [Antony]
* IKEv2: No longer allow contradicting esp= and pfs= options [Andrew]
* IKEv2: PPK support for authby=rsasig [Vukasin Karadzic]
* IKEv2: IANA INTERNAL_DNSSEC_TA allocation added [Paul]
* IKEv2: Add PPK support to authby=rsasig [Vukasin]
* IKEv2: Don't calculate NO_PPK_AUTH when the POLICY is INSIST [Vukasin]
* IKEv2: fix PPK when responder is ppk=no but has a valid PPKID [Paul/Vukasin]
* IKEv2: Support for protoport based Opportunistic IPsec [Paul]
* IKEv2: Support multiple authby values (eg authby=rsasig,null) [Paul]
* IKEv2: Support for AUTHNULL fallback via private use Notify [Vukasin]
* IKEv2: Fix v3.23 regression causing liveness check to always fail [Tuomo]
* IKEv2: Support for Microsoft rekey bug: ms-dh-downgrade=yes|no [Andrew/Paul]
* IKEv2: Allow switching between OE instances with different protoports [Paul]
* IKEv2: process INITIAL_CONTACT and delete old states from a connection [Paul]
* IKEv2: Only retransmit fragments on receiving first fragment [Andrew]
* IKEv2: When sending fragments, also update st_msgid_lastreplied [Paul]
* IKEv2: Encrypt IKE_AUTH reply when authenticaion failed [Andrew]
* IKEv2: Fix handling of corrupt encrypted packets [Andrew]
* IKEv2: Do not call ISAKMP_SA_established() during CREATE_CHILD_SA [Paul]
* IKEv2: When receiving Initial Contact, delete old IPsec SA's [Paul]
* IKEv2: Harden IP triggered OE with new dns-match-id=yes|no [AntonyPaul]
* IKEv2: Add PRF/INTEG support for AES_XCBC / AES_CMAC [Andrew]
* IKEv2: permit DH=none (as in esp=aes;none,aes;dh22) [Andrew]
* IKEv1: Prevent crashes with IKEv1 mistakenly allowing narrowing=yes [Paul]
* IKEv1: DPD was not getting scheduled (bug introduced in 3.23) [Paul]
* IKEv1: modecfg_send_set() must not ignore failure of modecfg_resp() [Hugh]
* X509: Extend support for wildcard certs matching remote peer ID [Paul/Hugh]
* X509: Support PKCS7 for Microsoft interop with intermediate certs [Andrew]
* X509: Handle CRL fetching in separate thread [Andrew]
* pluto: Obsoleted connaddrfamily= (fixes 6in4 and 4in6) [Paul]
* pluto: New hostaddrfamily= and clientaddrfamily= (only needed w DNS) [Paul]
* pluto: Cleanup of state/md passing code [Andrew]
* pluto: Allow switching back from wrong instance to template conn [Paul]
* pluto: disentangle IKEv1 and IKEv2 packet sending code [Andrew]
* pluto: Allow rightsubnets= without leftsubnet(s)= [Paul]
* pluto: don't share IP leases for authby=secret (in case of group ID) [Paul]
* pluto: Parser bug prevented 4in6 config [mhuntxu at github, Daniel M. Weeks]
* pluto: Find and delete old connection/states with same ID [Paul/Hugh]
* pluto: traffic log (and updown) line had in/out bytes swapped [Paul/Tuomo]
* pluto: Fix memory/fd leaks found by Coverity and in cert code [Hugh/Andrew]
* pluto: Improve SPD longest prefix to priority calculation [Andrew/Paul/Hugh]
* addconn: Fix auto=route and auto=start processing [Paul]
* whack/auto: Ensure all status and list commands return no error code [Paul]
* KLIPS: Replace deprecated blkcipher with skcipher crypto API [Tijs Van Buggenhout]
* FIPS: Support new NIST ACVP protocol with cavp tool cmdline args [Andrew]
* FIPS: Don't attempt HMAC integrity test on rsasigkey (rhbz#1544143) [Paul]
* FIPS: Don't allow RSA keys < 3072 [Matt/Paul]
* FIPS: Enable our PRF aes_xcbc wrapper on NSS hash code in FIPS mode [Andrew]
* FIPS: Raise minimum RSA key length allowed to 3072 [Paul]
* CAVP: Add -<acvp-key> <acvp-value> and -json(output) options to CAVP [Andrew]
* portexcludes: new command ipsec portexcludes (see portexcludes.conf) [Paul]
* _updown.netkey: fix deleting routes when half routes are used [Tuomo]
* _updown.netkey: don't delete VTI interfaces until we can refcount [Tuomo]
* _updown.netkey: fix unroute: "need at least a destination address" [Tuomo]
* _updown.netkey: don't do proxyarp for direct host-host tunnels [Tuomo]
* _updown.netkey: force routing if we don't have route to remote network [Tuomo]
* _unbound-hook: Pass all IPSECKEY's to pluto, not just the first [Paul]
* contrib/python-swan: module to check if trafic get be encrypted [Kim]
* contrib/c-swan: example code to check if trafic get be encrypted [Kim]
* building: added USE_GLIBC_KERN_FLIP_HEADERS (default off) [Paul]
* building: when ElectricFence enabled, add extra system calls to seccomp [Andrew]
* ipsec: add checknss option --settrusts to reset CA trusts in nss db [Tuomo]
* _updown.netkey: force routing when necessary for IPsec to work [Tuomo]
* _updown.netkey: do not proxyarp for host-host tunnels [Tuomo]
* look: sort XFRM output by priority [Andrew]
* Bugtracker bugs fixed:
   #311: segfault in crl fetching git master f5b17dc [Andrew, Tuomo]
   #314: IPv6 default route is deleted by mistake
   #318: vti interface gets down on previous initiator if roles switch [Tuomo]
   #320: nsspassword file location is half implemented
   #328: Addcon crash on duplicit "left" or "leftid" keys in conn config [Stepan Broz]

v3.24 (June 26, 2018)
* IKEv2: MOBIKE Initiator support (RFC 4555) [Antony]
* IKEv2: Support for IKE SA rekeying RFC7296 1.3.2, initiator [Antony]
* IKEv2: Support for IPsec SA rekeying RFC7296 1.3.3, initiator [Antony]
* IKEv2: Support for IKE SA reauth=yes|no RFC7296  2.8.3 [Antony]
* IKEv2: Temporarilly disable Liveness/DPD when MOBIKE kick in [Antony]
* IKEv2: No longer allow contradicting esp= and pfs= options [Andrew]
* IKEv2: PPK support for authby=rsasig [Vukasin Karadzic]
* IKEv2: IANA INTERNAL_DNSSEC_TA allocation added [Paul]
* IKEv2: Add PPK support to authby=rsasig [Vukasin]
* IKEv2: Don't calculate NO_PPK_AUTH when the POLICY is INSIST [Vukasin]
* IKEv2: fix PPK when responder is ppk=no but has a valid PPKID [Paul/Vukasin]
* IKEv2: Support for protoport based Opportunistic IPsec [Paul]
* IKEv2: Support multiple authby values (eg authby=rsasig,null) [Paul]
* IKEv2: Support for AUTHNULL fallback via private use Notify [Vukasin]
* IKEv2: Fix v3.23 regression causing liveness check to always fail [Tuomo]
* IKEv2: Support for Microsoft rekey bug: ms-dh-downgrade=yes|no [Andrew/Paul]
* IKEv2: Allow switching between OE instances with different protoports [Paul]
* IKEv2: process INITIAL_CONTACT and delete old states from a connection [Paul]
* IKEv2: Only retransmit fragments on receiving first fragment [Andrew]
* IKEv2: When sending fragments, also update st_msgid_lastreplied [Paul]
* IKEv2: Encrypt IKE_AUTH reply when authenticaion failed [Andrew]
* IKEv2: Fix handling of corrupt encrypted packets [Andrew]
* IKEv2: Do not call ISAKMP_SA_established() during CREATE_CHILD_SA [Paul]
* IKEv2: When receiving Initial Contact, delete old IPsec SA's [Paul]
* IKEv2: Harden IP triggered OE with new dns-match-id=yes|no [AntonyPaul]
* IKEv2: Add PRF/INTEG support for AES_XCBC / AES_CMAC [Andrew]
* IKEv2: permit DH=none (as in esp=aes;none,aes;dh22) [Andrew]
* IKEv1: Prevent crashes with IKEv1 mistakenly allowing narrowing=yes [Paul]
* IKEv1: DPD was not getting scheduled (bug introduced in 3.23) [Paul]
* IKEv1: modecfg_send_set() must not ignore failure of modecfg_resp() [Hugh]
* X509: Extend support for wildcard certs matching remote peer ID [Paul/Hugh]
* X509: Support PKCS7 for Microsoft interop with intermediate certs [Andrew]
* X509: Handle CRL fetching in separate thread [Andrew]
* pluto: Obsoleted connaddrfamily= (fixes 6in4 and 4in6) [Paul]
* pluto: New hostaddrfamily= and clientaddrfamily= (only needed w DNS) [Paul]
* pluto: Cleanup of state/md passing code [Andrew]
* pluto: Allow switching back from wrong instance to template conn [Paul]
* pluto: disentangle IKEv1 and IKEv2 packet sending code [Andrew]
* pluto: Allow rightsubnets= without leftsubnet(s)= [Paul]
* pluto: don't share IP leases for authby=secret (in case of group ID) [Paul]
* pluto: Parser bug prevented 4in6 config [mhuntxu at github, Daniel M. Weeks]
* pluto: Find and delete old connection/states with same ID [Paul/Hugh]
* pluto: traffic log (and updown) line had in/out bytes swapped [Paul/Tuomo]
* pluto: Fix memory/fd leaks found by Coverity and in cert code [Hugh/Andrew]
* pluto: Improve SPD longest prefix to priority calculation [Andrew/Paul/Hugh]
* addconn: Fix auto=route and auto=start processing [Paul]
* whack/auto: Ensure all status and list commands return no error code [Paul]
* KLIPS: Replace deprecated blkcipher with skcipher crypto API [Tijs Van Buggenhout]
* FIPS: Support new NIST ACVP protocol with cavp tool cmdline args [Andrew]
* FIPS: Don't attempt HMAC integrity test on rsasigkey (rhbz#1544143) [Paul]
* FIPS: Don't allow RSA keys < 3072 [Matt/Paul]
* FIPS: Enable our PRF aes_xcbc wrapper on NSS hash code in FIPS mode [Andrew]
* FIPS: Raise minimum RSA key length allowed to 3072 [Paul]
* CAVP: Add -<acvp-key> <acvp-value> and -json(output) options to CAVP [Andrew]
* portexcludes: new command ipsec portexcludes (see portexcludes.conf) [Paul]
* _updown.netkey: fix deleting routes when half routes are used [Tuomo]
* _updown.netkey: don't delete VTI interfaces until we can refcount [Tuomo]
* _updown.netkey: fix unroute: "need at least a destination address" [Tuomo]
* _updown.netkey: don't do proxyarp for direct host-host tunnels [Tuomo]
* _updown.netkey: force routing if we don't have route to remote network [Tuomo]
* _unbound-hook: Pass all IPSECKEY's to pluto, not just the first [Paul]
* contrib/python-swan: module to check if trafic get be encrypted [Kim]
* contrib/c-swan: example code to check if trafic get be encrypted [Kim]
* building: added USE_GLIBC_KERN_FLIP_HEADERS (default off) [Paul]
* building: when ElectricFence enabled, add extra system calls to seccomp [Andrew]
* ipsec: add checknss option --settrusts to reset CA trusts in nss db [Tuomo]
* _updown.netkey: force routing when necessary for IPsec to work [Tuomo]
* _updown.netkey: do not proxyarp for host-host tunnels [Tuomo]
* look: sort XFRM output by priority [Andrew]
* Bugtracker bugs fixed:
   #311: segfault in crl fetching git master f5b17dc [Andrew, Tuomo]
   #314: IPv6 default route is deleted by mistake
   #318: vti interface gets down on previous initiator if roles switch [Tuomo]
   #320: nsspassword file location is half implemented
   #328: Addcon crash on duplicit "left" or "leftid" keys in conn config [Stepan Broz]

libreswan Debian release 3.23-6

libreswan Debian release 3.23-5

libreswan Debian release 3.23-4

libreswan Debian release 3.23-3

libreswan Debian release 3.23-2

libreswan Debian release 3.23-1

v3.23 (January 25, 2018)
* IKEv2: MOBIKE support (RFC 45555) [Antony/Paul]
* IKEv2: Add support for modecfgdns= and modecfgdomains= like for IKEv1 [Paul]
* IKEv2: EXPERIMENTAL: Support for Postquantim Preshared Keys [Vukasin Karadzic]
         based on draft-ietf-ipsecme-qr-ikev2-01 (using private use numbers)
         new option: ppk=yes|no|insist (default no)
* pluto: Fix DEFAULT_RUNDIR to be set so it is really configurable [Tuomo]
* pluto: Add support IDr payload (You Tarzan, me Jane) [Paul]
* pluto: pass state to send_crypto_helper_request() [Andrew]
* pluto: Internal time/scheduling changes, micro-seconds logging [Andrew]
* pluto: make counts of states consistently "unsigned" [Hugh]
* pluto/lib: Remove obsoleted/unused %myid support [Paul]
* pluto: add --impair replay-forward,replay-backward [Andrew]
* pluto: add --impair dup-incoming-packets [Andrew]
* pluto: Rework nic offload detection code [Aviv Heller]
* pluto: Retry send on -EAGAIN in check_msg_errqueue() (upto 32x) [Paul/Hugh]
* pluto: Pull latest kernel traffic counters before logging/deleting SA [Paul]
* pluto: STF_INLINE, STF_TOOMUCHCRYPTO no longer needed in helpers [Andrew]
* pluto: Replace socket queues with a simple queue and mutex+cont [Andrew]
* pluto: Do not send DPD/liveness probes for replaced inactive IPsec SAs [Paul]
* pluto: crypto processing cleanup [Andrew]
* XFRM: XFRM_MIGRATE support, used for MOBIKE [Antony]
* XFRM: Listen to NETLINK_ROUTE messages from kernel for MOBIKE [Antony]
* XFRM: Fix unique marks accidentally setting -1 instead of random [Paul]
* XFRM: Only install IPv6 holes when system has configured IPv6 [Antony]
* XFRM: Add support for decap-dscp=yes|no (default no) [Paul]
* XFRM: Add support for nopmtudisc=yes|no (default no) [Paul]
* KLIPS: Support kernels 4.14+ with renamed dev->priv_destructor [Paul]
* KLIPS: updown fixes for IPv6 default route and metric/mtu settings [Wolfgang]
* SECCOMP: Update syscall whitelist for use of libunbound [Paul]
* IKEv1: better handle ESP with no integrity vs unknown integrity [Andrew]
* IKEv1: Fix packet retransmit code wrf timeouts vs duplucates [Andrew]
* IKEv1: Prevent duplicate responder states on retransmision [Andrew]
* IKEv1: Don't linger R1 states for 1h but use configured timeouts [Paul]
* IKEv2: nat_traversal_change_port_lookup() code moved [Antony]
* IKEv2: Macros could misinterpret some IKE/IPsec states [Paul/Antony]
* IKEv2: Updated Group transforms to comply with RFC 8247 [Paul]
* PAM: Don't cancel pam threads (unsupported!) but drop results instead [Andrew]
* _updown: Fix resolv.conf handling (github #130) [Tuomo]
* _updown: Fix POINTPOINT interfaces not to use nexthop [Tuomo]
* _updown.netkey: Add source ip to dev lo by default [Tuomo]
* Makefiles: Fix INC_MANDIR to be share/man and add FINALMANDIR [Tuomo]
* packaging: Move debian/ to packaging ('make deb' still works) [Antony]
* contrib: Added ipsec-dyndns to demonstrante how push an IPSECKEY [Paul]
* Bugtracker bugs fixed:
   #313: changesource in updown_klips doesn't respect PLUTO_METRIC [Wolfgang]
   #314: IPv6 default route is deleted by mistake [Wolfgang]

3.23rc4

3.23rc3