Tags give the ability to mark specific points in history as being important
-
v3.23
17510eef · ·v3.23 (January 25, 2018) * IKEv2: MOBIKE support (RFC 45555) [Antony/Paul] * IKEv2: Add support for modecfgdns= and modecfgdomains= like for IKEv1 [Paul] * IKEv2: EXPERIMENTAL: Support for Postquantim Preshared Keys [Vukasin Karadzic] based on draft-ietf-ipsecme-qr-ikev2-01 (using private use numbers) new option: ppk=yes|no|insist (default no) * pluto: Fix DEFAULT_RUNDIR to be set so it is really configurable [Tuomo] * pluto: Add support IDr payload (You Tarzan, me Jane) [Paul] * pluto: pass state to send_crypto_helper_request() [Andrew] * pluto: Internal time/scheduling changes, micro-seconds logging [Andrew] * pluto: make counts of states consistently "unsigned" [Hugh] * pluto/lib: Remove obsoleted/unused %myid support [Paul] * pluto: add --impair replay-forward,replay-backward [Andrew] * pluto: add --impair dup-incoming-packets [Andrew] * pluto: Rework nic offload detection code [Aviv Heller] * pluto: Retry send on -EAGAIN in check_msg_errqueue() (upto 32x) [Paul/Hugh] * pluto: Pull latest kernel traffic counters before logging/deleting SA [Paul] * pluto: STF_INLINE, STF_TOOMUCHCRYPTO no longer needed in helpers [Andrew] * pluto: Replace socket queues with a simple queue and mutex+cont [Andrew] * pluto: Do not send DPD/liveness probes for replaced inactive IPsec SAs [Paul] * pluto: crypto processing cleanup [Andrew] * XFRM: XFRM_MIGRATE support, used for MOBIKE [Antony] * XFRM: Listen to NETLINK_ROUTE messages from kernel for MOBIKE [Antony] * XFRM: Fix unique marks accidentally setting -1 instead of random [Paul] * XFRM: Only install IPv6 holes when system has configured IPv6 [Antony] * XFRM: Add support for decap-dscp=yes|no (default no) [Paul] * XFRM: Add support for nopmtudisc=yes|no (default no) [Paul] * KLIPS: Support kernels 4.14+ with renamed dev->priv_destructor [Paul] * KLIPS: updown fixes for IPv6 default route and metric/mtu settings [Wolfgang] * SECCOMP: Update syscall whitelist for use of libunbound [Paul] * IKEv1: better handle ESP with no integrity vs unknown integrity [Andrew] * IKEv1: Fix packet retransmit code wrf timeouts vs duplucates [Andrew] * IKEv1: Prevent duplicate responder states on retransmision [Andrew] * IKEv1: Don't linger R1 states for 1h but use configured timeouts [Paul] * IKEv2: nat_traversal_change_port_lookup() code moved [Antony] * IKEv2: Macros could misinterpret some IKE/IPsec states [Paul/Antony] * IKEv2: Updated Group transforms to comply with RFC 8247 [Paul] * PAM: Don't cancel pam threads (unsupported!) but drop results instead [Andrew] * _updown: Fix resolv.conf handling (github #130) [Tuomo] * _updown: Fix POINTPOINT interfaces not to use nexthop [Tuomo] * _updown.netkey: Add source ip to dev lo by default [Tuomo] * Makefiles: Fix INC_MANDIR to be share/man and add FINALMANDIR [Tuomo] * packaging: Move debian/ to packaging ('make deb' still works) [Antony] * contrib: Added ipsec-dyndns to demonstrante how push an IPSECKEY [Paul] * Bugtracker bugs fixed: #313: changesource in updown_klips doesn't respect PLUTO_METRIC [Wolfgang] #314: IPv6 default route is deleted by mistake [Wolfgang] -
v3.23rc1
a380b0ad · ·v3.23 (unrelased) * pluto: Fix DEFAULT_RUNDIR to be set so it is really configurable [Tuomo] * _updown: Fix resolv.conf handling (github #130) [Tuomo] * _updown: Fix POINTPOINT interfaces not to use nexthop [Tuomo] * Makefiles: Fix INC_MANDIR to be share/man and add FINALMANDIR [Tuomo]
-
v3.22
8c509021 · ·v3.22 (October 22, 2017) * IKEv2: EXPERIMENTAL: unbound DNS server ipsecmod support [Opportunistic IPsec] * IKEv2: Initial support for RFC 7427 Digital Signature [Sahana Prasad/GSoC] * IKEv2: Do not include INTEG=NONE in AEAD IKE proposals [Andrew] * IKEv2: Accept both ESP=AEAD+NONE and ESP=AEAD in proposals [Andrew] (See also: https://www.rfc-editor.org/errata/eid5109) * IKEV2: Fix interop with old pluto that rejected esp=aead+none [Andrew] * IKEv2: Add support for GMAC via esp=null_auth_aes_gcm [Andrew] * IKEv2: Fragmentation code cleanup and memory leak fixes [Andrew] * IKEv1: Fix XAUTH retransmits and packet storage [Antony] * IKEv1: Perform custom state change for XAUTH without ModeCFG [Paul] * IKEv1: Add support for nat-ikev1-method=none [Paul] * IKEv1: XAUTH password length wasn't consistent at 128 [Stepan Broz] * pluto: Natively install ICMPv6 neighbour discovery holes [Mayank Totale/GSoC] * pluto: Fixup XAUTH/PAM thread cancelation handling [Andrew/Antony] * pluto: Change default rundir from /var/run/pluto to /run/pluto [Paul] * pluto: Various ike_alg parsing updates [Andrew] * pluto: Various cleanups in addresspool and XAUTH code [Hugh] * pluto: Fix missing ntohl() on the SPI numbers in ipsec status [Paul] * pluto: Various memory leak fixes [Antony,Paul,Hugh] * pluto: Make ioctl(SIOCGIFFLAGS) failure for labeled devices non-fatal [Paul] * pluto: Give IKE traffic preference via SO_PRIO [Paul] * pluto: New setup options: ike-socket-errqueue= , ike-socket-bufsiza=e [Paul] * pluto: Improve whack --listevents with libevent [Antony] * pluto: Fixup NIC offload support [Antony, Hugh] * pluto: Track and try the number of EAGAIN errors on IKE socket [Hugh/Paul] * pluto: Prevent spurious initiating states on responder-only conn [Antony] * pluto: don't call sanitize_string() in fmt_log() as it is expensive [Paul] * pluto: No longer need to specify null for AEAD, can use esp=aes_gcm [Andrew] * pluto: Increase default nhelpers for 1 CPU (2) and 2 CPUs (4) [Paul] * pluto: New option logip= (default yes) to disable log of incoming IPs [Paul] * pluto: signal handling cleanup [Andrew/Hugh] * pluto: Don't try to retransmit unsent packet [Paul/Hugh] * pluto: state hashing improvements [Andrew] * pluto: Fix erranious connecting switching (bug in v3.21) [Paul] * pluto: when deleting parent, don't deschedule DH for wrong child [Andrew] * pluto: dpdaction=restart fixup when using %any [Antony] * pluto: Don't die on labeled interfaces without SIOCGIFFLAGS support [Paul] * addconn: left=%defaultroute would fail if >500 host routes [Kim] * showhotkey/rsasigkey: Fixup mismatch of public key display [Andrew] * FIPS: Some selftests did not run properly under FIPS mode [Andrew] * KLIPS: Removed old premade patches, use make targets instead [paul] * updown Don't remove source ip if it's still used (rhbz#1492501) [Tuomo] * updown: Allow disabling via leftupdown="" or leftupdown="%disabled" [Paul] * updown: SPI numbers were missing ntohl() conversion [Paul] * various: phase out --ctlbase for --ctlsocket and --rundir [Paul] * libipsecconf: reject unavailable kernel algorithms in parser [Andrew] * libswan/pluto: throw a clearer error for broken libunbound [Paul] * libswan/pluto: Cleanup logging and tighten logging lock [Andrew] * libswan/pluto: Greatly optimize logging code [Andrew] * libswan/pluto: Some logging algorithm renames for more consistency [Andrew] * building: remove -fexceptions; breaks pthread_cleanup_push [Andrew] * packaging: Update debian/ and move to packaging/debian [Antony] * packaging: Update fedora/rhel spec files [Tuomo] * testing: --impair-foo changed to --impair foo [Andrew] * testing: Some new impair options for testing [Andrew,Sahana,Paul] * testing: Allow null encryption with null auth for testing [Andrew] * Bugtracker bugs fixed: #294: Bug in public key reported by rsasigkey [Tijs Van Buggenhout/Andrew] #299: Fix overlapping addresspool and static lease from passwd file [Antony] #300: Fix bug in v3.21 that rejected hardcodes certs without a CA [Paul] #302: IKEv1-only and IKEv2-only must not share IKE SA [Paul] #303: xauth password length limited to 64 bytes [Stepan Broz] -
v3.22dr1
4eabfba3 · ·v3.22 (unreleased) * pluto: Support for RFC 7427 Digital Signature AUTH [Sahana Prasad/GSoC] * pluto: Change default rundir from /var/run/pluto to /run/pluto [Paul] * various: phase out --ctlbase for --ctlsocket and --rundir [Paul] * libipsecconf: reject unavailable kernel algorithms in parser [Andrew] * libswan/pluto: throw a clearer error for broken libunbound [Paul] * pluto: Various ike_alg parsing updates [Andrew] * libswan/pluto: Cleanup logging and tighten logging lock [Andrew] * Bugtracker bugs fixed: #294: Bug in public key reported by rsasigkey [Tijs Van Buggenhout/Andrew]
-
v3.21
2e2a612b · ·* FIPS: Don't crash on too weak PSK's in FIPS mode, warn for non-FIPS [Andrew] * FIPS: rsasigkey: Use modulus F4, not 3 (FIPS 186-4, section B.3.1) [Paul] * pluto: Support for "idXXX" esp/ike transform IDs removed [Andrew,Paul] * pluto: Do not return whack error when termining an alias connection [Paul] * pluto: Remove IKE policy bits on passthrough conns [Paul] * pluto: Minor memory leak fixes [Paul] * pluto: Fix memory leak due to addresspool reference count error [Antony] * pluto: Re-add support for ipsec whack --listevents [Antony] * pluto: Cleanup listed events on shutdown to please leak-detective [Antony] * pluto: Perform stricter SubjectAltName checks on configured ID's [Paul] * pluto: Handle *subnets in --route and --unroute via whack [Mika/Tuomo] * pluto: Unify IKEv1 XAUTH and IKEv2 PAM threading code [Andrew] * pluto: Use pthread_cancel() (not SIGINT, conflicts with debuggers) [Andrew] * pluto: Fix memory corruption with XAUTH/PAM threads [Andrew/Hugh] * pluto: Fix resource leak processing XAUTH password authentication [Andrew] * pluto: Fix warnings generated by gcc 7.1 [Lubomir Rintel] * pluto: NIC offload support nic-offload=auto|yes|no (eg mellanox) [Ilan Tayari] * pluto: Use common function in ikev1 / ikev2 for dpd/liveness actions [Antony] * NSS: Try harder finding private keys that reside on hardware tokens [Andrew] * IKEv2: Opportunistic IPsec support for IPSECKEY records [Antony] * IKEv2: New dnssec-enable=yes|no, dnssec-rootkey-file=, dnssec-anchors= [Paul] * IKEv2: If CREATE_CHILD_SA superseded retransmit, drop it [Antony] * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.1) [Antony] * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.2 responder) [Antony] * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.3 responder) [Antony] * IKEv2: Flush ESP/AH proposals on the initiator. It could be stale [Antony] * IKEv2: State Machine (svm) updates to simplify CREATE_CHILD_SA [Antony] * IKEv2: DH role is based on message role not Original Initiator role [Antony] * IKEv2: Return CHILD_SA_NOT_FOUND when appropriate [Antony] * IKEv2: After an IKE rekey, rehash inherited Child SA to new parent [Antony] * IKEv2: Rekeying must update SPIs when inheriting a Child SA [Antony] * IKEv2: Decrypt and verify the paylods before calling processor [Andrew] * IKEv2: Fragmentation code cleanup [Andrew] * IKEv2: Drop CREATE_CHILD_SA message when no IKE state found [Antony] * IKEv2: Do not send a new delete request for the same Child SA [Antony] * IKEv2: During Child SA rekey, abort when ESP proposals mismatch [Antony] * IKEv2: OE client check should take responders behind NAT into account [Paul] * IKEv2: Improved dpdaction=hold processing [Antony] * IKEv1: Only initiate and create IKE SA for appropriate dpdaction [Antony] * IKEv1: Re-add SHA2_256 (prefered) and SHA2_512 to IKEv1 defaults [Andrew] * IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads [Paul] * IKEv1: Multiple CISCO_SPLIT_INC's cause duplicate spd_routes [Oleg Rosowiecki] * X509: Improve some failure logging [Paul] * XFRM: Use proper alignment for IPv4 AH as per RFC4302 Section 3.3.3.2.1 [Paul] * XFRM: Update including system or local copy of xfrm.h [Paul/Antony] * XFRM: Remove no longer needed {rt}netlink.h copies [Paul] * KLIPS: cryptoapi: switch from hash to ahash [Richard] * KLIPS: Add traffic accounting support [Richard/Paul] * KLIPS: Support for linux 4.11 [Paul] * lib: Move the alg_info lookup-by-name code to libswan [Andrew] * lib: Move all conditionally compiled ike_alg*.c files to libswan.a [Andrew] * addconn: Replace ttoaddr() with calls supporting DNSSEC [Paul/Antony] * libswan: Algo code cleanup [Andrew] * libipsecconf: Load specified RSA keys irrespective of policy [Paul] * libipsecconf/pluto: Be more strict in authby= & type= combinations [Paul] * libipsecconf: Fail to load connections with unsatisfied auto= clause [Hugh] * parser: Numerous algorithm parser fixes, eg. esp=aes_ccm_8_128-null [Andrew] * algparse: (Experimental) modified to run algorithm parser stand-alone [Andrew] * newhostkey: Actually append to secrets as the warning claims it will [Paul] * _updown.netkey: Fix syntax failure when PLUTO_MY_SOURCEIP is not set [Tuomo] * _updown.netkey,klips: Fix use of printf when updating resolv.conf [Tuomo] * _updown.netkey: Remove wrong use of PLUTO_PEER_CLIENT netmask [Tuomo] * _updown: Add MAX_CIDR variable for host netmask [Tuomo] * ipsec import: Trust bits correction did not always trigger [Tuomo] * building: Convert lib/ to use mk/library.mk [Andrew] * building: Work around rhel-6 gcc [Andrew] * building: Add copy unbound-event.h work around broken unbound installs [Paul] * packaging: Better split rpm and make variables [Paul] * packaging: Updates for new requirements for ldns, unbound-devel [Paul] * testing: Add DNSSEC, Opportunistic IPsec testcases, fixups [Multiple people] * contrib: Munin plugin for libreswan [Kim/Paul]