
Tags

  • v3.16

    v3.16 (December 18, 2015)
    * auto: add new option --start which is like auto=start [Tuomo]
    * libipsecconf: allow time with no unit suffix (openswan compat) [Hugh]
    * libipsecconf: cleanup parser.y to work on old/new GCC and 32/64bit [Hugh]
    * libipsecconf: re-introduce strictcrlpolicy= as alias for crl-strict= [Paul]
    * libipsecconf: Allow time specification for dpdtimeout= / dpddelay= [Paul]
    * libipsecconf: aliases curl_timeout / curl_iface for openswan migration [Paul]
    * libswan: Fix memory leak in match_rdn() [Valeriu Goldberger]
    * PAM: Fix some IKEv1 XAUTH methods always returning "denied" [Antony]
    * PAM: stacked pam modules (eg pam_ssss) need CAP_DAC_READ_SEARCH [Matt]
    * newhostkey: fix seedev device [Paul]
    * pluto: terminate_connection() when we become unoriented (rhbz#609343) [Paul]
    * pluto: find_client_connection() must ignore unoriented c (rhbz#1166146) [Paul]
    * pluto: Fix trafficstatus byte counter output [Antony]
    * pluto: accept racoon's over-sized padding (got rejected in 3.14) [Andrew]
    * pluto: obsolete plutofork= and ignore the keyword on startup [Paul]
    * pluto: send_crl_to_import: use waitpid(2) to wait for correct child [Hugh]
    * pluto: cleanup struct spd_route and related tidying [Hugh]
    * pluto: fix eclipsed to iterate over connection's spd_routes [Hugh]
    * pluto: accept delete payload with wrong side's SPI (CISCO bug) [Paul+Hugh]
    * pluto: initialise phase2 our_lastused/peer_lastused on creation [Paul+Hugh]
    * pluto: OE: add shunts.total count to ipsec whack --globalstatus [Paul]
    * pluto: Add keyword replay-window= (default 32, 0 means disable) [Paul]
    * pluto: Add fake-strongswan=yes|no (default no) to send strongswan VID [Paul]
    * pluto: Add support for XFRM marking via mark=val/mask [Amir Naftali]
    * pluto: Use selinux dynamic class/perm discovery, not old API [Lubomir Rintel]
    * pluto: Fix for uniqueids killing second tunnel between hosts [Tuomo]
    * pluto: Don't refuse to load passthrough conn with ike= / esp= settings [Paul]
    * pluto: Free the event struct initialized in main loop and tidy [Antony]
    * pluto: Add event for child handling of addconn [Wolfgang/Antony]
    * pluto: release_fragments() cannot try both IKEv1 and IKEv2 fragments [Paul]
    * X509: load_end_nss_certificate() cleanup [Matt]
    * X509: Add on-demand loading of NSS certificate private keys [Matt]
    * X509: Fix possible NSS cert leaks in trusted_ca_nss() [Matt]
    * IKEv2: delete_state() should only handle shunt of real parent SA [Paul]
    * IKEv2: retransmit_v2_msg() should delete parent and child SA on failure [Paul]
    * IKEv2: mixup in parent/child SA caused keyingtries to be lost [Paul]
    * IKEv2: Remove two bogus state machine entries for INFORMATIONAL [Paul]
    * IKEv2: Remove duplicate SEND_V2_NOTIFICATION() [Paul]
    * IKEv2: Only let passthrough conn win if it has longer prefix [Paul]
    * OE: Deleting opportunistic Parent with no Child SA [Paul]
    * OE: Send authentication failed for OE child fail [Paul]
    * OE: Don't reject IPv6 family for OE foodgroups [Antony]
    * OE: Move orphan_holdpass() call into delete_state() [Paul]
    * OE: Call orphan_holdpass() for opportunistic conns for EVENT_SA_EXPIRE [Paul]
    * OE: Do not answer IKE request if we matched authby=never conn [Paul]
    * OE: Fix memory leaks in nullgw and bs->why [Antony]
    * OE: At IKE rekey time, delete the IKE/IPsec SA when idle [Antony]
    * FIPS: fips.h should only require compiled libexec/ components [Paul]
    * XAUTH: Fix for connection going up->down->up causing passert [Hugh]
    * XAUTH: Do not interpret padding as incomplete attribute [Lubomir Rintel]
    * XAUTH: Improve failure logging [Paul]
    * XFRM: Workaround bug in Linux kernel NLMSG_OK's definition [Hugh]
    * KLIPS: kernels 4.1.x+ always use the same interface to uids [Roel van Meer]
    * KLIPS: Various changes to support 4.1.x kernels [Wolfgang]
    * ipsec: custom directory not recognized, github issue #44 [Tuomo]
    * updown.*: Fix NetworkManager callback [Lubomir Rintel]
    * addconn: tidy [Hugh]
    * building: obsolete USE_ADNS and disable building adns helpers [Paul]
    * building: Do not link all binaries with nss,nspr and gmp [Paul]
    * building install "ipsec_initnss.8" and "ipsec_import.8" man pages [Andrew]
    * packaging: debian/ directory update [Paul/Daniel]
    * testing: Various testing updates and improvements [Antony/Paul/Andrew]
    * documentation: added CODE_OF_CONDUCT.d [Paul]
    * Bugtracker bugs fixed:
       #216 No longer require :RSA entries for X.509 certs in ipsec.secrets [Matt]
       #233 pluto sends delete SAs in wrong order and reconnection issues [Wolfgang]
       #247 KLIPS: fix pluto can't add ipv6 addresses to ipsec devices [Wolfgang]
       #248 keyingtries=%forever doesn't work anymore [Wolfgang]
    
  • v3.16rc3

    v3.16rc3
    
  • v3.16rc2

    d81fbe2f · updated changes ·
    3.16rc2
    
  • v3.15

    v3.15 (August 24, 2015)
    * SECURITY: CVE-2015-3240 IKE daemon restart when receiving a bad DH gx [Hugh]
    * KLIPS: fix use of *iovec() functions for linux 4.x kernels [Greg Ungerer]
    * IKEv1: Remove old IPsec SA's when newest IPsec SA is removed [CHEN, JIANFU]
    * IKEv1: Fix Labeled IPsec SECCTX parsing - bug introduced in 3.14 [Matt]
    * NETKEY: workaround for NLMSG_OK() macro causing build failure on i686 [Hugh]
    * NETKEY: Fix IPsec SA priority on type=passthrough conns [Antony]
    * NETKEY: Fix nflog= on type=passthrough conns [Paul]
    * pluto: Use PORT_ErrorToString() to translate NSS errors [Matt]
    * pluto/whack: add --impair-send-zero-gx to test CVE-2015-3240 [Paul]
    * ipsec: checknss/initnss must both convert old database if it exists [Tuomo]
    * packaging: debian fixes for userland package [Antony]
    
  • v3.14

    v3.14 (August 11, 2015)
    * NSS: Major rewrite of PRF / PRFPLUS / integrity functions for FIPS [Andrew]
    * FIPS: Added programs/pluto/cavp for NIST CVAS testing [Andrew]
    * IKEv2: RFC 7383 IKEv2 Fragmentation support [Herbert/Hugh]
    * IKEv2: RFC 7619 Auth Null support (authby=null) [Paul/Antony/Hugh]
    * IKEv2: RFC 7619 ID Null support (leftid=%null) [Paul/Antony/Hugh]
    * IKEv2: whack and smc related time out fixes [Antony]
    * IKEv2: rekey, expire, delete refactoring and fixes [Antony]
    * IKEv2: do not pad IKE messages (fix interop w. InsideSecure) [Paul]
    * IKEv2: Fix esp=camellia to use the IKEv2 IANA registry number for ESP [Paul]
    * IKEv2: Fix memory leaks in addresspool and child exchange sadb [Antony]
    * IKEv2: Support for INVALID_KE DH group re-transmits [Paul/Hugh]
    * IKEv2: if applicable, add CERTREQ payload to IKE_SA_INIT response [Antony]
    * IKEv2: Various memory leak fixes [Hugh]
    * IKEv2: Delete parent/child SA when IPsec SA expires due to inactivity [Antony]
    * IKEv2: Added pam-authorize= (default no) for userid verification [Antony]
    * IKEv2: Informational exchange did not always update msgid counters [Paul]
    * IKEv2: Don't send v2N_INVALID_MSGID in response to duplicate IKE_INIT packet
    * IKEv2: Time all crypto operations, not just DH IKEv2 [Antony]
    * IKEv2: reduce leaks involving sa_v2_convert [Hugh]
    * IKEv2: eliminate leaks of st_tpacket [Hugh]
    * IKEv2: fix send certreq [Antony]
    * IKEv2: find_host_connection now checks RSA, PSK and NULL one by one [Antony]
    * IKEv1: Don't copy isakmp_sa from received packet [Paul]
    * IKEv1: Do not retransmit forever [Antony/Herbert]
    * FIPS: Enforce crypto restrictions in FIPS mode (no md5,twofish, etc) [Paul]
    * XAUTH: retransmit user/password request in 10s (instead of 30s) [Wolfgang]
    * X509: Re-added CRL and OCSP support using NSS [Matt]
    * X509: Expired certificate could crash pluto [Wolfgang]
    * x509: New options: ocsp_enable= ocsp_strict= ocsp_timeout= [Matt]
            ocsp_uri= and ocsp_trust_name=
    * pluto: Converted select() loop to use libevent and subsecond timers [Antony]
    * pluto: unroute IPSEC SA instead of hold, if oppo and CK_INSTANCE [Antony]
    * pluto: Added --impair-send-no-ikev2-auth and --impair-force-fips [Paul]
    * pluto: Added retransmit-timeout= (default 60s) [Antony]
    * pluto: Added retransmit-interval= in ms (default 500) [Antony]
    * pluto: Greatly reduce time to retransmit from 20s to 0.5s [Antony]
    * pluto: Support for IKEv1 and IKEv2 AES_CTR (ike=aes_ctr) [Andrew Cagney]
    * pluto: Support for CBC/CTR test vectors using NSS [Andrew Cagney]
    * pluto: Remove last weary old FreeS/WAN X.509 code and use NSS instead [Matt]
    * pluto: Static IP support using passwd file with addresspool= [Wolfgang]
    * pluto: major tidy of labeled ipsec code [Hugh]
    * pluto: fixes for uninitialized fields in output struct [Hugh/Paul]
    * pluto: audit format and log item update as per audit spec [Paul]
    * pluto: simplify and clarify sa_copy_sa and friends [Hugh]
    * pluto: small steps improving crypto helpers [Hugh]
    * pluto: plutostderrlog= renamed to logfile= [Paul]
    * pluto: plutostderrlogtime= renamed to logtime= [Paul]
    * pluto: New option logappend=yes|no (default yes) [Paul]
    * pluto: Removed obsoleted loopback= support [Paul]
    * pluto: advanced state counting (anon,auth,halfopen,child) [Paul/Andrew/Hugh]
             (see ipsec whack --globalstatus)
    * pluto/rsasigkey: added --seedbits option (and seedbits= option) [Paul]
    * pluto: do not terminate_connection() in-flight [Hugh]
    * pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu]
    * pluto: Use "third best" monotime() on mismatched kernel/glibc headers [Paul]
    * pluto: removed bool inbound_only from delete_ipsec_sa() [Paul/Herbert]
    * pluto: fix modecfg client/server status display (was swapped) [Herbert]
    * pluto: Global NFLOG support via nflog-all= keyword (default off) [Paul]
    * pluto: Per-conn NFLOG support via nflog= keyword (default off) [Paul]
    * pluto: Reduce default logging for unknown/halfopen/opportunistic SA's [Paul]
    * pluto: Fix bogus "no RSA public key known for '%fromcert'" [Herbert Xu]
    * pluto: exclude ike/esp options from %default for never-negotiate conns [Paul]
    * pluto: added xfrmlifetime= (default 300) to customise NETKEY acquires [Paul]
    * pluto: added shuntlifetime= (default 15m) for bare shunts [Paul]
    * pluto: added negotiationshunt= (default hold) [Paul]
    * pluto: Obsoleted force-busy= for ddos-mode= [Paul]
    * pluto: Added config setup keyword ddos-mode= (default auto) [Paul]
    * pluto: Added config setup keyword ddos-ike-treshold= (default 25000) [Paul]
    * pluto: Added config setup keyword max-halfopen-ike= (default 50000) [Paul]
    * pluto: route_owner() don't passert on changed interface [Paul]
    * pluto: Remove DNSSEC DLV support (DLV is decommissioned) [Paul]
    * pluto: Support for unbound < 1.4.21 [Tony Whyman]
    * libipsecconf: Improve parser for pipe case (with NM) [Hugh/Lubomir Rintel]
    * libcrypto/twofish: Fix CALC_SB_* macros [Lubomir Rintel]
    * readwriteconf: improve error handling [Hugh]
    * ipsec: ipsec --import does not need to run restorecon [Paul]
    * ipsec: --checknss option automatically updates NSS DB to SQL [Matt]
    * ipsec: --checknflog option installs nflog-group= iptables rules [Paul]
    * rsasigkey: Rename --random to --seeddev [Paul]
    * packaging: Various SPEC file fixes and Buildrequire: updates [Tuomo/Kim]
    * packaging: Add v6neighbour-hole.conf for Neighbour Discovery hole [Paul]
    * initsystems: run ipsec --checknss before start [Tuomo]
    * building: overhaul of build system Makefiles (see mk/) [Andrew]
    * testing: docker test type support [Antony]
    * testing: test case updates/additions [Antony/Paul/Andrew/Matt]
    * testing: more FIPS support and --impair-force-fips option added [Paul]
    * NETKEY: Fix bare shunt management code to work properly for NETKEY [Paul/Hugh/Antony]
    * NETKEY: Increase netlink message buffer for larger SElinux labels [Paul]
    * NETKEY: kernel netlink decode and log policy expire message [Antony]
    * KLIPS: move udp_encap_enable() to not be within spinlock [Wolfgang]
    * KLIPS: ipsec_rcv_decap_ipip broken for IPv6 lsb#227 [Frank Schmirler]
    * KLIPS: Support for SHA2 via CryptoAPI [Wolfgang]
    * KLIPS: Support for sha2_truncbug [Wolfgang]
    * whack: New ipsec whack --purgeocsp [Matt]
    * whack: New ipsec whack --ddos-busy | --ddos-auto | --ddos-unlimited [Paul]
    * whack: New ipsec whack --globalstatus [Paul]
    * whack: New ipsec whack --shuntstatus [Paul]
    * whack: New ipsec whack --deleteid --name <id> [Antony]
    * whack: cleanup help text [Tuomo]
    * _stackmanager: Don't load blacklisted modules (rhbz#1207689) [Paul/Tuomo]
    * _stackmanager: Support for xfrmlifetime= ipsec.conf option [Paul]
    * _updown: add proxy arp for cases where routing won't work [Tuomo/Wolfgang]
    * Bugtracker bugs fixed:
      #260: libswan: extra safety around same_id() when ID_FROMCERT is used [Paul]
    
  • v3.14rc3

    FIPS fixes
    
  • v3.14rc2

    3.14rc2 with RFC7283 support
    
  • v3.14rc1

    3.14rc1 release candidate
    
  • v3.12

    d8da6bc7 · updated changes ·
    v3.12 (November 6, 2014)
    * IKEv2: CP payload now installs internal address and dns [Antony]
    * IKEv2: Don't try to decrypt if DH is incomplete [Antony]
    * IKEv2: If applicable, add a CERTREQ payload in IKE_SA_INIT response [Antony]
    * IKEv2: Fix parent I2 replace event delay [Antony]
    * IKEv2: Liveness fix for restarting instantiated connection [Antony]
    * IKEv2: Schedule expire instead of replace when rekey=no [Antony]
    * IKEv2: Zero out CP payload before sending [Antony]
    * IKEv2: Fix message id in create child sa response [Antony]
    * IKEv2: Don't try to instantiate unoriented connections [Antony]
    * XAUTH: Fix 2 missing breaks when deciding on sending ModeCFG payloads [Paul]
    * X509: Ensure that root CA does not end up in the ca_path list [Matt]
    * pluto: Cleanup DYNDNS code and other clang warnings [Hugh]
    * pluto: lswconf.c: getNSSPassword: fix bugs and tidy [Hugh]
    * pluto: check return value of ike_alg_register_enc for twofish/serpent [Paul]
    * pluto: fix various uninitialised variables in out_struct() calls [Paul/Hugh]
    * KLIPS: Fix missing breaks in spi command algo type parsing [Paul]
    * building: disable libcap-ng and NM support for OSX [Paul]
    
  • v3.11

    v3.11 (October 22, 2014)
    * x509: IKEv1 CA cert chain support with sendca option [Matt]
    * pluto: Fix mtu= option mangling introduced in 3.10 [Kim]
    * pluto: Fixes auto=start and auto=route with %defaultroute [Kim/Tuomo/Paul]
             (troubled in 3.9 and 3.10)
    * pluto: Don't register ESP_BLOWFISH [Paul]
    * pluto: ESP support for aes_xcbc [Paul]
    * pluto: ESP support for aes_ctr [Paul]
    * pluto: ESP support for camellia on NETKEY [Paul]
    * pluto: IKE support for aes_xcbc (pending NSS update) [Paul]
    * IKEv1: Default to DH Group 2 and 5 for initiating Aggressive Mode [Paul]
             (3.9 included DH 14 which was preferred, causing interop issues)
    * pluto: Force ESP_CAST to only allow 128 bit key sizes [Paul]
    * pluto: Log_crypto_workers threads did not use static bool first_time [Coverity]
    * pluto: Warn (not fail) on empty NSS private key passwords [Oskari Saarenmaa]
             - rhbz#1145231 (rhel7) and rhbz#1144941 (fedora)
    * pluto: Added PLUTO_IN_BYTES= / PLUTO_OUT_BYTES= for updown [Antony]
    * pluto: Handle list of certs from parse_pkcs7_cert [Hugh]
    * pluto: Fix --impair-retransmits IMPAIR code [Hugh]
    * pluto: separate SEND_V2_NOTIFICATION from SEND_NOTIFICATION [Hugh]
    * pluto: Various fixes/cleanups in algo registration functions [Paul/Hugh]
    * pluto: ah=null as a valid phase2alg for a connection [Paul]
    * pluto: Clean up complete_v*_state_transitions and related things [Hugh]
    * pluto: More crypto helper cleanup [Hugh]
    * NETKEY: Don't trust PF_KEY API to tell us about IPCOMP support [Paul]
    * KLIPS: ip_select_ident was backported to 3.2.63 [Bram]
    * IKEv2: Don't copy reserved ISAKMP flags in reply msg (rhbz#1052811) [Paul]
    * IKEv2: ISAKMP_FLAGS_v2_IKE_I was not always set on Original Initiator [Paul]
    * IKEv2: CP payload support for responder [Antony]
    * IKEv2: CREATE_CHILD_SA support for responder [Antony]
             (NON_ADDITIONAL_SAS stub removed)
    * systemd: Use After=network-online.target instead of network.target [Kim]
               - rhbz#1145245 (rhel7) and rhbz#1144832 (fedora)
    * systemd: Add Wants=network-online.target [Lukas Wunner]
    * addconn: Route before and after listen (bug introduced in 3.10) [Paul/Hugh]
    * rsasigkey: Use a version of jam_str instead of strcpy() for hostname [Paul]
    * IKEv2: CERTREQ payload should use SHA1 hash of DN instead of IKEv1 DN [Matt]
    * updown: Pluto should give CAP_NET_RAW to updown for iptables -t mangle [Paul]
    * _stackmanager: Fixed to work again with mawk [Marc-Christian Petersen/Tuomo]
    * testing: Many test case updates [Paul/Antony/Hugh/Matt]
    * Bugtracker bugs fixed:
      #206: Libreswan v3.10 on 32-bit does not work [Kim]
    
  • v3.10

    33a18041 · updated changes ·
    v3.10 (September 1, 2014)
    * XAUTH: New option: ipsec whack --traficstatus [Antony]
    * XAUTH: New option: ipsec --deleteuser --name xauth-username [Antony]
    * XAUTH: Do not strip "-" from XAUTH usernames [Paul]
    * _updown.netkey: New environment variable PLUTO_ADDTIME for IPsec SA's [Paul]
    * _updown.netkey: Don't skip routing if mtu= option is used [Tuomo]
    * NETKEY: protoport= installed broken swapped src/dst passthrough SA's [Antony]
    * NETKEY: fix names for RIPEMD160 and AES_CTR [Paul]
    * KLIPS: support 3.16+ kernels with update __ip_select_ident() [Thomas Geulig]
    * _stackmanager: KLIPS support for alias devices [Marc-Christian Petersen]
    * pluto: Simplify/tidy alg_info [Hugh]
    * pluto: Simplify find_host_connection() and terminate_connection() [Hugh]
    * pluto: Fix a leaking socket in whack [Hugh]
    * pluto: Combine same_dn() and match_dn() to avoid duplicate logic [Hugh]
    * pluto: Add strneq(); get rid of most remaining strncmp calls [Hugh]
    * pluto: Get rid of or document strcat, strncat, strcpy, etc [Hugh]
    * pluto: malloc/calloc/realloc/free tidying, including a few bug fixes [Hugh]
    * pluto: Fix memory allocation/free errors (especially in ike_frag) [Hugh/Paul]
             (triggered as of 3.9 when --leak-detective was used)
    * pluto: Various warning fixes from LLVM/Coverity [Hugh]
    * pluto: Don't listen before all connections are loaded [Paul]
             (this sub-optimal behaviour was introduced in 3.1)
    * cryptohelpers: cleanup and improved error logging [Hugh]
    * IKEv2: esp=/phase2alg= should be strict (bug introduced in 3.9) [Paul]
    * IKEv2: Don't abort all proposals when encountering unknown PRF [Hugh]
    * IKEv2: ikev2_parse_*_sa_body: stop matching after first success [Hugh]
    * IKEv2: Reject responder SA with multiple proposals [Hugh]
    * IKEv2: Enforce proposal numbering rules [Hugh]
    * IKEv2: first initiating XCHG of Original Responder is not a retransmit [Paul]
    * IKEv2: Don't respond to reply messages when parent SA was not found [Paul]
    * IKEv2: clarify O_responder/O_initiator and Request/Reply code [Paul]
    * IKEv2: Check received msgid is larger than previous before storing [Paul]
    * IKEv1: parse_ipsec_sa_body() did not allow newer AH transforms [Paul]
    * IKEv1: Add sha2 and aes_cbc support for ESP algo [Paul]
    * IKEv1: cap IKE lifetimes > 1d to 1d, instead of rejecting SA [Paul]
    * IKEv1: cisco-unity=yes now also sends VID when acting as VPN server
    * whack: Don't change exit status for RC_INFORMATIONAL* [Mike Gilbert]
    * rsasigkey: a logic error limited the randomness of the key size [Paul]
    * ipsec: create NSS DB on startup when missing [Paul]
    * ipsec: Added "ipsec --checknss" that creates-when-missing NSS DB [Paul]
    * verify: Make verify python3 compatible [Slavek Kabrda]
    * readwriteconf: Fix writing kt_invertbool's (like aggrmode=) [Paul]
    * testing: Obsoleted dotest.sh with dotest.py, speed increase [Antony]
    * testing: Added more test cases and general cleanup [Antony/Paul]
    * compiling: Fix ADNS without USE_DNSSEC compile [Tuomo]
    
  • v3.9

    Release version 3.9
    
  • v3.8

    v3.8 (January 15, 2014)
    * SECURITY: CVE-2013-6467 missing IKEv2 payloads causes restart [Iustina/Hugh]
    * building: Remove #ifdef DEBUG - always compile into userland [Paul]
    * IKEv2: Updated AUTH names to latest IANA registry entries [Paul]
    * pluto/whack: Added --impair-send-ikev2-ke test option [Paul]
    * pluto: allow shutdown command even with bad WHACK_BASIC_MAGIC [Paul]
    * addconn: ignore obsoleted --defaultroute and --defaultroutenexthop [Paul]
    * Various code cleanup [Hugh]
    * initscripts: sysv should try harder to kill pluto without ctl file [Tuomo]
    * gentoo: fixes to build and init system on Gentoo [Mike Gilbert]
    * KLIPS: fix NAT-T status in eroute output [Paul]
    * pluto: updated ietf_constants.h with IANA entries [Paul]
    * IKE: Make sure sha2 is an alias for sha2_256 for ike= and esp= [Hugh/Paul]
    * Bugtracker bugs fixed:
      #171: showhostkey.c:322: bad switch statement
    
  • v3.6

    2c75abed · updated changes ·
    * IKEv2: Fix interoperability bug in SKEYSEED generation [Paul/Hugh/Antony]
    * IKEv2: Add liveness checks (a.k.a DPD for IKEv2) [Matt Rogers]
    * IKEv2: ikev2=insist allowed ikev1 when acting as responder [Matt Rogers]
    * IKEv2: Fix fallback to ikev1 when remote has ikev2=no [Paul]
    * IKEv1: Cleanup AGGR Mode VendorID - also send fragmentation vid [Paul]
    * IKEv1: Added cisco_unity= (default no) option which sends VID [Paul]
    * IKEv1: Fix compatibility with NAT-T and remote_peer_type=cisco [Paul]
    * IKEv1: dpdaction=restart_by_peer is now called dpdaction=restart [Paul]
    * IKEv1: Added support for modecfgbanner= and modecfgdomain= [Paul]
    * IKE: introduce ikepad=yes|no (default yes) for Checkpoint interop [David]
    * pluto: work around for Cisco VPN clients sending extraneous bytes [Paul/Hugh]
    * pluto: Support for google-authenticator OTP via pam [Paul]
    * pluto: fix kernel.c typo in word outgoing [Tuomo]
    * pluto: remove dsa/elgamal stubs from gnupg that were unused [Paul]
    * pluto: Added per conn priority= to specify kernel IPsec SA priority [Paul]
    * keyword: auto=route and ipsec auto --route renamed to "ondemand" [Paul]
    * NETKEY/BSD: Added per conn reqid= to specify kernel IPsec SA [Paul]
                  (based on idea by Panagiotis Tamtamis)
    * pluto: %fromcert now works for local certs and those received via IKE [Matt]
    * pluto: Allow \\ masking in RDNs similar to ,, [Matt Rogers]
    * pluto: merge updateresolvconf/restoreresolv.conf in client-up|down [Paul]
    * building: Removed USE_MODP_RFC5114 flag. Support is always added [Paul]
    * building: Removed USE_AGGRESSIVE flag. Support is always added [Paul]
    * building: Removed USE_XAUTH flag, Support is always added [Paul]
    * building: Removed MODECFG* flags, Support is always added [Paul]
    * building: Remove blowfish (use twofish instead) [Paul]
    * building: Generate Makefile depend files automatically [Tuomo]
    * building: Add support for openrc initsystem on Alpine Linux [Paul]
    * packaging: spec files now initialise NSS DB when not found [Paul]
    * NETKEY: Take protoport= into account when setting IPsec SA priority [Paul]
    * NETKEY: Change Update SA to Add SA when existing SA is not found [Mattias]
    * NETKEY: Fix Labeled IPsec (broken in openswan 2.6.33) [Paul]
    * KLIPS: Support for 3.10+ kernels (/proc use via seq_* functions) [David]
    * Changed HAVE_STATSD compile option to statsbin= runtime option [Paul]
    * sysvinit: status function used incorrect variable for pid file [Tuomo]
    * _stackmanager: coding style cleanup - fixes bashism [Tuomo]
    * testing: Various interop test case updates [Paul]
    * FIPS: Support versioned hmac files, fips test in non-fips mode [Paul]
    * rsasigkey/newhostkey: Keysize for new RSA keys increased from 2192
      to randomised 3072-4096 (in blocks of 16) to fight keysize monoculture [Paul]
    * Removed unused and unmaintained USE_TAPROOM functionality [Paul]
    * NAT-T: Added 100.64.0.0/10 from RFC 6598 to virtual_private [Paul]
    * NSS: pluto should now open NSS files in readwrite, just read [Paul]
    * Bugtracker bugs fixed:
      #130: debian debuild creates a deb with /usr/libexec contents
            [Marc-Christian Petersen]
      #145: support old location of /selinux/enforce still in use by CentOS6 [Paul]
    
  • v3.5

    aba60a4f · fix typo in changes ·
    v3.5 (July 13, 2013)
    * NETKEY: _stackmanager: Clear disable_xfm/disable_policy /proc files
              for labeled IPsec [Paul]
    * KLIPS: Added support for kernel 3.9.x [Paul/David]
    * KLIPS: NATT support for kernel 3.5+ needs udp_encap_enable() [David]
    * KLIPS: pointer can look valid during free process [Unknown/David]
    * KLIPS: change default for hidetos (quality of service) to yes [Paul]
    * KLIPS: preliminary SHA2 family support via OCF/CryptoAPI [David]
    * MAST: _stackmanager: bring mast0 up even if module was loaded [neoXite]
    * MAST: Add support for IPv6 iptables mangle table in updown.mast [Paul]
    * _stackmanager: Move iptables mangle rules to MAST only section [Paul]
    * _stackmanager: re-add support for hidetos=, overridemtu= and fragicmp= [Paul]
    * _stackmanager: Clear disable_xfm/disable_policy for labeled IPsec [Paul]
    * pluto: Fix reading ipsec.secrets without trailing newline [Hugh]
    * pluto: 'ipsec status' output changes, added 'config setup' items [Paul]
    * pluto: Added config setup, compile paths, runtime info to ipsec status [Paul]
    * pluto: removed IKE_ALG and KERNEL_ALG defines [Paul]
    * pluto: Simplify Pluto_IsFIPS(), remove redundant log message [Paul]
    * pluto: Added Pluto_IsSElinux() to log SElinux runtime status [Paul]
    * pluto: Removed unused alg_info parameters permitmann and permitike [Paul]
    * pluto: Fix STATE_XAUTH_R0/STATE_XAUTH_R1 state names [Paul]
    * pluto: out_modify_previous_np() should allow ISAKMP_NEXT_SIG for RSA [Paul]
    * building: cleanup old vars, and allow more env overrides [Paul]
    * packaging: Fix systemd script Alias target (rhbz#982166) [Paul]
    * newhostkey: help the user when nssdb is not initialized yet [Paul]
    * newhostkey: simplify default nss dir handling [Paul]
    * lswan_detect: cleanup coding style and fix help for unknown options [Tuomo]
    * lswan_detect: add gentoo detection [Tuomo]
    * setup: add rhsysv, openrc, and real sysv init support [Tuomo]
    * barf: do not cause any iptables modules to get loaded (rhbz#954249) [Paul]
    * look: Don't cause loading of iptables kernel modules (rhbz#954249) [Paul]
    * FIPS: Remove hardcoded /usr/libexec/ipsec path, use IPSEC_EXECDIR [Paul]
    * FIPS: Add warning in ipsec verify for prelink command [Paul]
    * testing: Add option for "post" scripts during a test run [Matt Rogers]
    * testing: dist_cert support for commands in different path locations [Matt]
    * testing: Generate CRL with leading zero byte for testing [Paul]
    * Bugtracker bugs fixed:
       #82: Phase out DBG_KLIPS/DBG_NETKEY for DBG_KERNEL [Paul]
       #96: lswan_detect: Alpine linux compatibility [Tuomo]
       #99: NETKEY: Segfault on acquire_netlink with labeled_ipsec [Kim/Tuomo]
      #101: restore port when ipsec policy is generated for nat-t [Kim/Tuomo]
      #124: pluto: Add usage comment for addresspool.* [Paul]
      #126: pluto: nhelpers= does not default to -1 [Paul]
      #128: pluto: prevent libcurl sigalarm from crashing pluto (lsbz#128) [Paul]
    
  • v3.4

    bf262dbf · * update changes ·
    v3.4 (June 6, 2013)
    * Change coding style to Linux kernel [Team]
    * IN MEMORIAM: June 3rd, 2013 Hugh Daniel
    
  • v3.3

    v3.3 (May 13, 2013)
    * SECURITY: atodn() buffer overflow with oe=yes [Florian/Hugh/Paul]
                affected: libreswan 3.0 and 3.1 (CVE-2013-2053)
                see also: openswan up to 2.6.38 (CVE-2013-2052)
                see also: strongswan up to 4.3.4 (CVE-2013-2054)
    * security: dn_parse(), hex_str() write beyond end of the buffer [Florian]
    * security: get_rnd_bytes: Abort on random number generator failure [Florian]
    * security: Integer overflow if the leak detective enabled [Florian]
    * security: Check that origin of netlink message is the kernel [Florian]
    * security: Abort on crypto failure for 3des/aes to prevent leaks [Florian]
    * security: Check PK11_CreateContextBySymKey() for NULL and SECFailure [Paul]
    * security: RSA: Check modulus length against key overall length [Florian]
    * security: fetch_curl: Set timeout for the entire request [Florian]
    * security: Multiple hardening fixes from security audit [Florian Weimer]
    * security: Cleanup buffer usage for traffic logging with XAUTH [Hugh]
    * security: Cleanup ASN1_BUF_LEN use and remove unused load_host_cert() [Paul]
    * security: cleanup CFLAGS handling [Paul]
    * security: IKEv2 crashed when using nhelpers=0 [Paul]
    * security: Remove stale non-NSS ASN1 handling and pem decryption code [Paul]
    * security: Initial loading of file CRL fails for NSS CAs  [Matt Rogers]
                (rhbz#960171)
    * security: Removal of USE_WEAKSTUFF and USE_NOCRYPTO (1DES, modp768) [Paul]
    * security: Removal of 1DES for KLIPS using CryptoAPI [Paul]
    * security: Cleanup of ASN1_BUF_LEN/BUF_LEN/PATH_MAX defines [Paul]
    * pluto: Add support for OID_SHA224_WITH_RSA signatures [Paul]
    * pluto: Always list section headers --list* calls, even when empty [Paul]
    * X509: Fix for CRL sig failure if first byte is zero [Dhr/Matt/Paul]
            (rhbz#958969)
    * _stackmanager: fix loading of aes-x86_64 module [Tuomo]
    * Bugtracker bugs fixed:
       #64: removal of /dev/*random everywhere put feeding nss pools [Paul]
       #90: NETKEY: Transport mode inbound eroute was from client [Kim/Tuomo]
       #91: SAREF: Patches updated for 3.4.x (tested on 3.4.42) [Andreas Herz]
    
  • v3.1

    3.1 release
    
  • v2.6.38

    1639ae50 · update CHANGES ·
    * DPD: seq_no logged after hton() call [Shinichi Furuso]
    * DPD: With multiple phase 2 SAs, we sent too many [Shinichi Furuso]
      R_U_THERE's
    * barf: iptables-save on suse is in /usr/sbin, not /sbin [Paul/Shinichi]
    * SUSE: Package compliant with Kernel Module Package Manual [Shinichi Furuso]
    * verify: fix false positive on IP forwarding (perl dependent) [Steve Delaney]
    * IKEv2: Introduced new keyword narrowing=yes|no [Paul]
    * IKEv2: Send TS_UNACCEPTABLE when narrowing would violate local policy [Paul]
    * IKEv2: Fix for multiple SAs to the same peer with different ports [Avesh]
    * IKEv2: IKE-SA_INIT with INVALID_KE_PAYLOAD Notify Payload should
             continue [Avesh]
    * IKEv2: incorrectly sent PAYLOAD_MALFORMED on unknown minor version [Avesh]
    * IKEv2 should ignore unknown RESERVED bits in payload [Avesh]
    * IKEv2: Implement sending higher IKEv2 major and minor versions [Paul]
    * IKEv2: Delete SA states added to state machine [Avesh]
    * IKEv2: Informational Exchange added [Avesh]
    * hostpair: initial_connection_sent was never set to not FALSE [Avesh]
    * Crypto: handle leading zeroes in DH keys [Avesh]
    * Add PLUTO_IS_PEER_CISCO= to updown scripts [Avesh]
    * XFRM: update userland copies of xfrm.h netlink.h rtnetlink.h [Paul/Avesh]
    * SHA2 fix when pluto is compiled without USE_EXTRACRYPTO [Paul/Tuomo]
    * SHA2: Fix for Linux kernel using bad sha2_256 truncation (96 instead of 128)
      (to get the old behaviour for interop, specify sha2_truncbug=yes) [Paul]
    * Fix two format string buglets [Moritz Muehlenhoff]
    * XAUTH: Support unbound as local resolver in remote_peer_type=cisco [Paul]
    * NATT: Fix iphone/iOS by removing outdated OSX NAT-T workarounds [Paul]
    * SAREF: kernel patches updated to linux 3.0.0 [Jonathon Padfield]
    * SAREF: fix all patch versions to use new numbers for SAREF [Paul]
    * Fix various compiler warnings in lib, pluto and ikeping [dhr]
    * Various ESP_* and AH_* fixes/updates from IANA [Paul]
    * Fix authalg in esp_info to be u_int16_t, not u_int8_t [Paul]
    * Debian: Various debian packaging fixes [Simon]
    * KLIPS: Fix crasher on returning -ENODEV from ppp devices [David]
    * XAUTH: Support dynamic config update for unbound DNSSEC resolver [Paul/Tuomo]
    * Remove non-iproute2 version of _updown.klips and its USE_IPROUTE2 [Paul]
    * Bugtracker bugs fixed:
       #1263 /usr/lib/ipsec/_startnetkey selects wrong default gateway if there
             are multiple [Petr Tichy]
       #1314 update the updateresolvconf routines to be able to reconfigure
             locally running unbound [Paul]
       #1322 get rid of unused bucketno argument in state_hash [Paul]
       #1326 0001-SAREF patch not compiling on 3.0.0 [Jonathon Padfield]
    
  • v2.6.38rc1

    8c02060f · updated CHANGES ·
    2.6.38 release candidate 1.
    
    Large bugfix releases, focus on IKEv2 and NAT/OSX fixes