See also https://libreswan.org/

v3.10 (August 27, 2014)
* XAUTH: New option: ipsec whack --traficstatus [Antony]
* XAUTH: New option: ipsec --deleteuser --name xauth-username [Antony]
* XAUTH: Do not strip "-" from XAUTH usernames [Paul]
* _updown.netkey: New environment variable PLUTO_ADDTIME for IPsec SA's [Paul]
* _updown.netkey: Don't skip routing if mtu= option is used [Tuomo]
* NETKEY: protoport= installed broken swapped src/dst passthrough SA's [Antony]
* NETKEY: fix names for RIPEMD160 and AES_CTR [Paul]
* KLIPS: support 3.16+ kernels with updated __ip_select_ident() [Thomas Geulig]
* _stackmanager: KLIPS support for alias devices [Marc-Christian Petersen]
* pluto: Simplify/tidy alg_info [Hugh]
* pluto: Simplify find_host_connection() and terminate_connection() [Hugh]
* pluto: Fix a leaking socket in whack [Hugh]
* pluto: Combine same_dn() and match_dn() to avoid duplicated logic [Hugh]
* pluto: Add strneq(); get rid of most remaining strncmp calls [Hugh]
* pluto: Get rid of or document strcat, strncat, strcpy, etc [Hugh]
* pluto: malloc/calloc/realloc/free tidying, including a few bug fixes [Hugh]
* pluto: Fix memory allocation/free errors (especially in ike_frag) [Hugh/Paul]
  (triggered as of 3.9 when --leak-detective was used)
* pluto: Various warning fixes from LLVM/Coverity [Hugh]
* pluto: Don't listen before all connections are loaded [Paul]
  (this sub-optimal behaviour was introduced in 3.1)
* cryptohelpers: cleanup and improved error logging [Hugh]
* IKEv2: esp=/phase2alg= should be strict (bug introduced in 3.9) [Paul]
* IKEv2: Don't abort all proposals when encountering unknown PRF [Hugh]
* IKEv2: ikev2_parse_*_sa_body: stop matching after first success [Hugh]
* IKEv2: Reject responder SA with multiple proposals [Hugh]
* IKEv2: Enforce proposal numbering rules [Hugh]
* IKEv2: first initiating XCHG of Original Responder is not a retransmit [Paul]
* IKEv2: Don't respond to reply messages when parent SA was not found [Paul]
* IKEv2: clarify O_responder/O_initiator and Request/Reply code [Paul]
* IKEv2: Check received msgid is larger than previous before storing [Paul]
* IKEv1: parse_ipsec_sa_body() did not allow newer AH transforms [Paul]
* IKEv1: Add sha2 and aes_cbc support for ESP algo [Paul]
* IKEv1: cap IKE lifetimes > 1d to 1d, instead of rejecting SA [Paul]
* whack: Don't change exit status for RC_INFORMATIONAL* [Mike Gilbert]
* rsasigkey: a logic error limited the randomness of the key size [Paul]
* ipsec: create NSS DB on startup when missing [Paul]
* ipsec: Added "ipsec --checknss" that creates-when-missing NSS DB [Paul]
* verify: Make verify python3 compatible [Slavek Kabrda]
* readwriteconf: Fix writing kt_invertbool's (like aggrmode=) [Paul]
* testing: Obsoleted dotest.sh with dotest.py, speed increase [Antony]
* testing: Added more test cases and general cleanup [Antony/Paul]
* compiling: Fix ADNS without USE_DNSSEC compile [Tuomo]

v3.9 (July 9, 2014)
* Documentation: cleanup of README.* and docs/* [Paul]
* libswan: Cleanup allocation and certificate handling functions [Hugh]
* libswan: Introduce add_str() to replace abused strncat() [Hugh]
* libswan: Complain when loading connection with expired certificate [Paul]
* libswan: Some error messages did not make it to the whack log (user) [Paul]
* pluto: STF_TOOMUCHCRYPTO handling should not delete the state [Paul/Hugh]
* pluto: Default cipher keysize is now RFC compliant 128 (not 256) [Paul]
* pluto: Allow sha2 as an alias for sha2_256 [Paul/Matt]
* pluto: Allow more DBG_* and IMPAIR options [Hugh]
* pluto: Some enc transforms did not send KEY LENGTH for default key size [Paul]
* pluto: Ensure required KEY_LENGTH attributes for some ciphers are sent [Paul]
* pluto: Default ESP key size was "max" instead of "default" [Paul/Hugh]
* pluto: Bogus keysizes (eg 3des666) were not rejected at IKE level [Paul/Hugh]
* pluto: esp=aes now accepts both aes128 and aes256 [Paul/Hugh]
* pluto: ipsec status did not display "000" for ESP default size [Paul]
* pluto: ipsec status did not print IKE algo separator (",") [Paul]
* pluto: ipsec status no longer prints remote nexthop when oriented [Paul]
* pluto: sa_copy_sa_first() memory leak fixed [Hugh]
* pluto: Improved exponential backoff in message retransmission [Hugh]
* pluto: timer.c simplifications and improvements for monotonic time [Hugh]
* pluto: Cleanup and document wire_chunk crypto helper code [Hugh]
* pluto: rename program files using proper ikev[12]_* prefixes [Paul]
* pluto: Don't load certs via load_acerts() from /etc/ipsec.d/acerts/ [Paul]
* pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]
* pluto: Remove unused libaes/libdes/liblswcrypto [Paul]
* pluto: Print proper cipher/algo/modp groups in phase1/parent SA [Paul]
* pluto: Various IANA updates to ipsec/ike/ikev2 registries [Paul]
* pluto: STF_TOOMUCHCRYPTO could cause double delete of state [Hugh]
* pluto: Alias "sha" to "sha1" for ike= and esp= [Matt]
* pluto: Simplify/cleanup NSS and cryptohelper code [Hugh]
* pluto: pluto_crypt.c used non-thread-safe strerror() [Hugh]
* pluto: ensure addconn thread uses the same ctlbase as pluto did [Paul]
* pluto: LEAK_DETECTIVE is now a runtime --leak-detective pluto option [Paul]
* pluto: Add modp2048 to default proposal list [Paul]
* pluto: oakley_alg_makedb() algo preference picking fixed [Paul/Hugh]
* pluto: Added --impair-send-key-size-check for testing [Paul]
* pluto: Make timer.c code IKE version independent [Antony]
* addconn: Default gateway finding logic fixes [Wolfgang]
* addconn: Only resolve %defaultroute using the main routing table [Wolfgang]
* addconn: ensure expired certificates show clearly over whack
* NATT: Added nat-ikev1-method=drafts|rfc|both to work around buggy Ciscos [Paul]
* NATT: non port-floating (4500) NATT draft support removed [Paul]
* NATT: Change order of NATT payloads to accommodate racoon sensitivity [Paul]
* NATT: ignore incoming ISAKMP_NEXT_SAK (AKA ISAKMP_NEXT_NATD_BADDRAFTS) [Paul]
* NATT: Added IKEv2 NAT-Traversal support [Antony]
* XAUTH: Cleanup code [Hugh]
* XAUTH: Workaround for Android bug sending trailing NULL with password [Hugh]
* XAUTH: Improved logging and output for automated processing (eg for NM) [Paul]
* XAUTH: Hand out previously given IP lease to same client on reconnect [Antony]
* DPD: openbsd isakmpd bug workaround for duplicate DPD seqno [Paul]
* IKEv1: aggr mode: print names of ignored proposals part [Paul]
* IKEv1: rename init_am_st_oakley() to init_aggr_st_oakley() [Paul]
* IKEv2: Rekey / Delete event scheduling fixes [Antony]
* IKEv2: liveness (DPD) fix msgid handling for Informational XCHG [Matt]
* IKEv2: Improved RESPONDER_TIMEOUT logic [Antony]
* IKEv2: Extend smc with SMF2_CONTINUE_MATCH for cookie state matching [Hugh]
* IKEv2: handle DDOS cookie without creating state and using memory [Hugh]
* IKEv2: Fix IS_IPSEC_SA_ESTABLISHED macro to include IKEv2 [Antony]
* IKEv2: CREATE_CHILD_SA exchange can return NO_ADDITIONAL_SAS [Antony]
* IKEv2: Lingering states were never cleaned up [Antony]
* IKEv2: Support Authentication Header ("AH") [Hugh]
* IKEv2: don't call dpd_active_locally() on an undefined state [Paul]
* IKEv2: Return proper message to the user when our RSA/PSK is missing [Paul]
* IKEv2: Always add SAi TSi TSr in I2 to allow IKE SA Reauthentication [Antony]
* IKEv2: When deleting CHILD_SA without an IKE SA don't try to send v2D [Antony]
* IKEv2: Fix process_informational_ikev2() for Delete payloads [Paul/Hugh]
* IKEv2: Improved logging of IKEv2 transform IDs [Hugh]
* pluto/whack: Allow shutdown command for different MAGIC [Paul]
* NSS: Changed PR_ASSERT() calls to passert() calls [Paul]
* NSS: ipsec initnss can now take a non-default location [Paul]
* newhostkey: Return proper error codes, no longer allow stdin [Paul]
* OCF: ipsec_ocf_cbimm KLIPS option was always ignored by mistake [Hugh]
* OCF: Remove obsoleted HAVE_OCF support for IKE acceleration [Paul]
  (kernel OCF support is still available and supported)
* NETKEY: esp=cast failed due to wrong crypto identifier [Paul]
* KLIPS: SAref patches for Ubuntu kernel 3.11.0-15.25 [Simon Deziel]
* KLIPS: Improved support for various 3.x Linux kernels [various]
* KLIPS: support for CONFIG_USER_NS [Matt]
* _stackmanager: only unload stack when switching (rhbz#1025687) [Paul/Tuomo]
* building: remove LIBDIR as we install all programs in LIBEXECDIR [Tuomo]
* packaging: NSS fixups for deb packaging [mountaincat]
* testing: a LOT of test case updates [many people]
* Bugfixes for better C-library compatibility with "musl" [Hugh/Paul]
* Bugtracker bugs fixed:
  #67: uniqueids: don't compare ipv4 and ipv6 addresses [Tuomo]
  #86: left=%defaultroute does not work in a conn [Hugh/Paul]

v3.8 (January 15, 2014)
* SECURITY: CVE-2013-6467 missing IKEv2 payloads causes restart [Iustina/Hugh]
* building: Remove #ifdef DEBUG - always compile into userland [Paul]
* IKEv2: Updated AUTH names to latest IANA registry entries [Paul]
* pluto/whack: Added --impair-send-ikev2-ke test option [Paul]
* pluto: allow shutdown command even with bad WHACK_BASIC_MAGIC [Paul]
* addconn: ignore obsoleted --defaultroute and --defaultroutenexthop [Paul]
* Various code cleanup [Hugh]
* initscripts: sysv should try harder to kill pluto without ctl file [Tuomo]
* gentoo: fixes to build and init system on Gentoo [Mike Gilbert]
* KLIPS: fix NAT-T status in eroute output [Paul]
* pluto: updated ietf_constants.h with IANA entries [Paul]
* IKE: Make sure sha2 is an alias for sha2_256 for ike= and esp= [Hugh/Paul]
* Bugtracker bugs fixed:
  #171: showhostkey.c:322: bad switch statement

v3.7 (December 10, 2013)
* SECURITY: CVE-2013-4564 Denial of service via unauth packet [Paul/Hugh]
* SECURITY: fix insecure tmp file in rpm %post - introduced in 3.6 [Tuomo]
* SECURITY: Properly handle IKEv2 I1 notification without KE payload [Paul]
* IKE: aes_gcm and aes_ccm now specify key size without salt [Paul/Hugh]
* NETKEY: Added twofish and serpent as valid ESP algorithms [Paul]
* KLIPS: Fix for crashes in ipsec_xmit_ipip() [Thomas/Roel/David]
* KLIPS: Fix NAT-T (NEED_UDP_ENCAP_ENABLE) for 3.4 kernel [Roel]
* KLIPS: Fix compiling for 3.9 kernels (PDE_DATA fix) [Paul]
* KLIPS: Claim we do namespaces - makes it work on simple host case [Paul]
* IKEv2: Add support for AES-GCM, AES-CCM [Paul/Hugh]
* IKEv2: Check for inbound traffic before sending liveness exchange [Matt]
* IKEv2: Fix some error codes that mistakenly used IKEv1 versions [Paul]
* IKEv2: in R1 don't copy their IKEv2 minor for our reply packet [Paul]
* IKEv2: Don't kill unrelated states on same hash chain in IKE DEL [Hugh]
* pluto: change ipsec_notification_names to ikev[12]_notify_names [Paul]
* pluto: Various cleanup and reducing scope of variables [Hugh]
* building: support for slackware version/init system detection [Roel]
* rsasigkey: Remove spurious debug line confusing ipsec showhostkey [Paul]
  (rhbz#1039655)
* initsystems: fix typo in openrc script [Natanael Copa]
* testing: KVM test system updates [Paul]
* secrets: Log glob failing for secrets parser as warning, not error [Paul]
* setup: fix systemd init detection [Tuomo]
* labeled ipsec: Set default value of secctx_attr_value to 32001 [Paul]
  (rhbz#923250)
* barf: don't load l2tp kernel modules and use new syntax (rhbz#1033191) [Paul]
* Bugtracker bugs fixed:
  #116: Don't load connections when leftcert= cert not found in NSS DB [Matt]

v3.6 (October 30, 2013)
* IKEv2: Fix interoperability bug in SKEYSEED generation [Paul/Hugh/Antony]
* IKEv2: Add liveness checks (a.k.a DPD for IKEv2) [Matt Rogers]
* IKEv2: ikev2=insist allowed ikev1 when acting as responder [Matt Rogers]
* IKEv2: Fix fallback to ikev1 when remote has ikev2=no [Paul]
* IKEv1: Cleanup AGGR Mode VendorID - also send fragmentation vid [Paul]
* IKEv1: Added cisco_unity= (default no) option which sends VID [Paul]
* IKEv1: Fix compatibility with NAT-T and remote_peer_type=cisco [Paul]
* IKEv1: dpdaction=restart_by_peer is now called dpdaction=restart [Paul]
* IKEv1: Added support for modecfgbanner= and modecfgdomain= [Paul]
* IKE: introduce ikepad=yes|no (default yes) for Checkpoint interop [David]
* pluto: work around for Cisco VPN clients sending extraneous bytes [Paul/Hugh]
* pluto: Support for google-authenticator OTP via pam [Paul]
* pluto: fix kernel.c typo in word outgoing [Tuomo]
* pluto: remove dsa/elgamal stubs from gnupg that were unused [Paul]
* pluto: Added per conn priority= to specify kernel IPsec SA priority [Paul]
* keyword: auto=route and ipsec auto --route renamed to "ondemand" [Paul]
* NETKEY/BSD: Added per conn reqid= to specify kernel IPsec SA [Paul]
  (based on idea by Panagiotis Tamtamis)
* pluto: %fromcert now works for local certs and those received via IKE [Matt]
* pluto: Allow \\ masking in RDNs similar to ,, [Matt Rogers]
* pluto: merge updateresolvconf/restoreresolv.conf in client-up|down [Paul]
* building: Removed USE_MODP_RFC5114 flag. Support is always added [Paul]
* building: Removed USE_AGGRESSIVE flag. Support is always added [Paul]
* building: Removed USE_XAUTH flag. Support is always added [Paul]
* building: Removed MODECFG* flags. Support is always added [Paul]
* building: Remove blowfish (use twofish instead) [Paul]
* building: Generate Makefile depend files automatically [Tuomo]
* building: Add support for openrc initsystem on Alpine Linux [Paul]
* packaging: spec files now initialise NSS DB when not found [Paul]
* NETKEY: Take protoport= into account when setting IPsec SA priority [Paul]
* NETKEY: Change Update SA to Add SA when existing SA is not found [Mattias]
* NETKEY: Fix Labeled IPsec (broken in openswan 2.6.33) [Paul]
* KLIPS: Support for 3.10+ kernels (/proc use via seq_* functions) [David]
* Changed HAVE_STATSD compile option to statsbin= runtime option [Paul]
* sysvinit: status function used incorrect variable for pid file [Tuomo]
* _stackmanager: coding style cleanup - fixes bashism [Tuomo]
* testing: Various interop test case updates [Paul]
* FIPS: Support versioned hmac files, fips test in non-fips mode [Paul]
* rsasigkey/newhostkey: Keysize for new RSA keys increased from 2192 to
  randomised 3072-4096 (in blocks of 16) to fight keysize monoculture [Paul]
* Removed unused and unmaintained USE_TAPROOM functionality [Paul]
* NAT-T: Added 100.64.0.0/10 from RFC 6598 to virtual_private [Paul]
* NSS: pluto should not open NSS files in readwrite, just read [Paul]
* Bugtracker bugs fixed:
  #130: debian debuild creates a deb with /usr/libexec contents [Marc-Christian Petersen]
  #145: support old location of /selinux/enforce still in use by CentOS6 [Paul]

v3.5 (July 13, 2013)
* NETKEY: _stackmanager: Clear disable_xfm/disable_policy /proc files for labeled IPsec [Paul]
* KLIPS: Added support for kernel 3.9.x [Paul/David]
* KLIPS: NATT support for kernel 3.5+ needs udp_encap_enable() [David]
* KLIPS: pointer can look valid during free process [Unknown/David]
* KLIPS: change default for hidetos (quality of service) to yes [Paul]
* KLIPS: preliminary SHA2 family support via OCF/CryptoAPI [David]
* MAST: _stackmanager: bring mast0 up even if module was loaded [neoXite]
* MAST: Add support for IPv6 iptables mangle table in updown.mast [Paul]
* _stackmanager: Move iptables mangle rules to MAST only section [Paul]
* _stackmanager: re-add support for hidetos=, overridemtu= and fragicmp= [Paul]
* _stackmanager: Clear disable_xfm/disable_policy for labeled IPsec [Paul]
* pluto: Fix reading ipsec.secrets without trailing newline [Hugh]
* pluto: 'ipsec status' output changes, added 'config setup' items [Paul]
* pluto: Added config setup, compile paths, runtime info to ipsec status [Paul]
* pluto: removed IKE_ALG and KERNEL_ALG defines [Paul]
* pluto: Simplify Pluto_IsFIPS(), remove redundant log message [Paul]
* pluto: Added Pluto_IsSElinux() to log SElinux runtime status [Paul]
* pluto: Removed unused alg_info parameters permitmann and permitike [Paul]
* pluto: Fix STATE_XAUTH_R0/STATE_XAUTH_R1 state names [Paul]
* pluto: out_modify_previous_np() should allow ISAKMP_NEXT_SIG for RSA [Paul]
* building: cleanup old vars, and allow more env overrides [Paul]
* packaging: Fix systemd script Alias target (rhbz#982166) [Paul]
* newhostkey: help the user when nssdb is not initialized yet [Paul]
* newhostkey: simplify default nss dir handling [Paul]
* lswan_detect: cleanup coding style and fix help for unknown options [Tuomo]
* lswan_detect: add gentoo detection [Tuomo]
* setup: add rhsysv, openrc, and real sysv init support [Tuomo]
* barf: do not cause any iptables modules to get loaded (rhbz#954249) [Paul]
* look: Don't cause loading of iptables kernel modules (rhbz#954249) [Paul]
* FIPS: Remove hardcoded /usr/libexec/ipsec path, use IPSEC_EXECDIR [Paul]
* FIPS: Add warning in ipsec verify for prelink command [Paul]
* testing: Add option for "post" scripts during a test run [Matt Rogers]
* testing: dist_cert support for commands in different path locations [Matt]
* testing: Generate CRL with leading zero byte for testing [Paul]
* Bugtracker bugs fixed:
  #82: Phase out DBG_KLIPS/DBG_NETKEY for DBG_KERNEL [Paul]
  #96: lswan_detect: Alpine linux compatibility [Tuomo]
  #99: NETKEY: Segfault on acquire_netlink with labeled_ipsec [Kim/Tuomo]
  #101: restore port when ipsec policy is generated for nat-t [Kim/Tuomo]
  #124: pluto: Add usage comment for addresspool.* [Paul]
  #126: pluto: nhelpers= does not default to -1 [Paul]
  #128: pluto: prevent libcurl sigalarm from crashing pluto (lsbz#128) [Paul]

v3.4 (June 6, 2013)
* Change coding style to Linux kernel [Team]
* IN MEMORIAM: June 3rd, 2013 Hugh Daniel

v3.3 (May 13, 2013)
* SECURITY: atodn() buffer overflow with oe=yes [Florian/Hugh/Paul]
  affected: libreswan 3.0 and 3.1 (CVE-2013-2052)
  see also: openswan up to 2.6.38 (CVE-2013-2053)
  see also: strongswan up to 4.3.4 (CVE-2013-2054)
* security: dn_parse(), hex_str() write beyond end of the buffer [Florian]
* security: get_rnd_bytes: Abort on random number generator failure [Florian]
* security: Integer overflow if the leak detective is enabled [Florian]
* security: Check that origin of netlink message is the kernel [Florian]
* security: Abort on crypto failure for 3des/aes to prevent leaks [Florian]
* security: Check PK11_CreateContextBySymKey() for NULL and SECFailure [Paul]
* security: RSA: Check modulus length against key overall length [Florian]
* security: fetch_curl: Set timeout for the entire request [Florian]
* security: Multiple hardening fixes from security audit [Florian Weimer]
* security: Cleanup buffer usage for traffic logging with XAUTH [Hugh]
* security: Cleanup ASN1_BUF_LEN use and remove unused load_host_cert() [Paul]
* security: cleanup CFLAGS handling [Paul]
* security: IKEv2 crashed when using nhelpers=0 [Paul]
* security: Remove stale non-NSS ASN1 handling and pem decryption code [Paul]
* security: Initial loading of file CRL fails for NSS CAs [Matt Rogers]
  (rhbz#960171)
* security: Removal of USE_WEAKSTUFF and USE_NOCRYPTO (1DES, modp768) [Paul]
* security: Removal of 1DES for KLIPS using CryptoAPI [Paul]
* security: Cleanup of ASN1_BUF_LEN/BUF_LEN/PATH_MAX defines [Paul]
* pluto: Add support for OID_SHA224_WITH_RSA signatures [Paul]
* pluto: Always list section headers for --list* calls, even when empty [Paul]
* X509: Fix for CRL sig failure if first byte is zero [Dhr/Matt/Paul]
  (rhbz#958969)
* _stackmanager: fix loading of aes-x86_64 module [Tuomo]
* Bugtracker bugs fixed:
  #64: removal of /dev/*random everywhere but feeding nss pools [Paul]
  #90: NETKEY: Transport mode inbound eroute was from client [Kim/Tuomo]
  #91: SAREF: Patches updated for 3.4.x (tested on 3.4.42) [Andreas Herz]

v3.2 (April 13, 2013)
* addresspool: Identify reconnecting client and re-use lease [Antony]
* IKEv1: Support for sending initial_contact in Main Mode [Paul]
* addconn: improve defaultroute finder [Kim]
* compiling: make use of variables in buildsystem consistent [Tuomo]
* ipsec: fix syntax error in --help introduced in 3.1 [Tuomo]
* verify: fix wrong confdir location [Tuomo]
* pluto: cleanup of XAUTHuser and traffic statistics logging [Paul]
* pluto: Obsoleted force_keepalive= and --force_keepalive [Paul]
* pluto: Added per-conn nat_keepalive=yes|no (default yes) [Paul]
* pluto: Log our own vendorid as "received" instead of "ignored" [Paul]
* pluto: Prevent logging from truncating XAUTHuser= [Paul]
* pluto: Don't log (0 byte) SA traffic statistics for ISAKMP SA's [Paul]
* pluto: Some more changes in the output of ipsec auto --status [Paul]
* pluto: wipe old logfile on restart (match previous behaviour) [Antony]
* _stackmanager: When unloading NETKEY, unload ip_vti before xfrm*tunnel [Paul]
* _stackmanager: Stack was not cleaned up for upstart / non-modular [Paul]
* building: Fix warnings when compiling with clang [Florian Weimer]
* building: Add -pie to linker flags, ensure relro is not overwritten [Paul]
* building: fix "make depend" in programs/pluto [Antony]
* packaging: Split RHEL spec file into rhel5/rhel6, add USE_OCF flag [Paul]
* initsystem: fixed default sysv init status function [Tuomo]
* KLIPS: SAref patches for 3.0.55+ and RHEL 2.6.32-358.2.1 [Pavel Kopchyk]
* Bugtracker bugs fixed:
  #75: Libreswan inserts wrong xfrm policies on some configurations [Tuomo]
  #76: NSS: ipsec initnss fails with a @FINALCONFDDIR@ replace and no default configdir [Tuomo]
  #78: NSS: segfault on libnss functions when using ikev2 [Antony]
  #85: NETKEY: Pass traffic selectors to the kernel in Transport Mode support was incomplete and broke nat-t transport mode [Kim/Tuomo]

v3.1 (March 14, 2013)
* XAUTH: Support for leftaddresspool= [Antony]
* XAUTH: Added xauthby=alwaysok option [Paul]
* XAUTH: Added xauthfail=hard|soft option [Paul]
* IKEv1: Support for IKE fragmentation via ike_frag= [Wolfgang/Paul/Hugh]
* IKEv1: Support for removing bogus non-ESP markers [Paul/Hugh]
* NETKEY: Show traffic stats in ipsec auto --status and teardown [Wes/Paul]
* ipsec: Add "ipsec start|stop|restart|status" aliases [Paul]
* testing: Many updates to KVM testing infrastructure [Paul/Antony]
* starter: auto=route and auto=start only performed auto=add [Wolfgang]
* libswan: logging cleanups from openswan 2.5.x era [DHR/Antony/Paul]
* pluto: log XAUTHusername in the "established IPsec SA" line [Paul]
* pluto: Show labeled IPsec information in ipsec auto --status [Paul]
* pluto: Various minor changes to ipsec auto --status output [Paul]
* pluto: Debug logs were not written if a file was specified [Paul/Antony]
* pluto: fix for additional proposal sizes when enabling 1DES [Paul]
* IKEv2: narrowing used a wrong port range in determining bestfit [Coverity]
* IKEv1: Better logging of Vendor IDs in [Paul]
* KLIPS: enable cryptoAPI in packaging/makefiles/module.defs [Paul]
* SAREF: patches for Ubuntu kernel 3.2.0-33.52 [Simon]
* libipsecconf: Improved fix for osw#1370 (segfault on no EOL) [Philippe]
* libipsecconf: Forbid rekey=no plus dpdaction=restart(_by_peer) [Paul]
* libipsecconf: crlcheckinterval unit is time, not number [Tuomo]
* libipsecconf: Remove bogus key_from_DNS_on_demand policy for PSK [Paul]
* libipsecconf: Raise POLICY bits from int (32) to lset_t(64) [Paul]
* libipsecconf: sourceip= setting could overwrite nexthop= setting [Paul]
* XAUTH: ModeConfig DNS options only worked via whack, not config file [Paul]
* XAUTH: modecfg_wins[12]= support removed [Paul]
* XAUTH: Use re-entrant versions of localtime_r/gmtime_r [Paul]
* XAUTH: Added threading mutex locks for log functions [Philippe/Paul]
* XAUTH: Added threading mutex locks for crypt() [Philippe]
  (crypt_r is not available on all platforms)
* XAUTH: Only try to update resolveconf/restoreconf when XAUTH client [Paul]
* addconn: If no protostack= is configured, return "netkey" as default [Paul]
* addconn: Fix for addconn loading Point-To-Point connections [Kim]
* X509: Initialise libcurl for SSL to support CRLs over HTTPS [Paul]
* X509: Warn 14 days before certificates expire [Tuomo]
* packaging: add /etc/ipsec.d/{crls,cacerts} to rpm spec files [Tuomo]
* packaging: Fixes to spec file, added kmod spec file for KLIPS [Paul]
* compiling: added -pthread to CFLAGS [Tuomo]
* _plutorun: pass all command line options to pluto [Tuomo]
* _updown: Various fixes for klips/netkey version [Tuomo/Antony]
* X509: Reintroduced lock_certs_and_keys()/unlock_certs_and_keys() [Paul]
* initsystem: change sysv initscripts to use new _plutorun interface [Tuomo]
* DPD: Don't try to delete non-events [Paul]
* Bugtracker bugs fixed:
  #8 honour compress=no option [Matt Rogers]
  #50 It is assumed ipsec.conf lives in the same dir as rc.d/init.d [Tuomo]
  #53 ipsec auto --status does not show phase2 parameters when using (unspecified) defaults? [Matt Rogers]
  #71 Libreswan pre-3.1 git version breaks on-demand ipv6 tunneling [Tuomo]

v3.0 (January 02, 2013)
* FORK: Rename from Openswan to Libreswan [Team]
  (for older CHANGES see docs/CHANGES.openswan)
* FORK: Changed our VendorID prefix to "OEN" [Team]
* LICENSE: Updated FSF address on the GPLv2 COPYING file [Team]
* TRADEMARK: Give everyone unlimited eternal royalty-free license to use the
  name "libreswan" to refer to this software and website [Team]
* NSS: is now mandatory - custom crypto code removed [Paul]
* NSS: Support reading NSS password from file [Avesh]
* NSS: Added "ipsec initnss" and "ipsec import" commands [Paul]
* NSS: We need to include nsperror.h for PR_GetError() [Paul]
* NSS: PK11_DigestFinal() passed sizeof pointer instead of passing sizeof *pointer [Paul]
* NSS: use pkg-config to find the right cflags and libs [Paul]
* DNS: Removed LWRES code and old static ISC libraries [Paul]
* DNS: Don't attempt to resolve numerical sourceip= values [Paul]
* DNS: starter and pluto now support USE_DNSSEC using libunbound [Paul]
* OE: Removed support for old KEY and TXT DNS records [Paul]
* OE: Add support for IPSECKEY in ipsec showhostkey [Paul]
* pluto: --config uses libipsecconf to read 'config setup' [Kim B. Heino]
* pluto: left=%defaultroute now obtains src ip from routing table [Kim B. Heino]
* pluto: Removed support for non-strict ike/esp lines [Paul]
* pluto: UDPFROMTO support was not enabled for NETKEY if not also built with KLIPS [Paul]
* pluto: Pass traffic selectors to the kernel in Transport Mode [Avesh]
  (rhbz#831669)
* pluto: Fix phase confusion in xauth/modeconfig [Avesh]
* pluto: Added new option plutostderrlogtime= (default=no) [Paul]
* pluto: Additional safety checks to strncat() calls for addrtot(), inet_addrtot(),
  sin_addrtot(), alg_info_snprint_esp(), alg_info_snprint_ah(), idtoa() and format_end() [Paul]
* pluto: Removed unused OCSP code [Paul]
* pluto: Add Linux audit support via USE_LINUX_AUDIT (incomplete) [Paul/Antony]
* pluto: crlcheckinterval did not interpret plain numbers as seconds [Philippe]
* pluto: Change ft_mbz to ft_zig - Don't error on "must be zero" but instead
  "zero ignore". This works around an Android ICS/racoon bug [Paul]
* pluto: Update known vendorids [Paul]
* pluto: phased out HAVE_THREADS, pluto/pam now thread-safe [Philippe/Paul]
* pluto: Fixed IPSEC_CONFDDIR handling which broke NSS in tests [Paul]
* pluto: obsoleted prepluto= postpluto= plutoopts= config setup options [Paul]
* pluto: obsoleted plutowait= and pluto= config setup option [Paul]
* pluto: obsoleted nocrsend= option removed (use leftsendcert=) [Paul]
* pluto: removed manual keying remnants [Paul]
* pluto: remove protostack=auto and --use-auto, netkey is new default [Paul]
* pluto: Added perpeerlog=yes|no and perpeerlogdir=/var/log [Paul]
* pluto: Added retransmits=yes|no (matches pluto --noretransmits) [Paul]
* pluto: Added plutofork=yes|no to match pluto --nofork [Paul]
* pluto: added ikeport= and nat_ikeport= options, and --natikeport [Paul]
* pluto: support for secretsfile= and ipsecdir= in ipsec.conf [Paul]
* pluto: remove old unused USE_IPSECPOLICY code [Paul]
* pluto: rhbz#609343: pluto crashes when removing logical interface [Avesh]
* pluto: don't stop processing after --coredir argument [Paul]
* pluto: perform whack --listen and addconn --autoall on startup [Paul]
* pluto: honour plutostderrlog= natively now that _plutorun is gone.
  This also adds a new option --logfile to the pluto daemon [Paul]
* pluto: if started with --nofork, don't care about existing pid file [Paul]
* pluto: incorrect free in scan_proc_shunts() [Roel van Meer]
* pluto: eclipsed() was broken since freeswan-2.02 [Philippe]
* _plutoload: obsoleted [Kim/Paul]
* auto: no longer pass defaultroute/defaultrouteaddr to addconn [Paul]
* whack: fix handling --sha2_truncbug and --nm_configured options [Paul]
* whack: don't try to write to closed stdout tty [Philippe]
* DPD: reduce flood of DPD messages with unexpected seqno [Andrey Alexandrenko]
* DPD: We did not send DPD VID in aggressive mode with NAT-T disabled
* DPD: dpdaction=restart can cause full phase1 timeout after DPD (rhbz#848132) [Avesh]
* PAM: updated contrib/pam.d/pluto (rhbz#815127) [Philippe Vouters]
* PAM: move pam out of contrib, and install config when HAVE_XAUTHPAM [Paul]
* IKEv1: In aggressive mode: allow ISAKMP_NEXT_CR ISAKMP_NEXT_CERT as payloads [Philippe]
* IKEv1: aggressive mode sometimes picked wrong RSA/PSK conn [Philippe]
* IKEv1: Simplify outgoing NAT-T proposals, fix logging [Paul]
* XAUTH: Support for runtime choice of xauthby= [Philippe]
* XAUTH: Support for Mutual RSA + XAuth (interop with Shrew Soft) [Philippe]
* XAUTH: Fixed updown to remove ModeCfg (cisco) obtained sourceip [Avesh/Tuomo]
* XAUTH: Do not redo xauth/modecfg during rekey to cisco [Avesh]
* XAUTH: Use incoming XAUTH VID when picking best connection [Philippe]
* XAUTH: pam was failing when built with USE_LIBCAP_NG=true [Philippe Vouters]
* XAUTH: Fixup of defines [Paul/Philippe]
* XAUTH: Don't use XAUTH VID to put conn in policy XAUTH [Andrey Alexandrenko]
* XAUTH: Fix XAUTH TYPE handling and logging [Philippe]
* IKEv2: Comply to RFC's for "must be zero" to ignore instead of abort [Paul]
  (rhbz#831669)
* IKEv2: road warrior support [Antony/Paul/Avesh]
* IKEv2: narrowing code extended to cover ports,protocol,subnets [Antony/Paul]
* Only set MODP768_MODULUS with USE_VERYWEAK_DH1 [Paul]
* NETKEY: ignore interfaces= line for NETKEY [Paul]
* NETKEY: Fix for three AES-GCM issues with key lengths 128, 192, 256 bits
  and IV of 8, 12, 16 bytes as per RFC 4106 [Avesh]
* NETKEY: Labeled IPsec updates [Avesh]
* NETKEY: Support for SHA384/SHA512 and integ(ikev2) in ESP [Avesh]
* NETKEY: In _updown.netkey, insert route on correct interface when nexthop is used [Tuomo]
* NETKEY: Revert "Always use XFRM_MSG_UPDPOLICY instead of XFRM_MSG_NEWPOLICY"
  This caused module unload issues and XFRM_MSG_REPLACE errors [Paul]
* KLIPS: Removed support for Linux < 2.4.4 [Paul]
* KLIPS: Changed _startklips to use ip route instead of netstat [Harald]
* KLIPS: misc. fixes, mostly satot() related [David]
* KLIPS: 20% speed gain on transmitting packets [David]
* MAST: Fixed _updown.mast missing incomplete if-clause [Harald]
* SAREF: kernel patches updated to linux 3.2.0 [Simon Deziel]
* addconn: mimic _plutoload, cleanup and fixup of functions [Paul]
* scripts: Support /etc/sysconfig/ipsec and /etc/default/ipsec (rhbz#789917)
* _stackmanager: new script replacing _startnetkey/_startklips [Paul]
* barf: do not grep lastlog, wtmp, tmp (rhbz#771612) [Paul]
* verify: ported ipsec verify from perl to python [Paul]
* verify: check ipsec.conf, ipsec.secrets syntax [Paul]
* verify: warn on newly obsoleted keywords [Paul]
* auto: fix --status output for vnet/vhost case [Ani]
* copyright: Removed obsoleted/unmaintained "ipsec copyright" command [Paul]
* showdefaults: removed ipsec showdefaults [Paul]
* _include: Removed obsolete _include program [Paul]
* policy: Removed broken 'ipsec policy' [Paul]
* mailkey: Removed obsolete command. Was already not built or installed [Paul]
* scripts: phased out /var/run/pluto/ipsec.info [Paul]
* OSX: Set __APPLE_USE_RFC_3542 required for udpfromto functionality [Paul]
* DOCS: Add man page leftid= note on Cisco ID_KEY_ID Group Name [Philippe]
* liblibreswan: Remove unused optionsfrom() temp file handling [Paul]
* liblibreswan: Support commas inside OIDs by using ",," to mean "," inside
  the OID (rhbz#868986) [Matt Rogers]
* initsystems: Native support for systemd, upstart and sysvinit [Paul/Wes]
* testing: Ported broken UML harness to KVM/libvirt/9p [Paul/Antony]
  (see the wiki on libreswan.org for details on how to use it)
* packaging: Updated libreswan.spec to reflect updated options [Paul]
* packaging: /usr/lib{64}/ipsec is no longer used [Paul]
* manpages: Build during build phase, not during install phase [Wes]
* compiling: Update standard compile options to be more hardened [Paul]
* Bugtracker bugs fixed:
  #7 after 'make install' - check if the service is enabled or not and notify the user [Wes]
  #9 install /etc/pam.d/pluto if USE_XAUTH=true [Wes]
  #25 addconn behaves differently from whack regarding case [Paul]
  #33 warn on /usr/local install with selinux enabled [Wes]
  #40 ensure make install checks and restorecon's SElinux policies [Wes]
  osw#993 ipsec showhostkey: wrong kind of key PPK_XAUTH [Philippe Vouters]
  osw#1308 forceencaps= setting does now show up in "ipsec auto --status" [Matt Rogers]
  osw#1329 IKEv2 core dumps on 2.6.32 with changes backported from the 2.6.38 tree [Steve Lanser]
  osw#1334 Block rules created by openswan remain even after tunnel establishment or XFRM_MSG_POLEXPIRE [Panagiotis Tamtamis]
  osw#1349 pluto logging no subjectAltName matches ID '%fromcert', replaced by subject DN [Tuomo]
  osw#1359 Openswan L2TP and IPhone vpn connection [Paul]
  osw#1370 Segfault on no new line at the end of ipsec.conf [Wes]
  osw#1375 ipsec verify uses perl, should use python [Paul]
  osw#1381 XAuth: the variable PLUTO_XAUTH_USERNAME is empty in the updown script [Bram]
  osw#1384 confusing output from ipsec auto --status [Bram]

For older changes, see docs/CHANGES.openswan