[Swan-announce] Libreswan 3.9 released

The Libreswan Project team at libreswan.org
Wed Jul 9 22:12:46 EEST 2014


The Libreswan Project has released libreswan-3.9.

This is a feature and major bugfix release. It contains more than the
usual amount of changes. Users of IKEv2 are encouraged to upgrade, as this
release contains many IKEv2 enhancements and bugfixes. KLIPS support
was updated for kernels up to 3.14. Workarounds for some Android phones,
isakmpd, racoon and older Cisco firmware enhance interoperability.
Some ESP transforms were added (such as CAST), and SHA2_384 and SHA2_512
support was added for ESP. The compile-time LEAK_DETECTIVE is now a
pluto daemon option, --leak-detective. The addconn %defaultroute
handling that caused problems for some people upgrading from openswan
to libreswan has been fixed.

The MODP2048 group was added to the default proposal list, and some IKE
proposals which did not send a default KEY_LENGTH now properly do so.
These two might cause existing connections to require a configuration change
if the remote peer is very strict in its proposal set. Please take care
when upgrading.
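When the remote peer accepts only a fixed proposal set, one way to keep an existing tunnel unaffected by the changed defaults is to pin ike= and esp= explicitly in the conn. This is an added illustration, not part of the announcement or of the project's own documentation; the conn name, the peer address and the chosen algorithms are assumptions to be replaced with whatever the strict peer actually accepts.

```ini
# /etc/ipsec.conf fragment (added example, not from the release notes).
# Conn name, peer address and algorithm choices are placeholders.
conn strict-peer
	left=%defaultroute
	right=192.0.2.10
	authby=secret
	# Pin the IKE proposal as cipher-integrity;DH-group. With an explicit
	# proposal the default proposal list, which now includes modp2048,
	# is not used for this peer, so the proposal sent does not change.
	ike=aes256-sha1;modp2048
	# Pin the ESP cipher with an explicit key size instead of relying on
	# the default size, which changed in 3.9 (and KEY_LENGTH is now sent
	# for ciphers that require it). sha2 is accepted as alias for sha2_256.
	esp=aes256-sha2_256
	auto=start
```

After upgrading, `ipsec status` shows the negotiated IKE and ESP algorithms, which can be compared against the peer's configuration if the connection fails to establish.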

You can download libreswan via https at:

https://download.libreswan.org/libreswan-3.9.tar.gz
https://download.libreswan.org/libreswan-3.9.tar.gz.asc

or via ftp at:

ftp://download.libreswan.org/libreswan-3.9.tar.gz
ftp://download.libreswan.org/libreswan-3.9.tar.gz.asc

The full changelog is available at:
https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailinglists or at our bug tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for Fedora, RHEL and Ubuntu can be found at
https://download.libreswan.org/binaries/

See also https://libreswan.org/

v3.9 (July 9, 2014)
* Documentation: cleanup of README.* and docs/* [Paul]
* libswan: Cleanup allocation and certificate handling functions [Hugh]
* libswan: Introduce add_str() to replace abused strncat() [Hugh]
* libswan: Complain when loading connection with expired certificate [Paul]
* libswan: Some error messages did not make it to the whack log (user) [Paul]
* pluto: STF_TOOMUCHCRYPTO handling should not delete the state [Paul/Hugh]
* pluto: Default cipher keysize is now the RFC-compliant 128 (not 256) [Paul]
* pluto: Allow sha2 as an alias for sha2_256 [Paul/Matt]
* pluto: Allow more DBG_* and IMPAIR options [Hugh]
* pluto: Some enc transforms did not send KEY LENGTH for default key size [Paul]
* pluto: Ensure required KEY_LENGTH attributes for some ciphers are sent [Paul]
* pluto: Default ESP key size was "max" instead of "default" [Paul/Hugh]
* pluto: Bogus keysizes (eg 3des666) were not rejected at IKE level [Paul/Hugh]
* pluto: esp=aes now accepts both aes128 and aes256 [Paul/Hugh]
* pluto: ipsec status did not display "000" for ESP default size [Paul]
* pluto: ipsec status did not print IKE algo separator (",") [Paul]
* pluto: ipsec status no longer prints remote nexthop when oriented [Paul]
* pluto: sa_copy_sa_first() memory leak fixed [Hugh]
* pluto: Improved exponential backoff in message retransmission [Hugh]
* pluto: timer.c simplifications and improvements for monotonic time [Hugh]
* pluto: Cleanup and document wire_chunk crypto helper code [Hugh]
* pluto: rename program files using proper ikev[12]_* prefixes [Paul]
* pluto: Don't load certs via load_acerts() from /etc/ipsec.d/acerts/ [Paul]
* pluto: Drop CAP_DAC_OVERRIDE privs later to support non-root dirs [Paul]
* pluto: Remove unused libaes/libdes/liblswcrypto [Paul]
* pluto: Print proper cipher/algo/modp groups in phase1/parent SA [Paul]
* pluto: Various IANA updates to ipsec/ike/ikev2 registries [Paul]
* pluto: STF_TOOMUCHCRYPTO could cause double delete of state [Hugh]
* pluto: Alias "sha" to "sha1" for ike= and esp= [Matt]
* pluto: Simplify/cleanup NSS and cryptohelper code [Hugh]
* pluto: pluto_crypt.c used non-thread-safe strerror() [Hugh]
* pluto: ensure addconn thread uses the same ctlbase as pluto did [Paul]
* pluto: LEAK_DETECTIVE is now a runtime --leak-detective pluto option [Paul]
* pluto: Add modp2048 to default proposal list [Paul]
* pluto: oakley_alg_makedb() algo preference picking fixed [Paul/Hugh]
* pluto: Added --impair-send-key-size-check for testing [Paul]
* pluto: Make timer.c code IKE version independent [Antony]
* addconn: Default gateway finding logic fixes [Wolfgang]
* addconn: Only resolve %defaultroute using the main routing table [Wolfgang]
* addconn: ensure expired certificates show clearly over whack
* NATT: Added nat-ikev1-method=drafts|rfc|both to workaround buggy Ciscos [Paul]
* NATT: non port-floating (4500) NATT draft support removed [Paul]
* NATT: Change order of NATT payloads to accommodate racoon sensitivity [Paul]
* NATT: ignore incoming ISAKMP_NEXT_SAK (AKA ISAKMP_NEXT_NATD_BADDRAFTS) [Paul]
* NATT: Added IKEv2 NAT-Traversal support [Antony]
* XAUTH: Cleanup code [Hugh]
* XAUTH: Workaround for Android bug sending trailing NULL with password [Hugh]
* XAUTH: Improved logging and output for automated processing (eg for NM) [Paul]
* XAUTH: Hand out previously given IP lease to same client on reconnect [Antony]
* DPD: openbsd isakmpd bug workaround for duplicate DPD seqno [Paul]
* IKEv1: aggr mode: print names of ignored proposals part [Paul]
* IKEv1: rename init_am_st_oakley() to init_aggr_st_oakley() [Paul]
* IKEv2: Rekey / Delete event scheduling fixes [Antony]
* IKEv2: liveness (DPD) fix msgid handling for Informational XCHG [Matt]
* IKEv2: Improved RESPONDER_TIMEOUT logic [Antony]
* IKEv2: Extend smc with SMF2_CONTINUE_MATCH for cookie state matching [Hugh]
* IKEv2: handle DDOS cookie without creating state and using memory [Hugh]
* IKEv2: Fix IS_IPSEC_SA_ESTABLISHED macro to include IKEv2 [Antony]
* IKEv2: CREATE_CHILD_SA exchange can return NO_ADDITIONAL_SAS [Antony]
* IKEv2: Lingering states were never cleaned up [Antony]
* IKEv2: Support Authentication Header ("AH") [Hugh]
* IKEv2: don't call dpd_active_locally() on an undefined state [Paul]
* IKEv2: Return proper message to the user when our RSA/PSK is missing [Paul]
* IKEv2: Always add SAi TSi TSr in I2 to allow IKE SA Reauthentication [Antony]
* IKEv2: When deleting CHILD_SA without a IKE SA don't try to send v2D [Antony]
* IKEv2: Fix process_informational_ikev2() for Delete payloads [Paul/Hugh]
* IKEv2: Improved logging of IKEv2 transform IDs [Hugh]
* pluto/whack: Allow shutdown command for different MAGIC [Paul]
* NSS: Changed PR_ASSERT() calls to passert() calls [Paul]
* NSS: ipsec initnss can now take a non-default location [Paul]
* newhostkey: Return proper error codes, no longer allow stdin [Paul]
* OCF: ipsec_ocf_cbimm KLIPS option was always ignored by mistake [Hugh]
* OCF: Remove obsoleted HAVE_OCF support for IKE acceleration [Paul]
        (kernel OCF support is still available and supported)
* NETKEY: esp=cast failed due to wrong crypto identifier [Paul]
* KLIPS: SAref patches for Ubuntu kernel 3.11.0-15.25 [Simon Deziel]
* KLIPS: Improved support for various 3.x Linux kernels [various]
* KLIPS: support for CONFIG_USER_NS [Matt]
* _stackmanager: only unload stack when switching (rhbz#1025687) [Paul/Tuomo]
* building: remove LIBDIR as we install all programs in LIBEXECDIR [Tuomo]
* packaging: NSS fixups for deb packaging [mountaincat]
* testing: a LOT of test case updates [many people]
* Bugfixes for better C-library compatibility with "musl" [Hugh/Paul]
* Bugtracker bugs fixed:
   #67: uniqueids: don't compare ipv4 and ipv6 addresses [Tuomo]
   #86: left=%defaultroute does not work in a conn [Hugh/Paul]