[Swan-announce] Libreswan 3.22 released

The Libreswan Project team at libreswan.org
Sun Oct 29 06:12:13 UTC 2017


The Libreswan Project has released libreswan-3.22

This is a performance enhancement and feature release.

Performance improvements:

After investigating performance under high load, we found a number of
issues that slowed down performance. This resulted in state machine code
updates related to IKE retransmits, logging improvements, less pthread
locking, and hash table improvements. These performance fixes resulted
in libreswan handling 4x more connections than previous

New Features:

This release features Opportunistic IPsec support using the unbound DNS
ipsecmod module. This allows the DNS server to perform IPSECKEY lookups
while it performs A/AAAA lookups and trigger Opportunistic IPsec before
the DNS client receives an answer from the DNS server.

Socket handling was updated to handle EAGAIN errors better, and options
for the socket buffer size and for whether or not to process the socket
error queue were added (see 'man ipsec.conf' and 'man pluto'). A bug was
also fixed where a client vanishing on a busy server could cause an
unrelated DH calculation to be aborted.
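The two features above (ipsecmod-triggered Opportunistic IPsec, and the new
IKE socket options) both end up as configuration. The fragments below are an
added illustration for this announcement, not configuration shipped by the
Libreswan Project: the hook path /usr/libexec/ipsec/_unbound-hook is the
usual install location and is assumed, example.net is a placeholder zone,
and the buffer size and helper count are values chosen for illustration
rather than recommended defaults. unbound must be built with ipsecmod
support and run on the same host as pluto, since the hook invokes
'ipsec whack' locally.

```conf
# --- /etc/unbound/unbound.conf (fragment; added example) ---
server:
    # ipsecmod must come first in the module chain so it can fetch the
    # IPSECKEY records alongside the A/AAAA lookup.
    module-config: "ipsecmod validator iterator"
    ipsecmod-enabled: yes
    # Hook shipped by libreswan (path assumed); unbound runs it with the
    # resolved addresses and IPSECKEY data before answering the client.
    ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
    # Still answer the A/AAAA query if the IPSECKEY lookup fails.
    ipsecmod-strict: no
    ipsecmod-max-ttl: 3600
    # Never trigger IPsec on IPSECKEY records that fail DNSSEC validation.
    ipsecmod-ignore-bogus: no
    # Restrict triggering to zones you expect to publish IPSECKEY
    # (placeholder zone; newer unbound spells this ipsecmod-allow).
    ipsecmod-whitelist: example.net

# --- /etc/ipsec.conf (fragment; added example) ---
config setup
    # New in 3.22: enlarge the IKE socket receive/send buffers on a busy
    # responder so bursts of IKE_SA_INIT do not overrun the default.
    # Value in bytes, chosen for illustration.
    ike-socket-bufsize=2097152
    # New in 3.22: read ICMP errors from the socket error queue so a
    # vanished peer is noticed instead of waiting for retransmit timeouts.
    ike-socket-errqueue=yes
    # More crypto helper threads for DH on a multi-core machine.
    nhelpers=8
    # Default is yes; set to no if client IPs must not appear in logs.
    logip=yes
```

ike-socket-errqueue=no is the setting to try if you see spurious
disconnects on networks that inject ICMP errors; ike-socket-bufsize only
raises the buffer up to the kernel's net.core.rmem_max/wmem_max limits, so
check those sysctls when the larger value seems to have no effect.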

Initial support for RFC 7427 Digital Signature has been added, and in
the next few releases we expect to increase the number of supported
algorithms and signature formats.
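To make the RFC 7427 "Digital Signature" format concrete: IKEv2 auth method
14 carries a one-octet length, a DER AlgorithmIdentifier, and then the raw
signature, so the peer can identify the hash/signature algorithm per
exchange instead of it being fixed by the auth method. The following is an
added example written for this announcement, not libreswan code; the two
AlgorithmIdentifier blobs are the ones listed in RFC 7427 Appendix A, and
the signature bytes in the usage call are a constructed placeholder rather
than a real signature.

```python
"""RFC 7427 IKEv2 authentication data: encode and decode the framing.

Added example, not part of libreswan. Layout per RFC 7427 section 3:

    ASN.1 Length (1 octet) | AlgorithmIdentifier (DER) | Signature Value

The length octet covers only the AlgorithmIdentifier, so a receiver can
locate the signature even when it does not recognise the algorithm.
"""

# DER AlgorithmIdentifier values from RFC 7427 Appendix A.
KNOWN_ALGORITHMS = {
    "sha256WithRSAEncryption": bytes.fromhex("300d06092a864886f70d01010b0500"),
    "ecdsa-with-sha256": bytes.fromhex("300a06082a8648ce3d040302"),
}
_NAME_BY_DER = {der: name for name, der in KNOWN_ALGORITHMS.items()}


def encode_auth_data(algorithm: str, signature: bytes) -> bytes:
    """Build the Authentication Data field for auth method 14."""
    alg = KNOWN_ALGORITHMS[algorithm]
    if not 0 < len(alg) <= 255:
        raise ValueError("AlgorithmIdentifier must fit a one-octet length")
    if not signature:
        raise ValueError("signature value must not be empty")
    return bytes([len(alg)]) + alg + signature


def decode_auth_data(data: bytes):
    """Split Authentication Data into (algorithm name, DER blob, signature).

    Unknown but well-formed AlgorithmIdentifiers are returned as "unknown"
    so the caller can reject them against its own policy; malformed input
    raises ValueError instead of being guessed at.
    """
    if not data:
        raise ValueError("empty authentication data")
    alg_len = data[0]
    if alg_len < 2 or len(data) < 1 + alg_len:
        raise ValueError("truncated AlgorithmIdentifier")
    alg = data[1:1 + alg_len]
    # Minimal DER sanity check: a SEQUENCE whose short-form length matches
    # the octet count. Short form covers every identifier in RFC 7427
    # Appendix A; long-form lengths are rejected rather than parsed.
    if alg[0] != 0x30 or alg[1] >= 0x80 or alg[1] != alg_len - 2:
        raise ValueError("AlgorithmIdentifier is not a well-formed DER SEQUENCE")
    signature = data[1 + alg_len:]
    if not signature:
        raise ValueError("missing signature value")
    return _NAME_BY_DER.get(alg, "unknown"), alg, signature


def algorithm_accepted(data: bytes, allowed: set) -> bool:
    """Policy check a responder would apply before verifying the signature:
    only algorithms in `allowed` count, whatever the initiator claims."""
    name, _alg, _sig = decode_auth_data(data)
    return name in allowed


if __name__ == "__main__":
    # Constructed placeholder signature; a real one comes from the peer's
    # private key over the IKEv2 signed octets.
    fake_sig = bytes(range(32))
    blob = encode_auth_data("sha256WithRSAEncryption", fake_sig)
    print(blob.hex())
    print(decode_auth_data(blob)[0])
    print(algorithm_accepted(blob, {"ecdsa-with-sha256"}))
```

The algorithm_accepted() check is the part worth copying: RFC 7427 lets the
initiator name the algorithm, so the responder must compare it against its
own configured set (the Libreswan equivalent is the authby= policy) rather
than trusting the identifier on the wire.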

Support for GMAC via esp=null_auth_aes_gcm was added for 3GPP.

IKE UDP holes for IPv6 no longer need a separate v6neighbor-hole.conf
and pluto now handles these internally.

Important bugfixes:

A number of memory leaks were found and fixed, most notably in the IKEv2
fragmentation code. The XAUTH retransmit logic was fixed, and XAUTH
without ModeCFG was fixed.

The previous version mistakenly rejected preloaded certificates that
were not authenticated using a CA certificate.

You can download libreswan via https at:

https://download.libreswan.org/libreswan-3.22.tar.gz
https://download.libreswan.org/libreswan-3.22.tar.gz.asc

The full changelog is available at:
https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailinglists or at our bug tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their respective
repositories a few days after this release.

See also https://libreswan.org/

v3.22 (October 22, 2017)
* IKEv2: EXPERIMENTAL: unbound DNS server ipsecmod support [Opportunistic IPsec]
* IKEv2: Initial support for RFC 7427 Digital Signature [Sahana Prasad/GSoC]
* IKEv2: Do not include INTEG=NONE in AEAD IKE proposals [Andrew]
* IKEv2: Accept both ESP=AEAD+NONE and ESP=AEAD in proposals [Andrew]
          (See also: https://www.rfc-editor.org/errata/eid5109)
* IKEv2: Fix interop with old pluto that rejected esp=aead+none [Andrew]
* IKEv2: Add support for GMAC via esp=null_auth_aes_gcm [Andrew]
* IKEv2: Fragmentation code cleanup and memory leak fixes [Andrew]
* IKEv1: Fix XAUTH retransmits and packet storage [Antony]
* IKEv1: Perform custom state change for XAUTH without ModeCFG [Paul]
* IKEv1: Add support for nat-ikev1-method=none [Paul]
* IKEv1: XAUTH password length wasn't consistent at 128 [Stepan Broz]
* pluto: Natively install ICMPv6 neighbour discovery holes [Mayank Totale/GSoC]
* pluto: Fixup XAUTH/PAM thread cancelation handling [Andrew/Antony]
* pluto: Change default rundir from /var/run/pluto to /run/pluto [Paul]
* pluto: Various ike_alg parsing updates [Andrew]
* pluto: Various cleanups in addresspool and XAUTH code [Hugh]
* pluto: Fix missing ntohl() on the SPI numbers in ipsec status [Paul]
* pluto: Various memory leak fixes [Antony,Paul,Hugh]
* pluto: Make ioctl(SIOCGIFFLAGS) failure for labeled devices non-fatal [Paul]
* pluto: Give IKE traffic preference via SO_PRIO [Paul]
* pluto: New setup options: ike-socket-errqueue= , ike-socket-bufsize= [Paul]
* pluto: Improve whack --listevents with libevent [Antony]
* pluto: Fixup NIC offload support [Antony, Hugh]
* pluto: Track and try the number of EAGAIN errors on IKE socket [Hugh/Paul]
* pluto: Prevent spurious initiating states on responder-only conn [Antony]
* pluto: don't call sanitize_string() in fmt_log() as it is expensive [Paul]
* pluto: No longer need to specify null for AEAD, can use esp=aes_gcm [Andrew]
* pluto: Increase default nhelpers for 1 CPU (2) and 2 CPUs (4) [Paul]
* pluto: New option logip= (default yes) to disable log of incoming IPs [Paul]
* pluto: signal handling cleanup [Andrew/Hugh]
* pluto: Don't try to retransmit unsent packet [Paul/Hugh]
* pluto: state hashing improvements [Andrew]
* pluto: Fix erroneous connection switching (bug in v3.21) [Paul]
* pluto: when deleting parent, don't deschedule DH for wrong child [Andrew]
* pluto: dpdaction=restart fixup when using %any [Antony]
* pluto: Don't die on labeled interfaces without SIOCGIFFLAGS support [Paul]
* addconn: left=%defaultroute would fail if >500 host routes [Kim]
* showhotkey/rsasigkey: Fixup mismatch of public key display [Andrew]
* FIPS: Some selftests did not run properly under FIPS mode [Andrew]
* KLIPS: Removed old premade patches, use make targets instead [Paul]
* updown: Don't remove source ip if it's still used (rhbz#1492501) [Tuomo]
* updown: Allow disabling via leftupdown="" or leftupdown="%disabled" [Paul]
* updown: SPI numbers were missing ntohl() conversion [Paul]
* various: phase out --ctlbase for --ctlsocket and --rundir [Paul]
* libipsecconf: reject unavailable kernel algorithms in parser [Andrew]
* libswan/pluto: throw a clearer error for broken libunbound [Paul]
* libswan/pluto: Cleanup logging and tighten logging lock [Andrew]
* libswan/pluto: Greatly optimize logging code [Andrew]
* libswan/pluto: Some logging algorithm renames for more consistency [Andrew]
* building: remove -fexceptions; breaks pthread_cleanup_push [Andrew]
* packaging: Update debian/ and move to packaging/debian [Antony]
* packaging: Update fedora/rhel spec files [Tuomo]
* testing: --impair-foo changed to --impair foo [Andrew]
* testing: Some new impair options for testing [Andrew,Sahana,Paul]
* testing: Allow null encryption with null auth for testing [Andrew]
* Bugtracker bugs fixed:
    #294: Bug in public key reported by rsasigkey [Tijs Van Buggenhout/Andrew]
    #299: Fix overlapping addresspool and static lease from passwd file [Antony]
    #300: Fix bug in v3.21 that rejected hardcoded certs without a CA [Paul]
    #302: IKEv1-only and IKEv2-only must not share IKE SA [Paul]
    #303: xauth password length limited to 64 bytes [Stepan Broz]

