From team at libreswan.org Fri Feb 14 04:00:42 2020 From: team at libreswan.org (Libreswan Team) Date: Thu, 13 Feb 2020 23:00:42 -0500 (EST) Subject: [Swan-announce] libreswan-3.30 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-3.30 This is a major bugfix and feature release. This release includes support for XFRMi virtual ipsec devices. This is also the last release to support KLIPS based virtual ipsec devices. Those using KLIPS should use this release to migrate to XFRMi. Other new features include IPv6 roadwarrior/addresspool support, a significant performance increase on processing X.509 certificates for large scale systems and the Opportunistic IPsec (mesh or any-to-any) support has been significantly improved to properly handle the cases of nodes crashing or briefly not supporting Opportunistic IPsec. This release follows the recommendation of RFC 8247 to no longer support SHA1 for RFC 7427 style Digitial Signature support. This can lead to interop issues with certain strongSwan configurations that mistakenly negotiate SHA1 despite libreswan not sending suppor for this using the Hash Algorithm Notify payload. libreswan now also makes use of the new IKE PDF code inside the NSS crypto library. As a result, libreswan itself currently no longer needs a separate FIPS validation - validation of the NSS library is enough. For a full changelog, see below changelog for details. You can download libreswan via https at: https://download.libreswan.org/libreswan-3.30.tar.gz https://download.libreswan.org/libreswan-3.30.tar.gz.asc The full changelog is available at: https://download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https://lists.libreswan.org/ https://bugs.libreswan.org/ Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v3.30 (February 13 2020) * WARNING: This is the last release that supports the KLIPS stack, use the new ipsec-interface= virtual interfaces instead. * XFRM: Fix detection on kernels without xfrm_stat (debian et all) [Paul] * XFRM: XFRMi interface support using ipsec-interface= and iface-ip= [Antony] * IKEv2: Message ID handling: remove a O(#STATES) lookup [Andrew] * IKEv2: OE previous half-open state overwrites IPsec policy [Paul/Stepan] * IKEv2: On initiator, do not retransmit on IKE_AUTH processing failure [Paul] * IKEv2: Prevent leak in ikev2_send_certreq() on sending error [Paul] * IKEv2: Remove SHA1 from default proposal list [Paul] * IKEv2: On PPK failure with insist, return AUTHENTICATION_FAILED [Vukasin] * IKEv2: Do not try to delete (replaced) bare shunts [Paul] * IKEv2: Delete pending outgoing bare shunts if incoming IPsec happened [Paul] * IKEv2: Allow CP payload in CREATE_CHILD_SA (RFC 7296 Appendix C.4) [Paul] * IKEv2: calculate_sa_prio() now allows OE shunt to override priority [Paul] * IKEv2: calculate_sa_prio() support for /32 template vs instance [Hugh/Paul] * IKEv2: IPv6 support for addresspool= option [Antony] * IKEv2: Updated support for MOBIKE triggered events [Antony] * IKEv2: Support reconnecting authnull clients [Paul] * IKEv2: New whack commands --rekey-ike and --rekey-ipsec [Antony] * IKEv2: Prefer RFC 7427 Digital Signatures for default authby=rsasig [Sahana] * IKEv2: Refuse SHA1 for RFC 7427 Digital Signatures as per RFC 8247 [Sahana] * IKEv2: Use IKEv2 fragment size values (not IKEv1) [Andrew] * IKEv2: On initiator, do not retransmit on IKE_AUTH processing failure [Paul] * IKEv1: Re-implement CVE-2019-10155 fix to prevent future occurances [Andrew] * IKEv1: do not assert on bad virtual private entry [Paul] * pluto: Simplify plutodebug= options to: base, cpu-usage, crypt, private and tmi (maps old values to new ones for compatibility) [Andrew] * pluto: non-default ipsec.conf did not load auto=add connections [Paul] * pluto: fix %defaultroute for link-local and non-link-local gateway [Antony] * pluto: Improve whackfd handling (prevent console hangs/omissions) [Andrew] * pluto: Support to disable SAN checks (require-id-on-certificate=no) [Paul] * pluto: Audit log IKE SA and IPsec SA failures for Common Criteria (CC) [Paul] * pluto: Disable support for DH2/modp1024 at compile time [Paul] * pluto: Add audit-log=yes|no (default yes) [Paul] * pluto: DDNS event should not cause connection initialization [Paul] * pluto: Various O(STATE) optimializations [Andrew] * pluto: Fixup reporting of esp-hw-offload capabilities in kernel/nic [Paul] * pluto: Add chacha20_poly1305 and curve25519 to default proposals [Paul] * pluto: Updated SECCOMP syscall whitelist [Paul] * pluto: With non-default config file, connections loading was skipped [Paul] * pluto: Fix Opportunistic Encryption with Transport Mode policies [Paul] * pluto: Fix various memory leaks in IKE and X.509 code [Andrew] * pluto: netlink: increase the additional bufferspace to 32KiB [Antony] * pluto: pluto --selftest no longer logs to stderr with timestamps [Paul] * pluto: fix for redirect-to type when it is FQDN [John Mah] * pluto: addresspool: give new lease to different (xauth)usernames [Paul] * pluto: addresspool: reduce complexity from O(#LEASES) to O(1) [Andrew] * whack: Remove obsoleted --whackrecord and --whackstoprecord options [Andrew] * whack: Added whack --ddns to trigger DNS refresh event manually [Paul] * X509: Offload most code to helpers for significant performance boost [Andrew] * X509: Simplify code, cut redundant calculations, speed improvements [Andrew] * X509: SAN checks should confirm IKE peer ID on responder too [Paul] * letsencrypt: new command "ipsec letsencrypt" [Rishabh] * _updown.netkey: PLUTO_VIRT_INTERFACE replaces PLUTO_INTERFACE [Antony] * _updown.netkey: add IPv6 routing support [Tuomo] * _updown.netkey: don't remove old resolv.conf, just update it [Tuomo] * _updown.netkey: fix for iproute2 >= 5.1 which no longer ignores /mask [Paul] * libswan: Don't leak ECDSA pubkey on form_ckaid_ecdsa() failure [Paul] * libswan: Close netlink socket on send error in netlink_query() [Paul] * libipsecconf: don't throw error for not finding a wildcarded include [Paul] * verify: improve support for python2 and python3 [Anand Bibhuti/Paul] * KLIPS: Support for kernels >= 4.20 with SYNC_SKCIPHER_REQUEST_ON_STACK [Paul] * KLIPS: Userland tools compile fixes [Hugh/Paul] * building: No longer build with DH2(modp1024) support (see RFC 8247) [Paul] * building: Add config for PYTHON_BINARY, default being /usr/bin/python3 [Tuomo] * building: Add new USE_NSS_PRF, to use KDF from NSS [Robert Relyea/Andrew] * building: Add USE_PRF_AES_XCBC, replaces USE_XCBC [Paul] * building: Fixes for NetBSD build [Andrew] * building: Fixes for gcc10 [Paul] * packaging: fedora30 requires gcc to be listed as BuildRequires: [Paul] * packaging: Add Debian stretch specific configs and more cleanup [Antony] * packaging: make deb jessie and xenial config detection [Antony] * packaging: update python she-bang handling [Tuomo] * testing: Added a new namespaces based testrun method [Antony] * testing: setup: namespace based ipsec stop needs ip xfrm flush state [Paul] * testing: setup: namespace based ipsec skips initsystem [Paul] -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAl5GG0YTHHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+cvgD/0ZfFfZD+rC0XncwgQNWGIQHHb62JWK DKd7bDFd5agogG7WcXpTxisRHoRJrpt8ogGEwwSvHWsxUAbbaviTlij/2eoG/Eeu 0lSVvgxHGyZ5JKNqarKvM6e6uWKGlL+8znhtZXNtliCpkWSt45245Zz3+DcBYKgC djB8NAfZXtahVKKrJ5lPyFwvHgjy1Z6G8IhLNlPSJ0t+ar59De3NDL4ofa5ivLvG rgyWvjtONiUHlg0opqj/PWWNQDpjT2gx9XTNsu6omxes2AZvHvEzYIBHRCe5AAuS RrARcrZqwzzy5oGRIyEXsTDsF7Z1G6DI+d1e/eu/7yoIgRciYlMgYoejMlSMKGFs 3Y/8CHU5A+SpV+/ALG+2sejsvuT/i09To5MLgxXuMQRNq7uDVlN59ZfS2YjjT3uc rdoLduaEm5hCDXSnB+XKlO3NQkQcA9HFoC24iOan2Oxo1zmMvhbGfGjAHPJw/sJF pGNGk8pdKk+3uXoUtteoJF1NFES1B9uFDbl2yXbJlqzHB+NxuFvogT6xcbiLTINX 7vR5WwuD2enWKHXa0n/zqEgx9qcchortguQt7HqCstS9+ofjwnMTw+Qzr8MjY7ZP O2Hi2in9l2FpI0wbP0T09IkeUJZDo4xJFgMv/EaIa9z7W+uRI0n2qj9msaisxIaw xDxJC8uMpTmZGA== =hb9V -----END PGP SIGNATURE----- From team at libreswan.org Wed Mar 4 18:52:59 2020 From: team at libreswan.org (The Libreswan Team) Date: Wed, 4 Mar 2020 13:52:59 -0500 (EST) Subject: [Swan-announce] libreswan-3.31 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-3.31 This is a bugfix release. It fixes IKEv2 IPv4 rekeying that was broken in 3.30. It also adds support for XFRM interfaces to IKEv1 to help migration from KLIPS to XFRM, and an updown script fix for KLIPS. This release is meant to be the last one supporting both KLIPS and XFRM and can be used to test migration to XFRM. For a full changelog, see below changelog for details. You can download libreswan via https at: https://download.libreswan.org/libreswan-3.31.tar.gz https://download.libreswan.org/libreswan-3.31.tar.gz.asc The full changelog is available at: https://download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https://lists.libreswan.org/ https://bugs.libreswan.org/ Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v3.31 (March 3, 2020) * IKEv2: Opportunistic conns specifying keyingtries=0 are changed to 1 [Paul] * IKEv2: Fix ikev2 rekey failures due to bad Traffic Selector proposa [Antony] * IKEv2: Verify (not ignore) expected TSi/TSr payloads for IPsec rekeys [Paul] * IKEv1: Support for XFRMi interfaces [Paul] * pluto: Disable log_to_audit if kernel does not support audit [Paul] * addconn: Do not assert on ipsec-interface=no [Paul] * nat_traversal: Fix not to send nat-t keepalives when there is no nat [Tuomo] * KLIPS: Fix _updown.klips (regression introduced in 3.30) [Wolfgang] * pluto: Increase max IKEv2 fragments to 32 to support Windows [John Mah] -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAl5f+E0THHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+b8iD/44M4hna7IxQgCC0t6S6xj4zu9gb7uT FD8zISjAnO9FpQ/zBnOe3U6tstJj+oNmBNYS+W0XhyszYTXVpxAn52OsAuTYTvvw 2Wwj+eBvAlpBL143rLMfJX+5bBHkybQ+9jccAprBMDA0o+Ijp3Cf6o4v8p56tGjW UlOzmU3jhc31vFYk8oKVg+FxBoexE9/TBdlEZhc9FvF/2FT0trQKepVs0/F8Gk17 mMzWojAj3BVj8QoOm2vYGYm8nf3Y72ASt+ugUJc9vM+8r1831KlMUBgLaXRO9hqC 3k+3s+06kLyiwdVwaDJBIcOqMRCo/CjOGg7RtYxvkkfK8WY0PKM2Fj2rtBH1b06k Hvr23ELozEtBVK2AiISUQskDKBDvIEfESY+O22U3gbwUZJIB64lQI03J0aJKt8B7 V91McIQa+2wZLDj0dHPORQMncgzveVTc33tHMJ7g1LIatJA9cp8XrI5WPrW1Z0w2 nOisgsSQ2OnysMgqJgZbPSvkT7ULDUqAS9jCQg8JBox7m3iqBeyVGxLkhHNiDfvE l0xhm7UQYwvMgA4A9aslntSH+/Hl5d1ZjwMZkbvlg4MV9BleNB106IfS2+auMjhq Hk/SO0ARHsxhmeGRNbfWJY2r2SY63M4Y6AwKXOYBbYQyRXb5kU+uQPzVyzCGxYkY Fz/WbKX175f11Q== =WQTa -----END PGP SIGNATURE----- From team at libreswan.org Mon May 11 14:28:43 2020 From: team at libreswan.org (The Libreswan Team) Date: Mon, 11 May 2020 10:28:43 -0400 (EDT) Subject: [Swan-announce] libreswan-3.33 released to address CVE-2020-1763 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-3.32 This is a security release that addresses CVE-2020-1763. This vulnerability can cause libreswan to restart after receiving an unauthenticated bogus IKEv1 Informational Exchange packet. For details and patches see: https://libreswan.org/security/CVE-2020-1763/ You can download libreswan via https at: https://download.libreswan.org/libreswan-3.32.tar.gz https://download.libreswan.org/libreswan-3.32.tar.gz.asc The full changelog is available at: https://download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https://lists.libreswan.org/ https://bugs.libreswan.org/ Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v3.32 (May 11, 2020) * SECURITY: Fixes CVE-2020-1763 https://libreswan.org/security/CVE-2020-1763 * IKEv2: Support non-narrowed child rekey for narrowing (regression in 3.31) * FIPS: ECDSA keys were mistakenly rejected as "too weak" [Paul] * FIPS: Minimum RSA key size is 2048, not 3072 [Paul] * FIPS: Use NSS to check FIPS mode instead of manually checking fips=1 [Paul] * IKEv2: Do not use fragments if not appropriate (regression from v3.30) [Paul] * IKEv1: Add NSS KDF support for the Quick Mode KDF [Andrew/Paul] * libipsecconf: support old-style ",," to mean "\," in specifying id [Paul] * libipsecconf: left/rightinterface-ip= are not kt_obsolete [Paul] * whack: Add missing ecdsa/sha2 and compat rsa policy options to whack [Paul] * Fix left=%iface syntax due to string length miscalculation [Antony] * X509: don't try to match up ID on SAN when ID type is ID_DER_ASN1_DN [Paul] * packaging: debian fixes [Antony] * building: USE_NSS_KDF=true now uses NSS for all KDF functions Using this option, libreswan no longer needs FIPS certification -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAl65YMYTHHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+X2ED/99ZZMFbUmAzQEgm+u+GXkQu7Ni5LnD ta4Vre0Zu74C9R9AHmK8RrY+HysTXKcJhqXONSbq2QQNn5Y6plA8vI7hWNyEBpmS rsav2GQX1CPNv1RPPbrZRNWXuJ5VxGA+bvNyngKuw7qD/QGvvITImcW4Q/7hOJXj iMYmdKQstOSlsSxID9OqdKQUEJWYJ+ajOjIaA6CENzbFuGE5/78HbUvkUMhGdLAn FGP1bXJDdXfMAyxjB0rapNakdr4RomsVbleZ0Zrbe/pRs5C0Qu6iL4zlxeVXMOWB uHCpiNHKXLrMj6T/OLlrcsSPpqJFvY9uObwxQSP6Ihe5arhNz7Guc2IBEE6nFik/ urpUw0MjtJ4nYsoEZIexyHCNUY/0icVOXQI8z6bTDZHH2OKXrtyoQivIN6S26Ps2 htL0hAWvrSTcqv4G6b2mS1K74WZmKt5klepRbr69YzW8CasXN0kQa/Wa09EpRp1X 07+6I4wknyYniQ53T7P/gDol+R4tp0Stt6Va/hq/vog5RcccK3fTgdAXQUD8OMde TNlbsv17mUBumcQvZQiMFXXm/EAuSxSH6B9grTxKOiHKqXBPayzJ+Y0Ex37KuciH Ss1G9fuXxENcVoeE1/2QPCNEQ9jDuD0KX1q2lcX7yEwOQZkrj6IKj66+oL/KPKmY Jo0HVIJ1brXTdg== =F7cd -----END PGP SIGNATURE----- From team at libreswan.org Mon May 11 14:34:39 2020 From: team at libreswan.org (The Libreswan Team) Date: Mon, 11 May 2020 10:34:39 -0400 (EDT) Subject: [Swan-announce] libreswan-3.32 released to address CVE-2020-1763 [version corrected] Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-3.32 (previous announcement was mistakenly referring to 3.33) This is a security release that addresses CVE-2020-1763. This vulnerability can cause libreswan to restart after receiving an unauthenticated bogus IKEv1 Informational Exchange packet. For details and patches see: https://libreswan.org/security/CVE-2020-1763/ You can download libreswan via https at: https://download.libreswan.org/libreswan-3.32.tar.gz https://download.libreswan.org/libreswan-3.32.tar.gz.asc The full changelog is available at: https://download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https://lists.libreswan.org/ https://bugs.libreswan.org/ Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v3.32 (May 11, 2020) * SECURITY: Fixes CVE-2020-1763 https://libreswan.org/security/CVE-2020-1763 * IKEv2: Support non-narrowed child rekey for narrowing (regression in 3.31) * FIPS: ECDSA keys were mistakenly rejected as "too weak" [Paul] * FIPS: Minimum RSA key size is 2048, not 3072 [Paul] * FIPS: Use NSS to check FIPS mode instead of manually checking fips=1 [Paul] * IKEv2: Do not use fragments if not appropriate (regression from v3.30) [Paul] * IKEv1: Add NSS KDF support for the Quick Mode KDF [Andrew/Paul] * libipsecconf: support old-style ",," to mean "\," in specifying id [Paul] * libipsecconf: left/rightinterface-ip= are not kt_obsolete [Paul] * whack: Add missing ecdsa/sha2 and compat rsa policy options to whack [Paul] * Fix left=%iface syntax due to string length miscalculation [Antony] * X509: don't try to match up ID on SAN when ID type is ID_DER_ASN1_DN [Paul] * packaging: debian fixes [Antony] * building: USE_NSS_KDF=true now uses NSS for all KDF functions Using this option, libreswan no longer needs FIPS certification -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAl65Yi4THHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+QcMD/9hVWruPG4RsarJSvu7oVjYKInF11a0 iICQWDeR7ZUGyBiCJTe/FXrBgJKc3hPJ9BRCw0ALZuRewHSdfCKIbSx8IMdbQUzd wmXvBudtJwDNJgNmaHBvBedcGVRhMH9nhGLuHUJvB4/PNYa5kZFjhuONB674KXdD jBwXWyDiHA4w7B8zyLPlLCY6vSK6siPe2CT5o0fUIy0k+MkTmj+ERuiUBnPhM8lG 6n0J7y7dKEz6vOTNrrC1OzEBwF6mcSM8tSxoHLa7U4hdOK9eJ6wwORT2CH73tWXJ 7ynSXNQ5dIopPI6qlquaJiYqVoIyTvXUjyYEniiE3mFbae336fqiHtsKwgKy2yva oI7r9rpum396ZNrDUDDmfMCsGSixag9p+mp3JAOH3Ot5S9OHJn4wnr/lH2VnJrZp q7ztL0g/TIIefd9AsgKnNeNcAhvj3G4zh3u60FN8ifQkw54Zd87ad6YtdoEKCCbZ toxVidY/rARoelOfOpwpkT+2hPZerV5tPkIAz8o5amk4ykzQ8eFz3URmmmYLpyKe m5BTNTB0j77r6DePEGTzAGMiE4I3MDRmgvMbP/vHRO06/Sb3TuXUu6X+j1VoG6dQ 7rSnH0ej12NlA9cdIDKhEQzLPjX7j5F139zVmdp/yJhCtxgZKVzIfwf0D7zrmQvG A75eTAxXUBZsfQ== =C9LE -----END PGP SIGNATURE----- From team at libreswan.org Thu Oct 15 14:22:38 2020 From: team at libreswan.org (The Libreswan Team) Date: Thu, 15 Oct 2020 10:22:38 -0400 (EDT) Subject: [Swan-announce] libreswan-4.0 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-4.0 This is a major feature and cleanup release. The major release number was increased to signify some major changes. Please ensure you extensively test libreswan 4.0 before upgrading production systems. Compatibility issues: * The KLIPS IPsec stack has been removed - please switch to XFRMi to use ipsecX devices. * Obsolete algorithms removed/disabled (Serpent, Twofish, CAST, MD5/SHA1, DH2, DH22-24, RIPEMD. * Some compatibility keywords have been removed (mostly ones with "_") * Some whack options have been removed and renamed * ipsec status and ipsec trafficstatus output changes * The default NSS database files (*.db) moved from /etc/ipsec.d to /var/lib/ipsec/nss * BUILD variables changed/renamed (see mk/config.mk) * New BUILD variables (eg USE_NSS_KDF, USE_OLD_SELINUX) * Removed BUILD variables SINGLE_CONF_DIR, EMIT_ISAKMP_SPI, USE_KEYRR, TEST_INDECENT_PROPOSAL and ALLOW_MICROSOFT_BAD_PROPOSAL * Renamed INC_* config variables * Updates to _updown scripts (eg renamed _updown.xfrm) * NETKEY options now called XFRM * ipsec newhostkey no longer supports or requires --output * Global ikeport/natport options removed for per conn port options New features: * Support for RFC 8229 IKE and ESP over TCP (requires Linux >= 5.8) * Support for INTERMEDIATE exchange (draft-ietf-ipsecme-ikev2-intermediate) * Support for NetBSD * Improved support for OCP/clouds by supporting custom ikeports * Failover and loadbalancing support for IKEv2 REDIRECT * Improved certificate reloading support (ipsec whack --rereadcerts) * ipsec.secrets no longer needed for RSA keys ( :RSA section is now ignored) Bug fixes: * Improved NAT/port switching * Fix labeled IPsec (selinux) for IKEv1 * Improved ipsecX device support * Fix traffic counters for updown script * Work around for some Linux kernel versions with ACQUIRE bug * Windows 10 rekey interoperability fix We are really happy to see that this release contains contributions from over 30 individual developers. Please let us know if there is anything we can do to help you with contributing to libreswan. This latest version of libreswan can be downloaded from: https://download.libreswan.org/libreswan-4.0.tar.gz https://download.libreswan.org/libreswan-4.0.tar.gz.asc The full changelog is available at: https://download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https://lists.libreswan.org/ https://bugs.libreswan.org/ Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v4.0 (October 14, 2020) * KLIPS: Support for KLIPS completely removed [Paul] * pluto: Removed support for deprecated algos: serpent, twofish, cast [Paul] * IKEv2: EXPERIMENTAL: Support for RFC 8229 IKE/ESP over TCP [Andrew] New per-conn keywords: listen-tcp=yes|no, tcponly=yes|no, tcp-remoteport= Requires: Linux kernel >= 5.8 * IKEv2: Support for leftikeport= / rightikeport= [Andrew/Paul] * IKEv2: EXPERIMENTAL: Support for INTERMEDIATE Exchange [Yulia Kuzovkova/GSoC] New keyword: intermediate=yes * FIPS: Remove DH 23/24 from FIPS allowed list as per SP 800 56A Rev 3 [Paul] * pluto: Support for rereading configured certificates from NSS [Myungjin Lee] * pluto: plutodebug= keywords are now: base,cpu-usage,crypt,tmi,private [Andrew] * pluto: find_pluto_xfrmi_interface() would only check first interface [Paul] * pluto: ddos cookies-threshold and max-halfopen output was swapped [John Mah] * pluto: Fix leased IP address leak [Andrew/Paul] * pluto: Fix displaying PLUTO_BYTES_ counters [Paul] * pluto: Replace/remove deprecated libselinux functions [Eduardo Barretto] * pluto: Update selinux calls for Labeled IPsec support [Richard Haines] * pluto: Memory leak fixes [Hugh] * pluto: Remove unused per peer logging [Andrew] * pluto: Cleanup logging code for minimal logging support [Andrew] * pluto: Cleanup netlink / XFRM code [Hugh] * pluto: xfrmi used mark-out for XFRMA_SET_MARK [Antony/Wolfgang] * pluto: Support for ipsec0 interface to help migrate from KLIPS to XFRM [Paul] * pluto: Fix logging some IKE messages to proper IKE SA state [Andrew] * pluto: Remove global ikeport/nat-ikeport, add listen-udp/listen-tcp [Paul] * pluto: Connections now have serial numbers which are logged [Paul/Andrew] * pluto: No longer require :RSA sections in ipsec.secrets [Andrew] * pluto: pluto chooses wrong raw RSA key (github#352) [Andrew] * seccomp: Update syscall allowlist for pluto and addconn [Paul] * whack: Support for ipsec whack --rereadcerts [Paul] * whack: Rename --ikev1-allow and --ikev2-allow to --ikev1 and --ikev2 [Paul] * whack: Clear inherited defaults for IKEv2 from IKEv1 connections [Paul] * show: Fixup for python3 version of ipaddress module [Paul] * IKEv2: Fix Windows 10 rekey being rejected [Antony/Paul] * IKEv2: Remove duplicaes from proposals using "+" [Andrew] * IKEv2: CERTREQ payload was not sent for authby=ecdsa [Paul] * IKEv2: Decode notify payloads into the message digest [Andrew] * IKEv2: Don't use NAT-T port when no NAT DETECTION payloads received [Andrew] * IKEv2: Add load-balance support (multiple targets) to redirect [Vukasin] * IKEv2: Only sent REDIRECTs to established IKE SA's (not IPsec SAs) [Paul] * IKEv2: Fix AUTH failure if ID payload reserved fields != 0 [Paul/Andrew/Hugh] * IKEv2: A delete(IKE SA) request should not trigger a delete request [Andrew] * IKEv2: Ignore, not abort when receiving unknown type transforms [Andrew] * IKEv2: Don't switch NAT port on receiving non-NAT notify payloads [Andrew] * IKEv1: Prevent crashing in Quick Mode on unused NAT payload [Daniel Wendler] * libipsecconf: Fix config handling of policy-label [bauen1] * libipsecconf: Promote ah= / esp= as desired keywords over phase2alg= [Paul] * libipsecconf: Remove most obsoleted option names with undersscore(_) [Paul] * rsasigkey/newhostkey: Remove obsoleted --output option [Paul] * building: Add NetBSD support [Andrew] * building: Remove support for SINGLE_CONF_DIR, EMIT_ISAKMP_SPI, [Paul] USE_KEYRR and TEST_INDECENT_PROPOSAL * building: Merge userland.mk into config.mk to simplify makefiles [Tuomo] * building: Deprecate INC_ variables [Tuomo] * building: Remove all support for SERPENT, TWOFISH, CAST and RIPEMD [Paul] * building: Remove -DALLOW_MICROSOFT_BAD_PROPOSAL [Tuomo] * building: The define USE_NSS_PRF was renamed to USE_NSS_KDF [Tuomo] * building: Rename master branch to main branch [Paul] * building: Fix finding ipsec command in non-standard bin dirs [Tuomo] * building: Introduce USE_OLD_SELINUX to support libselinux < 2.1.9 [Paul] * building: NETKEY options changed to XFRM options [Paul] * building: NSS database (*.db) are now expected in /var/lib/ipsec/nss [Tuomo] ipsec checknss called in initsystem will migrate files Use FINALNSSDIR=/etc/ipsec.d to use the pre-4.0 location * packaging: Debian: remove runtime dependency on systemd [Stephen Kitt] * packaging: Fedora: add missing build dependency for certutil [Stephen Kitt] * packaging: Debian switched to using /usr/libexec/ [dkg] * testing: Support Fedora32, Ubuntu, improved namespaces support [Paul/Others] * testing: Work around kernel ICMP Acquire bug [Paul] * testing: Added interop testing with OpenBSD iked [Ravi Teja] * documentation: friendler ipsec cmd output [Paul] -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAl+IWvsTHHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+QxID/9JJZWCr0R93uqTdIaQc+TJwBh+uWJ8 MC71i9ybJLWkVtRuc9IkqOU+SkcXtaJYqIgms344A7BRsTb8NFoKtmf8sF/AcMSt 2c7iDHYa4WLpVZ/7/oBuwhXbTClAnJAYsAAwgjvByrz5mSBTSLUD4KChGupOVeWV 85+rwcOvyMNkdx+TNS726RpBvBJ3gWt3BmZG5Kl96BuduR1xbJyxM5mpUCNx6dFi emgHgTTmrFFgA3PphMSiO5R//aR1YWGhdhAL9qdC996qh2Jq7djHzsI77YBQuaDx X4NR8FR9Kjp6QCmDw+1Y/0qSUx1gu1Qj4+YN/k5zuJN7uN+BVdsmZjpFzkYVir4g zHQprOWtZu7921tnEvT/LnQUgOXHZjH/7MiQipgvnIexcAVgTdd4d7MqqraHG3ct uy/vNhC+Mzh6XHCzSB6CbpiY4Kn5sJYdF3dT0jIGRKQV83KVl7LZB0SEBm7xJYDN vn3RcMaCDLKri7MTMeiJjH7tlhlN43OfyzhAq1j0p5PY0jfc6PNyMepxxhRzeMuL 47hXs9bui5AZSku4Oe7k9k2KCzQly7/bxrSBFFpKgoCDJE4ZKPUXKiFUKHyh0P1T gCtpTHEs0CjvAaL4ILbGTydRDLuxkMRxDt2Vtneuf1/s8BCzne/QiW8FDstBV8Di M18cgwbvYbiIHQ== =50vq -----END PGP SIGNATURE----- From team at libreswan.org Mon Oct 19 03:08:20 2020 From: team at libreswan.org (The Libreswan Team) Date: Sun, 18 Oct 2020 23:08:20 -0400 (EDT) Subject: [Swan-announce] libreswan 4.1 released to address urgent Cisco interoperability issue Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan 4.1 This is a major bugfix release. A bug in libreswan 4.0 that rejected invalid IKEv2 Notify protocol ID's instead of ignoring these as per RFC 7296 resulted in an interoperability issue with some Cisco devices that send invalid Notify protocol IDs. A DNS resolving bug was fixed that could lead to connections failing to resolve properly when the connection used left=%defaultroute and a right= with DNS name that published both A and AAAA records. If upgrading from libreswan 3.32 or earlier to libreswan 4.1, please read the libreswan 4.0 announcement: https://lists.libreswan.org/pipermail/swan-announce/2020/000038.html This latest version of libreswan can be downloaded from: https://download.libreswan.org/libreswan-4.1.tar.gz https://download.libreswan.org/libreswan-4.1.tar.gz.asc The full changelog is available at: https://download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https://lists.libreswan.org/ https://bugs.libreswan.org/ Binary packages for RHEL/CentOS can be found at: https://download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v4.1 (October 18, 2020) * IKEv2: Fix Notify protocol ID interop with Cisco introduced in 4.0 [Antony] * addconn: Fix resolving with %defaultroute plus peer with A + AAAA [Antony] * building: minor cleanups [Andrew/Tuomo] v4.0 (October 14, 2020) * KLIPS: Support for KLIPS completely removed [Paul] * pluto: Removed support for deprecated algos: serpent, twofish, cast [Paul] * IKEv2: EXPERIMENTAL: Support for RFC 8229 IKE/ESP over TCP [Andrew] New per-conn keywords: listen-tcp=yes|no, tcponly=yes|no, tcp-remoteport= Requires: Linux kernel >= 5.8 * IKEv2: Support for leftikeport= / rightikeport= [Andrew/Paul] * IKEv2: EXPERIMENTAL: Support for INTERMEDIATE Exchange [Yulia Kuzovkova/GSoC] New keyword: intermediate=yes * FIPS: Remove DH 23/24 from FIPS allowed list as per SP 800 56A Rev 3 [Paul] * pluto: Support for rereading configured certificates from NSS [Myungjin Lee] * pluto: plutodebug= keywords are now: base,cpu-usage,crypt,tmi,private [Andrew] * pluto: find_pluto_xfrmi_interface() would only check first interface [Paul] * pluto: ddos cookies-threshold and max-halfopen output was swapped [John Mah] * pluto: Fix leased IP address leak [Andrew/Paul] * pluto: Fix displaying PLUTO_BYTES_ counters [Paul] * pluto: Replace/remove deprecated libselinux functions [Eduardo Barretto] * pluto: Update selinux calls for Labeled IPsec support [Richard Haines] * pluto: Memory leak fixes [Hugh] * pluto: Remove unused per peer logging [Andrew] * pluto: Cleanup logging code for minimal logging support [Andrew] * pluto: Cleanup netlink / XFRM code [Hugh] * pluto: xfrmi used mark-out for XFRMA_SET_MARK [Antony/Wolfgang] * pluto: Support for ipsec0 interface to help migrate from KLIPS to XFRM [Paul] * pluto: Fix logging some IKE messages to proper IKE SA state [Andrew] * pluto: Remove global ikeport/nat-ikeport, add listen-udp/listen-tcp [Paul] * pluto: Connections now have serial numbers which are logged [Paul/Andrew] * pluto: No longer require :RSA sections in ipsec.secrets [Andrew] * pluto: pluto chooses wrong raw RSA key (github#352) [Andrew] * seccomp: Update syscall allowlist for pluto and addconn [Paul] * whack: Support for ipsec whack --rereadcerts [Paul] * whack: Rename --ikev1-allow and --ikev2-allow to --ikev1 and --ikev2 [Paul] * whack: Clear inherited defaults for IKEv2 from IKEv1 connections [Paul] * show: Fixup for python3 version of ipaddress module [Paul] * IKEv2: Fix Windows 10 rekey being rejected [Antony/Paul] * IKEv2: Remove duplicaes from proposals using "+" [Andrew] * IKEv2: CERTREQ payload was not sent for authby=ecdsa [Paul] * IKEv2: Decode notify payloads into the message digest [Andrew] * IKEv2: Don't use NAT-T port when no NAT DETECTION payloads received [Andrew] * IKEv2: Add load-balance support (multiple targets) to redirect [Vukasin] * IKEv2: Only sent REDIRECTs to established IKE SA's (not IPsec SAs) [Paul] * IKEv2: Fix AUTH failure if ID payload reserved fields != 0 [Paul/Andrew/Hugh] * IKEv2: A delete(IKE SA) request should not trigger a delete request [Andrew] * IKEv2: Ignore, not abort when receiving unknown type transforms [Andrew] * IKEv2: Don't switch NAT port on receiving non-NAT notify payloads [Andrew] * IKEv1: Prevent crashing in Quick Mode on unused NAT payload [Daniel Wendler] * libipsecconf: Fix config handling of policy-label [bauen1] * libipsecconf: Promote ah= / esp= as desired keywords over phase2alg= [Paul] * libipsecconf: Remove most obsoleted option names with undersscore(_) [Paul] * rsasigkey/newhostkey: Remove obsoleted --output option [Paul] * building: Add NetBSD support [Andrew] * building: Remove support for SINGLE_CONF_DIR, EMIT_ISAKMP_SPI, [Paul] USE_KEYRR and TEST_INDECENT_PROPOSAL * building: Merge userland.mk into config.mk to simplify makefiles [Tuomo] * building: Deprecate INC_ variables [Tuomo] * building: Remove all support for SERPENT, TWOFISH, CAST and RIPEMD [Paul] * building: Remove -DALLOW_MICROSOFT_BAD_PROPOSAL [Tuomo] * building: The define USE_NSS_PRF was renamed to USE_NSS_KDF [Tuomo] * building: Rename master branch to main branch [Paul] * building: Fix finding ipsec command in non-standard bin dirs [Tuomo] * building: Introduce USE_OLD_SELINUX to support libselinux < 2.1.9 [Paul] * building: NETKEY options changed to XFRM options [Paul] * building: NSS database (*.db) are now expected in /var/lib/ipsec/nss [Tuomo] ipsec checknss called in initsystem will migrate files Use FINALNSSDIR=/etc/ipsec.d to use the pre-4.0 location * packaging: Debian: remove runtime dependency on systemd [Stephen Kitt] * packaging: Fedora: add missing build dependency for certutil [Stephen Kitt] * packaging: Debian switched to using /usr/libexec/ [dkg] * testing: Support Fedora32, Ubuntu, improved namespaces support [Paul/Others] * testing: Work around kernel ICMP Acquire bug [Paul] * testing: Added interop testing with OpenBSD iked [Ravi Teja] * documentation: friendler ipsec cmd output [Paul] -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAl+NAvUTHHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Q91D/wKXPmX9o5NckJPmVsxVCN0PHBX8J0m YT2v2cA6C8o51mZKrErjWS2dtZ+nVi26HAg29nfoGFiA/zcIabgn5XHG61LFgTcZ 1xnVwASIFFD4bhwZmGIzGVbmKZOx7EjPYzjdtQ6JEDCtbnkQtQ7L5mj8bOewcCIY sNN0OptqrfDH4RDjcgIs7QJyp6fw5bK1YX0QEHWEiZEdoeMDDFBwJU5VheDtMmIH A7XpvRM6RgsXstoDDvOf4w2MKci1WYVFJgulBiBg/WOqLyiK94w+mK+sdlVFkXRW PsHHj7V2ZIOa3fThcXzYqtQFtb+tut2ImjJgMHLASJHx7VrmO+EiSjO37DMvWOr0 0OVfTSO+hA3ZjPh/rwGtbDZ2vDWlegQ+sl3q7aKU9fqiQjrEwzCY46c+oixQmJfI P7sdP7yQsktC3yAvK1+WjpLaDQrI5gD0H3gDE9pzLLNOC+XctnWyyyI3xLZeqouc oPSLmXiGpZRVdLlMh/+X7OZ4W7z4jZnHOklxrCHOJZAZEGI++LdUL43PbH2a4Sa8 o7ImvRexjsls9v1GKjWBtZ/vpaSCaWkiMcjZ7sX7gKis+0TnG7Ar7WyvQUi7Wjn9 NOb1JPTcTTzwDFWMu5ZE+CKSvm4hXspLBEoFQV0wAWg0ef+NJ2KnK5fgvkCKjstK uZfwRg5bzBo/xw== =Ibh+ -----END PGP SIGNATURE-----