[Swan] [Swan-announce] Libreswan 3.21 released
Tony Whyman
tony.whyman at mccallumwhyman.com
Fri Aug 11 09:04:13 UTC 2017
There seems to be a compatibility problem when compiling under Ubuntu
14.04 (trusty).
I can compile this release under Ubuntu 16.04 (xenial), albeit only after
adding new dependencies:
libsystemd-dev and libldns-dev (could be useful to add checks for these
dependencies to the configure script).
However, when compiling in a 14.04 environment, I get the error message:
libreswan-3.21/programs/pluto/pluto_sd.c:29:2: error: implicit
declaration of function 'sd_watchdog_enabled'
[-Werror=implicit-function-declaration]
int ret = sd_watchdog_enabled(0, &sd_usecs);
Digging deeper, "sd_watchdog_enabled" is not part of systemd/sd-daemon.h
in the 14.04 distribution, but is present in the 16.04 distribution. It
looks like the new version of libreswan will only compile with a recent
version of the systemd libraries.
Is this intentional and has support for older distributions been dropped?
Note: Ubuntu 14.04/Mint 17 is an LTS release and is still in wide use.
Tony Whyman
On 10/08/17 02:34, The Libreswan Project wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> The Libreswan Project has released libreswan-3.21
>
> This is a bugfix and feature release.
>
> New Features:
>
> This release features Opportunistic IPsec using DNSSEC lookups of
> IPSECKEY records. It also adds support for the DNSSEC root key rollover
> that is currently happening with support for loading new DNSSEC
> trust anchors from disk. If using DNSSEC with libreswan, please
> upgrade to this version before October 10, 2017.
> Support for hardware offloading for certain NIC cards (such as Mellanox)
> was added. PFS support was added to the CREATE_CHILD_SA Exchange.
>
> Important bugfixes:
>
> The ID handling code is now more strict when using certificates. Any
> ID configured via leftid= or rightid= MUST either be the certificate
> DN or be a SubjectAltName (SAN) on the certificate.
> A race condition in the threading code was fixed that could cause pluto
> to crash on loaded systems that use IKEv1 XAUTH or IKEv2 PAM
> authentication.
> A crasher in FIPS mode when input to hashing algorithms was too weak
> was fixed.
>
> Compatibility changes:
>
> The above mentioned stricter ID handling can cause existing connections
> to fail if a SubjectAltName is missing from a certificate whose ID is
> specified in the connection.
>
> You can download libreswan via https at:
>
> https://download.libreswan.org/libreswan-3.21.tar.gz
> https://download.libreswan.org/libreswan-3.21.tar.gz.asc
>
> The full changelog is available at:
> https://download.libreswan.org/CHANGES
>
> Please report bugs either via one of the mailinglists or at our bug
> tracker:
>
> https://lists.libreswan.org/
> https://bugs.libreswan.org/
>
> Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
> https://download.libreswan.org/binaries/
>
> Binary packages for Fedora and Debian should be available in their
> respective
> repositories a few days after this release.
>
> See also https://libreswan.org/
>
> v3.21 (August 9, 2017)
> * FIPS: Don't crash on too weak PSK's in FIPS mode, warn for non-FIPS
> [Andrew]
> * FIPS: rsasigkey: Use modulus F4, not 3 (FIPS 186-4, section B.3.1)
> [Paul]
> * pluto: Support for "idXXX" esp/ike transform IDs removed [Andrew,Paul]
> * pluto: Do not return whack error when terminating an alias connection
> [Paul]
> * pluto: Remove IKE policy bits on passthrough conns [Paul]
> * pluto: Minor memory leak fixes [Paul]
> * pluto: Fix memory leak due to addresspool reference count error
> [Antony]
> * pluto: Re-add support for ipsec whack --listevents [Antony]
> * pluto: Cleanup listed events on shutdown to please leak-detective
> [Antony]
> * pluto: Perform stricter SubjectAltName checks on configured ID's [Paul]
> * pluto: Handle *subnets in --route and --unroute via whack [Mika/Tuomo]
> * pluto: Unify IKEv1 XAUTH and IKEv2 PAM threading code [Andrew]
> * pluto: Use pthread_cancel() (not SIGINT, conflicts with debuggers)
> [Andrew]
> * pluto: Fix memory corruption with XAUTH/PAM threads [Andrew/Hugh]
> * pluto: Fix resource leak processing XAUTH password authentication
> [Andrew]
> * pluto: Fix warnings generated by gcc 7.1 [Lubomir Rintel]
> * pluto: NIC offload support nic-offload=auto|yes|no (eg mellanox)
> [Ilan Tayari]
> * pluto: Use common function in ikev1 / ikev2 for dpd/liveness actions
> [Antony]
> * NSS: Try harder finding private keys that reside on hardware tokens
> [Andrew]
> * IKEv2: Opportunistic IPsec support for IPSECKEY records [Antony]
> * IKEv2: New dnssec-enable=yes|no, dnssec-rootkey-file=,
> dnssec-anchors= [Paul]
> * IKEv2: If CREATE_CHILD_SA superseded retransmit, drop it [Antony]
> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.1) [Antony]
> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.2 responder)
> [Antony]
> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.3 responder)
> [Antony]
> * IKEv2: Flush ESP/AH proposals on the initiator. It could be stale
> [Antony]
> * IKEv2: State Machine (svm) updates to simplify CREATE_CHILD_SA [Antony]
> * IKEv2: DH role is based on message role not Original Initiator role
> [Antony]
> * IKEv2: Return CHILD_SA_NOT_FOUND when appropriate [Antony]
> * IKEv2: After an IKE rekey, rehash inherited Child SA to new parent
> [Antony]
> * IKEv2: Rekeying must update SPIs when inheriting a Child SA [Antony]
> * IKEv2: Decrypt and verify the payloads before calling processor [Andrew]
> * IKEv2: Fragmentation code cleanup [Andrew]
> * IKEv2: Drop CREATE_CHILD_SA message when no IKE state found [Antony]
> * IKEv2: Do not send a new delete request for the same Child SA [Antony]
> * IKEv2: During Child SA rekey, abort when ESP proposals mismatch
> [Antony]
> * IKEv2: OE client check should take responders behind NAT into
> account [Paul]
> * IKEv2: Improved dpdaction=hold processing [Antony]
> * IKEv1: Only initiate and create IKE SA for appropriate dpdaction
> [Antony]
> * IKEv1: Re-add SHA2_256 (preferred) and SHA2_512 to IKEv1 defaults
> [Andrew]
> * IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads [Paul]
> * IKEv1: Multiple CISCO_SPLIT_INC's cause duplicate spd_routes [Oleg
> Rosowiecki]
> * X509: Improve some failure logging [Paul]
> * XFRM: Use proper alignment for IPv4 AH as per RFC4302 Section
> 3.3.3.2.1 [Paul]
> * XFRM: Update including system or local copy of xfrm.h [Paul/Antony]
> * XFRM: Remove no longer needed {rt}netlink.h copies [Paul]
> * KLIPS: cryptoapi: switch from hash to ahash [Richard]
> * KLIPS: Add traffic accounting support [Richard/Paul]
> * KLIPS: Support for linux 4.11 [Paul]
> * lib: Move the alg_info lookup-by-name code to libswan [Andrew]
> * lib: Move all conditionally compiled ike_alg*.c files to libswan.a
> [Andrew]
> * addconn: Replace ttoaddr() with calls supporting DNSSEC [Paul/Antony]
> * libswan: Algo code cleanup [Andrew]
> * libipsecconf: Load specified RSA keys irrespective of policy [Paul]
> * libipsecconf/pluto: Be more strict in authby= & type= combinations
> [Paul]
> * libipsecconf: Fail to load connections with unsatisfied auto= clause
> [Hugh]
> * parser: Numerous algorithm parser fixes, eg. esp=aes_ccm_8_128-null
> [Andrew]
> * algparse: (Experimental) modified to run algorithm parser
> stand-alone [Andrew]
> * newhostkey: Actually append to secrets as the warning claims it will
> [Paul]
> * _updown.netkey: Fix syntax failure when PLUTO_MY_SOURCEIP is not set
> [Tuomo]
> * _updown.netkey,klips: Fix use of printf when updating resolv.conf
> [Tuomo]
> * _updown.netkey: Remove wrong use of PLUTO_PEER_CLIENT netmask [Tuomo]
> * _updown: Add MAX_CIDR variable for host netmask [Tuomo]
> * ipsec import: Trust bits correction did not always trigger [Tuomo]
> * building: Convert lib/ to use mk/library.mk [Andrew]
> * building: Work around rhel-6 gcc [Andrew]
> * building: Add copy unbound-event.h work around broken unbound
> installs [Paul]
> * packaging: Better split rpm and make variables [Paul]
> * packaging: Updates for new requirements for ldns, unbound-devel [Paul]
> * testing: Add DNSSEC, Opportunistic IPsec testcases, fixups [Multiple
> people]
> * contrib: Munin plugin for libreswan [Kim/Paul]
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJZi7foAAoJEIX/S0OzD8b5dzQP/jLS3XCt1LYZ4O74zbeli97X
> XoBLpooCNDxLHdgtxCfd7qY1v4aBCmXOyNheuWbloWUPVUKlUlpXdZrulM2Ny2TO
> IkaIjXKM5EdMJdCds6k8LzFaMGMYNAu4v56QFfnfKqOy2UKjNu5uhHan4A0n9jgK
> ORkNaoiLjqmhRXdCHfTGPxs4U5JbpBsezjq49tU3m4tyLAixr4YbJB5/kLc+/BOI
> gpkZ7cuH5PbC3Rv/ywpkhckSiUcZEC7A4//rXahM4QzzWXsi7RhO6mOG2oU+s6lU
> NSKoDqj2Km+NMoQuXlbEfPLPESvUU8buWQhLlItekvhMP1oWftl1/vzoQRtYp6ZS
> MTcgS6vmkCr08ZDejDdfdR2Cfb8D+/MBy2f0fk7lvkii3NXmoIm2TQhwHjXxlPob
> 1QqVyv/HVw6HkDCG3K9RHJcqSOvbcXNafv0XyHSkwMlnD/60wnMog9OuzGhPKtVL
> 26oFj4VeBO0LkiuDcYIf3LAblmsRnaxtNFBdat/L2dlBR9eKYXLKYG9LGai0iH+t
> 76TLvuH68f5PZHaxcjYOO5FN6CNFOmHYsyAVsU7smNpRWWJJiw8sSiJju5Sz/Hic
> JNSbw9zFUcIcxNPNVrISlhvTVd4zpld/RaPytHBP/+tFI5gxFBEdSxooqPURVyHw
> nDCCqZyGAnX1jLZNqpHY
> =/JN4
> -----END PGP SIGNATURE-----
> _______________________________________________
> Swan-announce mailing list
> Swan-announce at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-announce
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>