Tags: tisj/libreswan
* FIPS: Don't crash on too weak PSK's in FIPS mode, warn for non-FIPS… … [Andrew]
* FIPS: rsasigkey: Use modulus F4, not 3 (FIPS 186-4, section B.3.1) [Paul]
* pluto: Support for "idXXX" esp/ike transform IDs removed [Andrew,Paul]
* pluto: Do not return whack error when terminating an alias connection [Paul]
* pluto: Remove IKE policy bits on passthrough conns [Paul]
* pluto: Minor memory leak fixes [Paul]
* pluto: Fix memory leak due to addresspool reference count error [Antony]
* pluto: Re-add support for ipsec whack --listevents [Antony]
* pluto: Cleanup listed events on shutdown to please leak-detective [Antony]
* pluto: Perform stricter SubjectAltName checks on configured ID's [Paul]
* pluto: Handle *subnets in --route and --unroute via whack [Mika/Tuomo]
* pluto: Unify IKEv1 XAUTH and IKEv2 PAM threading code [Andrew]
* pluto: Use pthread_cancel() (not SIGINT, conflicts with debuggers) [Andrew]
* pluto: Fix memory corruption with XAUTH/PAM threads [Andrew/Hugh]
* pluto: Fix resource leak processing XAUTH password authentication [Andrew]
* pluto: Fix warnings generated by gcc 7.1 [Lubomir Rintel]
* pluto: NIC offload support nic-offload=auto|yes|no (eg mellanox) [Ilan Tayari]
* pluto: Use common function in ikev1 / ikev2 for dpd/liveness actions [Antony]
* NSS: Try harder finding private keys that reside on hardware tokens [Andrew]
* IKEv2: Opportunistic IPsec support for IPSECKEY records [Antony]
* IKEv2: New dnssec-enable=yes|no, dnssec-rootkey-file=, dnssec-anchors= [Paul]
* IKEv2: If CREATE_CHILD_SA superseded retransmit, drop it [Antony]
* IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.1) [Antony]
* IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.2 responder) [Antony]
* IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.3 responder) [Antony]
* IKEv2: Flush ESP/AH proposals on the initiator. It could be stale [Antony]
* IKEv2: State Machine (svm) updates to simplify CREATE_CHILD_SA [Antony]
* IKEv2: DH role is based on message role not Original Initiator role [Antony]
* IKEv2: Return CHILD_SA_NOT_FOUND when appropriate [Antony]
* IKEv2: After an IKE rekey, rehash inherited Child SA to new parent [Antony]
* IKEv2: Rekeying must update SPIs when inheriting a Child SA [Antony]
* IKEv2: Decrypt and verify the payloads before calling processor [Andrew]
* IKEv2: Fragmentation code cleanup [Andrew]
* IKEv2: Drop CREATE_CHILD_SA message when no IKE state found [Antony]
* IKEv2: Do not send a new delete request for the same Child SA [Antony]
* IKEv2: During Child SA rekey, abort when ESP proposals mismatch [Antony]
* IKEv2: OE client check should take responders behind NAT into account [Paul]
* IKEv2: Improved dpdaction=hold processing [Antony]
* IKEv1: Only initiate and create IKE SA for appropriate dpdaction [Antony]
* IKEv1: Re-add SHA2_256 (preferred) and SHA2_512 to IKEv1 defaults [Andrew]
* IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads [Paul]
* IKEv1: Multiple CISCO_SPLIT_INC's cause duplicate spd_routes [Oleg Rosowiecki]
* X509: Improve some failure logging [Paul]
* XFRM: Use proper alignment for IPv4 AH as per RFC4302 Section 3.3.3.2.1 [Paul]
* XFRM: Update including system or local copy of xfrm.h [Paul/Antony]
* XFRM: Remove no longer needed {rt}netlink.h copies [Paul]
* KLIPS: cryptoapi: switch from hash to ahash [Richard]
* KLIPS: Add traffic accounting support [Richard/Paul]
* KLIPS: Support for linux 4.11 [Paul]
* lib: Move the alg_info lookup-by-name code to libswan [Andrew]
* lib: Move all conditionally compiled ike_alg*.c files to libswan.a [Andrew]
* addconn: Replace ttoaddr() with calls supporting DNSSEC [Paul/Antony]
* libswan: Algo code cleanup [Andrew]
* libipsecconf: Load specified RSA keys irrespective of policy [Paul]
* libipsecconf/pluto: Be more strict in authby= & type= combinations [Paul]
* libipsecconf: Fail to load connections with unsatisfied auto= clause [Hugh]
* parser: Numerous algorithm parser fixes, eg. esp=aes_ccm_8_128-null [Andrew]
* algparse: (Experimental) modified to run algorithm parser stand-alone [Andrew]
* newhostkey: Actually append to secrets as the warning claims it will [Paul]
* _updown.netkey: Fix syntax failure when PLUTO_MY_SOURCEIP is not set [Tuomo]
* _updown.netkey,klips: Fix use of printf when updating resolv.conf [Tuomo]
* _updown.netkey: Remove wrong use of PLUTO_PEER_CLIENT netmask [Tuomo]
* _updown: Add MAX_CIDR variable for host netmask [Tuomo]
* ipsec import: Trust bits correction did not always trigger [Tuomo]
* building: Convert lib/ to use mk/library.mk [Andrew]
* building: Work around rhel-6 gcc [Andrew]
* building: Add copy unbound-event.h work around broken unbound installs [Paul]
* packaging: Better split rpm and make variables [Paul]
* packaging: Updates for new requirements for ldns, unbound-devel [Paul]
* testing: Add DNSSEC, Opportunistic IPsec testcases, fixups [Multiple people]
* contrib: Munin plugin for libreswan [Kim/Paul]
v3.20 (March 14, 2017)
* pluto: Add ECP dh19(secp256r1), dh20(secp384r1) and dh21(secp521r1) [Andrew]
* pluto: Add dh= aliases for all modp= groups (eg "dh2" for "modp1024") [Paul]
* pluto: Add statistics support to ipsec whack --globalstatus [Paul]
* pluto: Add statistics clearing support using ipsec whack --clearstats [Paul]
* pluto: Fix use-after-free in whack event handler (since v3.19) [Andrew]
* pluto: Cleanup kernel_netlink.c [Hugh]
* pluto: Print AH= algorithm and ESN when established [Paul/Andrew]
* pluto: strip file path from abort messages [Andrew]
* pluto: Support initiating template conn with --remote-host <ipaddr> [Paul]
* pluto/libswan: Change most ttoaddr() to ttoaddr_num() to prevent DNS [Paul]
* pluto: fix use-after-free with EVENT_v2_RELEASE_WHACK [Andrew]
* pluto: orient() asserted on SPLIT_INC without remote-peer-type=cisco [Paul]
  (reported by Oleg Rosowiecki)
* pluto: accurately size a buffer for the decimal representation [Hugh]
  (debian bug 853507)
* pluto: avoid gcc unused variable warnings when USE_KLIPS=false [dkg]
* pluto: Support for Linux systems without IFA_F_TENTATIVE (CentOS5) [Paul]
* pluto: Ignore uniqueids= for roadwarrior PSK and assume non-unique [Paul]
* IKEv2: CREATE_CHILD support for Parent SA and Child SA rekeying [Antony]
* IKEv2: Various refactoring for CREATE_CHILD support [Antony]
* IKEV2: OE/CAT: Don't send CP request when responder is behind NAT [Antony]
* IKEv2: log first notify payload when we receive a Notify Error [Paul]
* IKEv2: Fix memory leak in DH secret calculation (since v3.9) [Andrew]
  (reported by Eric Andresson)
* IKEv2: If re-entering ikev2_crypto_start(), reset msgid [Paul]
* IKEv2: prevent copying bogus peer id when ID kind is IPv4/IPv6 [Paul]
  (rhbz#1392191)
* IKEv2: suppress DELETE notifies for connections being replaced [Paul]
* IKEv2: re-instate ISAKMP_SA_established() [Paul]
* IKEv1: For IKE (phase 1), prefer 256-bit encryption [Andrew]
* IKEv1: Print conn algo's when using XAUTH [Andrew]
* IKEv1: Simplify ike= defaults (drop MODP1024, MD5, add MODP2048) [Andrew]
* IKEv1: Prefer 256-bit keys over 128-bit keys for IKE [Andrew]
* IKEv1: Also call ISAKMP_SA_established() in Aggressive Mode [Paul]
* newhostkey: Convert remaining --configdir for --nssdir [Tuomo]
* barf: Ensure proper macros are used. Add certutil/crlutil output [Paul]
* misc: Fix various spelling errors in code/comments/man pages [dkg]
* packaging: spec files should use 0 and 1, not true and false [David Arnold]
* building: NSS_REQ_AVA_COPY?=true to support new NSS lib export fix [Paul]
* building: Remove no longer needed NSSCERT_CheckCrlTimes() copy [Paul]
* building: fetch: remove support for ancient LDAP version 2 [Tuomo]
* building: move whack to separate programs/whack/ directory [Andrew]
* building: Various Makefile variable cleanups and double link fixes [Andrew]
* building: Don't check runtime for SElinux/systemd with DESTDIR [Paul]
* documentation: added oe-letsencrypt-* example configs [Paul]
- Improved CREATE_CHILD_SA support
- Delete older instances of connections
- IKEv2: prevent copying bogus peer id when ID kind is IPv4/IPv6
- IKEv2: the initiator sends initial_contact if configured
- IKEv1: Proposal cleanup
- pluto: orient() could lead to a crash when using SPLIT_INC without remote-peer-type=cisco
v3.19 (January 15, 2017)
* NSS: Support for configurable nss dir via @IPSEC_NSSDIR@ [dkg/Tuomo]
* FIPS: Only pluto needs a .hmac file, reducing crypto boundary [Paul]
* FIPS: do not allow DBG_PRIVATE to be set when running in FIPS mode [Paul]
* FIPS: Ignore failureshunt=passthrough and negotiationshunt=passthrough [Paul]
* FIPS: Filter default proposals of non-FIPS allowed proposals [Andrew]
* FIPS: Added CAVP test for pluto GCM code [Andrew]
* FIPS: More cleanup of crypto related structs and functions [Andrew]
* FIPS: Implement SHA based PRFs directly in NSS [Andrew]
* FIPS: Support for CAVP testing 'HMAC construct' based SHA PRF code [Andrew]
* IKEv2: Don't crash on bogus mixed protocol Delete Payloads [Hugh/Paul]
* IKEv2: Add asymmetric AUTH support (leftauth= and rightauth=) [Antony/Paul]
* IKEv2: refactored AUTH handling payload into v2_check_auth() [Paul]
* IKEv2: support CERT chain sending [Paul]
* IKEv2: Allow CERT and CERTREQ payloads multiple times [Paul]
* IKEv2: do not attempt to send notify in reply to IKE_AUTH reply [Paul]
* IKEv2: When receiving DELETE, ensure expire+restart when needed [Antony]
* IKEv1: If a queued up DPD probe finds no IKE SA, create a new one [Paul]
* IKEv1: accept_delete() check if IKE SA is shared before deleting [Paul]
* IKEv1: Remove ADNS, DNS continuations and IKEv1 OE code [Paul/Antony]
* IKEv1: Schedule IPsec SA REPLACE immediately when receiving DELETE [Antony]
* IKEv1: Some IKE SA failure on initiator could lead to hanging whack [Paul]
* KLIPS: fix for unregister_netdevice() for Linux 3.6.11 and up [Richard/Paul]
* XFRM: EXPERIMENTAL Support for configuring IP address on the VTI device [Paul]
  keyword: leftvti=address/mask
* XFRM: Fix NAT-T support when userland compiled without KLIPS support [Paul]
* X509: Obsolete /etc/ipsec.d/crls (load_crls()) and whack --rereadcrls [Paul]
* X509: New whack --fetchcrls (alias ipsec crls) to trigger a fetch [Paul]
* X509: Iterate all X.509 certs and try to fetch their crls [Kim]
* X509: Start a fetch for CRLs 5 seconds after startup [Kim]
* X509: --rereadcrls no longer overwrites newer CRLs with older ones [Paul]
* X509: log the NSS error when CERT_ImportCerts() fails [Paul]
* X509: Don't attempt to fetch crl->uri when not present [Paul/Matt]
* X509: Additional OCSP options to tweak the cache and fetch method [Paul]
  (new keywords: ocsp-method ocsp-cache-size ocsp-cache-min-age ocsp-cache-max-age)
* X509: Fix memory leak in certificate handling (lsbz#278) [William Rios]
* X509: Fix memory leak in certificate chain handling [Matt]
* pluto: close whack socket in add_pending when dup pending is skipped [Hugh]
* pluto: Avoid adding duplicate bare shunts causing lockup [Paul]
* pluto: drop modp1024 (DH2) from IKEv1 "ike=" default list [Andrew]
* pluto: send_packet() now refuses to send a packet to 0.0.0.0 [Paul]
* pluto: find_hostpair ignore CK_INSTANCES which are ID_NULL [Antony]
* pluto: Fix ca name and generalName leak lsbz#276 [Bill Rios]
* pluto: EXPERIMENTAL SECCOMP support (seccomp=enabled|tolerant|disabled) [Paul]
* pluto: connection instances need their own reqid [Antony]
  (this resolves multiple clients behind same NAT router issue)
* pluto: Use a global reqid counter instead of looping every time [Paul]
* pluto: use sets instead of nested loops for transform processing [Andrew]
* pluto: Prefer not switching connections when possible [Paul/Hugh]
* pluto: Move unique mark from rw_instantiate() to instantiate() for OE [Paul]
* pluto: log more information when a bare shunt is missing [Hugh]
* pluto: redo process_encrypted_informational_ikev2 [Hugh]
* pluto: Add new config option encapsulation=auto|yes|no [Paul/Patrick Kerpan]
  replacing forceencaps=yes|no
* pluto: No longer log bogus reapchildren warning [Paul]
* libipsecconf: remove last remnants of manual keying [Paul]
* libipsecconf: remove auth= alias for phase2= [Paul]
* _updown.netkey: Move addcat call from route-host to up-client [Paul]
* ipsec: initnss|import use --nssdir for nssdb directory option [Tuomo]
* newhostkey: use --nssdir for nssdb directory option [Tuomo]
* showhostkey: use --nssdir for nssdb directory option [Tuomo]
* barf: minor improvements with systemd/journalctl [Paul]
* verify: fix "with FIPS" output to print OK [Paul]
* _stackmanager: add cmac and chacha20poly1305 to modprobe list [Paul]
* building: libreswan assumes -std=gnu99 when building [Andrew]
* building: USE_EXTRACRYPTO replaced by USE_SERPENT and USE_TWOFISH [Paul]
* building: Disable DH22 by default. To re-enable use USE_DH22=true [Paul]
* building: work around flex 2.5.4 (CentOS 5); use: -o/output/file [Andrew]
* sysvinit: remove unnecessary warnings about already stopped pluto [Tuomo]
* initsystems: Enable "systemctl help ipsec" [dkg]
* testing: various web output fixes (see testing.libreswan.org) [Andrew]
* testing: various test updates / additions [Paul/Antony]
* documentation: fixup changes in GPL 2.0 / LGPL like FSF address [dkg]
* Bugtracker bugs fixed:
  libreswan#270 newhostkey: text output produces 1 character bug in pubkey [Andrew]
  libreswan#272 Option --leak-detective causes assertion failure [Bill / Paul]
  libreswan#277 pluto: fix pluto events leak in timer_event_cb [Bill Rios]
  libreswan#152: ipsec whack --initiate for xauth does not release whack [Paul/Hugh]
v3.18 (July 27, 2016)
* SECURITY: CVE-2016-5391: IKEv2 proposal lacking DH causes restart [Andrew]
* XFRM: EXPERIMENTAL Support for NAT OE Client Address Translation (leftcat=) [Antony]
* XFRM: EXPERIMENTAL Support for routed-VPNs using VTI [Paul/Tuomo]
  keywords: vti-interface=<name> vti-routing=yes|no vti-shared=yes|no
* XFRM: EXPERIMENTAL Support for Traffic Flow Confidentiality tfc=XXX [Paul]
* KLIPS: Fix for /proc/net/pf_key oops on < 4.4 [Erik Andersson]
* KLIPS: Fix overwriting the sk pointer in 4.4 kernels [Ofer Heifetz]
* FIPS: Only the pluto binary needs a fipscheck .hmac file for self-test [Paul]
* FIPS: Change SA_LIFE_DURATION_MAXIMUM from 1 day to 8h [Paul]
* FIPS: Do not allow Linux-style sha2 truncation for ESP in FIPS mode [Paul]
* FIPS: Allow PSK in FIPS mode. This was erroneously not allowed [Paul]
* FIPS: Added new ipsec whack --fipsstatus [Paul]
* IKEv2: For default proposals, prefer MODP2048 over MODP1536 [Andrew]
* IKEv2: For proposals like ike=aes-sha2, prefer AES_256 over AES_128 [Andrew]
* IKEv2: For default ESP proposals, include and prefer AES_GCM [Andrew]
* IKEv2: For default ESP/AH proposals, do not propose MD5 integrity [Andrew]
* IKEv2: Add MODP3072 to defaults to ease interop with strongswan [Andrew]
* IKEv2: Prefer sha2-512 over sha2-256 for ESP to avoid linux bug [Andrew]
* IKEv2: fix use of ikev2_cert_req_fields [Lubomir Rintel]
* IKEv2: Extend and improve notify handling [Paul]
* IKEv2: Update ike endpoint as per rfc7296#section-2.23 [Antony/Paul]
* IKEv2: If first liveness probe failed, we never noticed liveness failure [Paul]
* pluto: Extend mark= support for mark-in= and mark-out= [Paul]
* pluto: implement unique marks by using mark=-1 [Paul]
* pluto: Add systemd watchdog support via USE_SYSTEMD_WATCHDOG [Matt/Paul]
* pluto: Follow connaddrfamily when resolving hostnames [Daniel M. Weeks]
* pluto: Check enum names consistency on startup [Hugh]
* pluto: Log mismatched DH group (KE payload) to log (not debug) [Andrew]
* pluto: Don't try to delete non-existing ipsec sa's (github libreswan#50) [Paul]
* pluto: Prevent double free of id data [Hugh]
* pluto: Avoid crashing on gaining remote ip locally (rhbz#1229766) [Paul]
* pluto: ESN could use uninitialised values and fail [Paul/Andrew]
* X509: Try subsequent crl distribution points when first one fails [Kim]
* whack: Display IPv4 lease address in --trafficstatus [Andrew]
* libipsecconf: New keyword left/rightckaid=XXX [Andrew]
* libipsecconf: Remove legacy keyword subnetwithin= [Hugh]
* libipsecconf: Clean out kv_auto / kv_manual attributes [Hugh]
* updown: Add SPI_IN= and SPI_OUT= to updown scripts [Paul]
* programs: Removed obsoleted ikeping and livetest [Paul]
* newhostkey: No longer touch any secret files [Andrew]
* showhostkey: Only look at NSS - don't require ipsec.secrets [Andrew]
* libswan: Fix unbound dnsctx handling [Hugh/Paul]
* libswan/libipsecconf: Clean up SECRETS code [Andrew]
* libswan: Delete getNSSPassword; replaced by lsw_nss_get_password [Andrew]
* addconn: Find peer IP address when resolving default route [Daniel M. Weeks]
* barf: If systemd detected, use journalctl to get logs [Paul]
* building: The make variable NSSLIBS was renamed to NSS_LDFLAGS [Andrew]
* building: Fix building without DNSSEC support [Hugh/Paul]
* packaging: Updates for debian packaging [dkg]
* initsystem: Add docker support using 'make INITSYSTEM=docker' [Kim]
* ipsec import: Add --configdir|--ipsecdir option for nss db location [Tuomo]
* _import_crl: Fix to work with nsspasswd [Andrew]
* _stackmanager: Remove loading of hardware random modules [Tuomo]
* _stackmanager: hide error if /proc/sys/net is read-only (i.e. docker) [Kim]
* ipsec: remove run by root check for Neutron/VPNaaS [Tuomo]
* ipsec: add option [--configdir|--ipsecdir /etc/ipsec.d] [Tuomo]
* testing: Various improvements for running tests, include web tree [Andrew]
* testing: New makefile targets, see 'make kvm-help' [Andrew]
* testing: pluto support for --expire-bare-shunt <interval> [Paul]