v3.29 (June 10, 2019)

* SECURITY: Fixes CVE-2019-10155 https://libreswan.org/security/CVE-2019-10155
* programs: Change to /proc/sys/net/core/xfrm_acq_expires to detect XFRM [Paul]
* barf: Fix shell script parse error and small cleanup [Tuomo/Hugh]
* packaging: fedora30 requires gcc to be listed as BuildRequires: [Paul]
* packaging: rhel6 doesn't need USE_AVA_COPY=true or WERROR_CFLAGS= [Tuomo]
* packaging/rhel6: remove -lrt, not needed any more [Tuomo]
* systemd: change Restart default to on-failure [Tuomo]
* building: Makefiles: Use RT_LDFLAGS for glibc < 2.17 support [Tuomo]
* building: userland-cflags.mk: add RT_LDFLAGS= for older glibc [Tuomo]

v3.28 (May 20, 2019)

* KLIPS: Disable KLIPS userland support per default [Paul]
         WARNING: Support for KLIPS will be removed in 2019
* MAST: Removed support for MAST variant of KLIPS stack [Paul]
* IKE: Change default connection from IKEv1 to IKEv2 [Paul]
* IKEv2: Don't try to encrypt notify response without SKEYSEED [Andrew/Paul/Hugh]
* IKEv2: ikev2= keyword changed to only accept "yes" or "no" [Paul]
* IKEv2: Support for REDIRECT (RFC 5685) [Vukasin Karadzic/GSoC]
         (new keywords redirect-to, accept-redirect, global-redirect=
          global-redirect-to and new ipsec whack --redirect command
* IKEv2: Initialize daily secret used for DCOOKIES [Paul/Andrew]
* IKEv2: Extend narrowing code to support protoports [Andrew/Paul]
* IKEv2: Fix bug that prevented AH from rekeying [Andrew]
* IKEv2: IKE SA rekey could lead to losing track of Child SA [Andrew/Antony]
* IKEv2: A spurious DH calculation was performed and disgarded [Andrew]
* IKEv2: Support for IPCOMP (compress=yes) [Paul]
* IKEv2: Initialize NAT keepalives check on IKE SA establishment [Paul]
* IKEv2: Only sent NAT keepalives for IKE states (supresses IPsec dups) [Paul]
* IKEv2: Timeout in receiving IKE_AUTH reply would abort connection [Paul]
* IKEv2: Add ECP384, ECP521 and CURVE25519 to default IKEv2 proposal [Paul]
* IKEv2: Remove SHA1 from default IKEv2 proposal [Paul]
* IKEv2: Delete on auto=start conn would not restart (introduced in 3.23) [Paul]
* IKEv2: Compact proposals to prevent fragmentation of IKE_INIT [Andrew]
* IKEv2: Fix opportunistic group policy on /32 groupinstances on delete [Paul]
* IKEv2: Fix opportunistic /32 on non-defaultroute interface [Paul]
* IKEv2: Do not send two requests for IKEv2_INTERNAL_IP4_ADDRESS [Paul]
* IKEv2: Show payload structure of received packet in RFC notation [Andrew]
* IKEv2: Release whack when peer ID is wrong [Paul]
* IKEv2: Hardened PPK code and fixed memory leaks [Hugh]
* IKEv2: Use less resources under DDoS attack to send/process COOKIES [Andrew]
* IKEv2: Delete partial Child SA states that can never establish [Paul]
* IKEv2: Remove SHA1 from default proposals [Paul]
* IKEv2: Add ECP groups and Curve25519 to default proposal [Paul]
* IKEv2: Fix AH rekeying (handle not having encrypter [Paul]
* IKEv2: NAT-T keepalives did not start if only IKEv2 conns were in use [Paul]
* IKEv2: Drop IKE_SA_INIT requests with non-zero SPIr [Andrew]
* IKEv2: On rekey, sometimes a CHILD SA was lost (wrong hash slot) [Andrew]
* IKEv1: Don't leave a dangling pointer after IKE SA delete [Paul/Hugh]
* IKEv1: Only sent NAT keepalives for IPsec states (supresses 1 dup) [Paul]
* IKEv1: Do not activate DPD when peer does not support it [Paul]
* IKEv1: Reject key sizes <= 0 properly instead of crashing [Paul]
* IKEv1: Fix Aggressive Mode interop with Volans Technology [wuwei29]
* IKEv1: Remove bogus "duplicate Delete" check causing Windows 1m outage [Paul]
* IKEv1: If whack socket not there for passwd input, return STF_FATAL [Paul]
* IKEv1: Remove Win98 workaround ignoring IPsec SA deletes in first 60s [Paul]
* X509: Do not keep received CERTs beyond the connection lifetime [Andrew]
* X509: Support for NSS IPsec profiles mbz#1252891 [Kai Engbert/Paul]
* X509: Don't fail validation on critical flag in Key Usage payloads [Paul]
* X509: Fix ocsp-method=get|post to actually skip get when asked) [Stepan Broz]
* X509: Fix various leaks [Hugh, Andrew]
* X509: Cache contents read from NSS database for performance [Andrew]
* pluto: Re-initialize (w backoff) conns that should remain "up" [Paul/Hugh]
* pluto: Use any sent IKE message to reset the DPD/liveness counter [Paul]
* pluto: Add timing information to packet processing [Andrew]
* pluto: Significant performance improvements for conns and certs [Andrew]
* pluto: Simplify state lookups and SPI passing [Andrew]
* pluto: Speed up state lookups by only looking at proper hash chain [Andrew]
* pluto: metric= value should accept values > 255 [Tuomo]
* pluto: New "cpu-usage" plutodebug option displaying timing info [Andrew/Paul]
* pluto: Refuse to load connections with TFC and AH or Transport Mode [Paul]
* pluto: Fix memory leak in CERTREQ sending [Hugh]
* pluto: Revive (with back-off) auto=start conns that receive Delete/Notify [Paul]
* pluto: Show all activated impairments in ipsec status [Andrew]
* pluto: Do not load a connection if its certificate has a problem [Andrew]
* pluto: Handle case when external use deletes certificate from NSS [Andrew]
* pluto: Fix resource leaks [Andrew/Hugh]
* pluto: Improve and extend pluto statistics [Paul]
* pluto: Deleting a connection should bring it down first to run _updown [Paul]
* pluto: Revive auto=start conns that receive Delete/Notify [Paul/Hugh/Andrew]
* pluto: Refuse to load connections with unsupported type=transport [Paul]
* pluto: Refuse to load connections with TFC and AH or Transport Mode [Paul]
* addconn: Fix crash on startup with dnssec-enable=no [Stepan Broz]
* libswan: Only use valid ephemeral ports for libunbound context [Stepan Broz]
* libswan: Do not process DNSSEC root key or trust anchors when disabled [Paul]
* libipsecconf: conn %default content could get overwritten rhbz#1704085 [Hugh]
* libipsecconf: Allow IKEv2 style ike/esp proposals using '+' symbol [Andrew]
  (example: ike=aes_gcm+chacha20_poly1305,aes-sha2+sha1)
* libipsecconf: Updated defaults for filling in proposal elements [Andrew]
  (drop sha1, sha2_512 before sha2_256 for esp, lots of new DH groups)
* libipsecconf: Be more tolerant of duplicate proposals and 'none' DH [Andrew]
* confreadwrite: Fix double host printing, line and bad ikev2=UNKNOWN [Paul]
* ipsec: Add "ipsec traffic" as shorthand for "ipsec trafficstatus" [Paul]
* ipsec: Add "ipsec brief" as shorthand for "ipsec briefcstatus" [Paul]
* _stackmanager: Do not attempt to load PF_KEY (af_key.ko) module [Paul]
* whack: Fix option name to and documentation of ms-dh-downgrade [Tuomo]
* whack: Two new impairments: del-with-notify and bad-ikev2-xchg [Andrew/Paul]
* whack: Fix non operational connection flags / arguments [Daniel Kautz]
* whack: Add new --briefstatus which skips showing all states [Paul]
* auto: Fix replace operation for when changing from subnet= to subnets= [wuwei29]
* verify: Removed broken IP forwarding check [Paul]
* FIPS: X.509 minimum public key size check was rejecting valid keys [Paul]
* FIPS: Disallow AES-XCBC from PRF/INTEG, Allow AES-GMAC [Paul]
* FIPS: Fixup FIPS_IKE_SA_LIFETIME_MAXIMUM to 24h as per NIST SP 800-77 [Paul]
* FIPS: Force IKE maximum lifetime of 24h (default is 1h) [Paul/Vukasin]
* XFRM: Use netlink for last remaining obsolete PF_KEY API API calls [Antony]
* XFRM: Clean up and aadd logging to IPsec SA for nic-offload= [Hugh/Paul]
* XFRM: Set default XFRM_LIFETIME_DEFAULT to 30 (was 300) [Paul]
* libswan: Fix leaks in badly formed secrets/ppk_id [Vukasin Karadzic]
* libswan: Don't crash on mangled PSK or PPK secrets [Vukasin Karadzic]
* initsystems/systemd: Install tmpfiles config when installing unitfile [Tuomo]
* barf: No longer look for netstat, ifconfig and mii-tool [Paul]
* building: Sort all wildcarded object files for build reproducibility [dkg]
* building: Update NSS includes to not use obsoleted header files [Paul/Andrew]
* building: USE_NSS_AVA_COPY ?= false, only needed with NSS < 3.30 [Tuomo]
* building: USE_UNBOUND_EVENT_H_COPY ?= false, enable only for [Tuomo]
            unbound <= 1.7.3 without unbound-event.h
* building: Fix UNBOUND_VERSION testing so result compiles on Fedora 29 [Hugh]
* building: USE_NSS_IPSEC_PROFILE ?= true, Requires nss >= 3.41 [Tuomo]
* building: Support for unbound > 1.8.0 [Antony]
* building: Update XFRM headers [Antony]
* building: Add 'make install-rpm-dep' and 'make install-deb-dep' [Antony]
* testing: Lots of new and improved test cases [lots of people]
* packaging: Add a spec file for RHEL8/CentOS8 [Paul]
* packaging: debian: explicitly set ARCH for reproducibility [dkg]
* packaging: debian updates [Antony/Paul]

v3.27 (October 7, 2018)

* XFRM: SA marks must be included for delete operation [Tijs Van Buggenhout]
* pluto: Resolve a crasher in ECDSA freeing code [Hugh/Sahana]
* pluto: Resolve a hang when recursively loading same config file [Hugh]
* pluto: Refuse to load conns with different subnet address families [Paul]
* IKEv2: Fix regression on ID_NULL causing a new conn instance [Paul]
* IKEv1: Drop duplicates when not a reply [Andrew]
* IKEv1: Don't respond with errors to invalid encrypted packets [Andrew]
* IKEv1: Don't print empty informational warning on delete payload [Paul]
* IKEv1: Don't add spurious ESP-NULL proposal to AH proposals [Andrew]
* whack: Release whack socket on IKE_AUTH errors [Andrew]
* libswan: fix buffer size to getnameinfo() call in resolve_ppp_peer() [Hugh]
* libipsecconf: Don't accidentally clear modecfgdomains= entries [Andrew]
* building: Fixup NSS includes and links (fixes Debian builds) [Andrew/Paul]
* documentation: Update (L)GPL license links and http -> https links [dkg]
* Bugtracker bugs fixed:
   libreswan#177 left=%defaultroute not working when "src" in the default route [Kim]
   libreswan#80 VTI interface vanishes when peer goes down and up [yu-shiba]

v3.26 (September 16, 2018)

* IKEv2: Support for RSA-PSS (RFC 7427) via authby=rsa-sha2 [Sahana Prasad]
* IKEv2: Support for ECDSA (RFC 7427) via authby=ecdsa-sha2 [Sahana Prasad]
* IKEv2: Use DER handling code of NSS instead of our custom code [Andrew]
* IKEv2: Fix core dump when impaired and proposing esp=null-none [Andrew]
* IKEv2: Fix traffic selector lookup for asymmetric conns [Andrew/Paul]
* IKEv2: Add IKE and ESP support for chacha20poly1305 (RFC 7634) [Andrew]
* IKEv2: Fix leaks in ikev2_calculate_rsa_hash [Hugh]
* IKEv2: Simplify proposal generating [Hugh]
* IKEv1: Fix handling XAUTH empty passwords [Andrew]
* IKEv1: Fix XAUTH message padding [Hugh]
* IKEv1: Various code cleanup, next payload handling [Hugh]
* IKEv1: fix optional key-length regression (in v3.25) with ESP prop [Andrew]
* IKEv1: Don't delete replaced IKE SA, it confuses third party clients [Paul]
* pluto: Relax strictness of DH in ESP/AH proposals [Andrew]
* pluto: Fix for two roadwarriors using ID_IPv4 behind same NAT [Paul]
* pluto: Do not hand out old lease address for authby=secret conns [Paul]
* pluto: new --selftest option that exits pluto after startup tests [Paul]
* pluto: Updated known Vendor ID table [Paul]
* XFRM:  Don't call init_pfkey() on boot so Linux upstream can kill it [Andrew]
*_unbound-hook: Fixup adding IPv4 pubkey, unbound now quotes arg as 1 [Paul]
* building: Fix listed patches for debian build [Paul]
* building: enable DH31 (curve25519) per default [Paul]
* testing: prepare to migrate from f22 to f28 [Andrew, Antony, Paul]
* Bugtracker bugs fixed:
   libreswan#166 IPsec/XAuth reusing lease for multiple clients behind same NAT [Paul]

v3.25 (June 27, 2018)

* IKEv2: MOBIKE Initiator support (RFC 4555) [Antony]
* IKEv2: Support for IKE SA rekeying RFC7296 1.3.2, initiator [Antony]
* IKEv2: Support for IPsec SA rekeying RFC7296 1.3.3, initiator [Antony]
* IKEv2: Support for IKE SA reauth=yes|no RFC7296  2.8.3 [Antony]
* IKEv2: Temporarilly disable Liveness/DPD when MOBIKE kick in [Antony]
* IKEv2: No longer allow contradicting esp= and pfs= options [Andrew]
* IKEv2: PPK support for authby=rsasig [Vukasin Karadzic]
* IKEv2: IANA INTERNAL_DNSSEC_TA allocation added [Paul]
* IKEv2: Add PPK support to authby=rsasig [Vukasin]
* IKEv2: Don't calculate NO_PPK_AUTH when the POLICY is INSIST [Vukasin]
* IKEv2: fix PPK when responder is ppk=no but has a valid PPKID [Paul/Vukasin]
* IKEv2: Support for protoport based Opportunistic IPsec [Paul]
* IKEv2: Support multiple authby values (eg authby=rsasig,null) [Paul]
* IKEv2: Support for AUTHNULL fallback via private use Notify [Vukasin]
* IKEv2: Fix v3.23 regression causing liveness check to always fail [Tuomo]
* IKEv2: Support for Microsoft rekey bug: ms-dh-downgrade=yes|no [Andrew/Paul]
* IKEv2: Allow switching between OE instances with different protoports [Paul]
* IKEv2: process INITIAL_CONTACT and delete old states from a connection [Paul]
* IKEv2: Only retransmit fragments on receiving first fragment [Andrew]
* IKEv2: When sending fragments, also update st_msgid_lastreplied [Paul]
* IKEv2: Encrypt IKE_AUTH reply when authenticaion failed [Andrew]
* IKEv2: Fix handling of corrupt encrypted packets [Andrew]
* IKEv2: Do not call ISAKMP_SA_established() during CREATE_CHILD_SA [Paul]
* IKEv2: When receiving Initial Contact, delete old IPsec SA's [Paul]
* IKEv2: Harden IP triggered OE with new dns-match-id=yes|no [AntonyPaul]
* IKEv2: Add PRF/INTEG support for AES_XCBC / AES_CMAC [Andrew]
* IKEv2: permit DH=none (as in esp=aes;none,aes;dh22) [Andrew]
* IKEv1: Prevent crashes with IKEv1 mistakenly allowing narrowing=yes [Paul]
* IKEv1: DPD was not getting scheduled (bug introduced in 3.23) [Paul]
* IKEv1: modecfg_send_set() must not ignore failure of modecfg_resp() [Hugh]
* X509: Extend support for wildcard certs matching remote peer ID [Paul/Hugh]
* X509: Support PKCS7 for Microsoft interop with intermediate certs [Andrew]
* X509: Handle CRL fetching in separate thread [Andrew]
* pluto: Obsoleted connaddrfamily= (fixes 6in4 and 4in6) [Paul]
* pluto: New hostaddrfamily= and clientaddrfamily= (only needed w DNS) [Paul]
* pluto: Cleanup of state/md passing code [Andrew]
* pluto: Allow switching back from wrong instance to template conn [Paul]
* pluto: disentangle IKEv1 and IKEv2 packet sending code [Andrew]
* pluto: Allow rightsubnets= without leftsubnet(s)= [Paul]
* pluto: don't share IP leases for authby=secret (in case of group ID) [Paul]
* pluto: Parser bug prevented 4in6 config [mhuntxu at github, Daniel M. Weeks]
* pluto: Find and delete old connection/states with same ID [Paul/Hugh]
* pluto: traffic log (and updown) line had in/out bytes swapped [Paul/Tuomo]
* pluto: Fix memory/fd leaks found by Coverity and in cert code [Hugh/Andrew]
* pluto: Improve SPD longest prefix to priority calculation [Andrew/Paul/Hugh]
* addconn: Fix auto=route and auto=start processing [Paul]
* whack/auto: Ensure all status and list commands return no error code [Paul]
* KLIPS: Replace deprecated blkcipher with skcipher crypto API [Tijs Van Buggenhout]
* FIPS: Support new NIST ACVP protocol with cavp tool cmdline args [Andrew]
* FIPS: Don't attempt HMAC integrity test on rsasigkey (rhbz#1544143) [Paul]
* FIPS: Don't allow RSA keys < 3072 [Matt/Paul]
* FIPS: Enable our PRF aes_xcbc wrapper on NSS hash code in FIPS mode [Andrew]
* FIPS: Raise minimum RSA key length allowed to 3072 [Paul]
* CAVP: Add -<acvp-key> <acvp-value> and -json(output) options to CAVP [Andrew]
* portexcludes: new command ipsec portexcludes (see portexcludes.conf) [Paul]
* _updown.netkey: fix deleting routes when half routes are used [Tuomo]
* _updown.netkey: don't delete VTI interfaces until we can refcount [Tuomo]
* _updown.netkey: fix unroute: "need at least a destination address" [Tuomo]
* _updown.netkey: don't do proxyarp for direct host-host tunnels [Tuomo]
* _updown.netkey: force routing if we don't have route to remote network [Tuomo]
* _unbound-hook: Pass all IPSECKEY's to pluto, not just the first [Paul]
* contrib/python-swan: module to check if trafic get be encrypted [Kim]
* contrib/c-swan: example code to check if trafic get be encrypted [Kim]
* building: added USE_GLIBC_KERN_FLIP_HEADERS (default off) [Paul]
* building: when ElectricFence enabled, add extra system calls to seccomp [Andrew]
* ipsec: add checknss option --settrusts to reset CA trusts in nss db [Tuomo]
* _updown.netkey: force routing when necessary for IPsec to work [Tuomo]
* _updown.netkey: do not proxyarp for host-host tunnels [Tuomo]
* look: sort XFRM output by priority [Andrew]
* Bugtracker bugs fixed:
   libreswan#311: segfault in crl fetching git master f5b17dc [Andrew, Tuomo]
   libreswan#314: IPv6 default route is deleted by mistake
   libreswan#318: vti interface gets down on previous initiator if roles switch [Tuomo]
   libreswan#320: nsspassword file location is half implemented
   libreswan#328: Addcon crash on duplicit "left" or "leftid" keys in conn config [Stepan Broz]

v3.23 (January 25, 2018)

* IKEv2: MOBIKE support (RFC 45555) [Antony/Paul]
* IKEv2: Add support for modecfgdns= and modecfgdomains= like for IKEv1 [Paul]
* IKEv2: EXPERIMENTAL: Support for Postquantim Preshared Keys [Vukasin Karadzic]
         based on draft-ietf-ipsecme-qr-ikev2-01 (using private use numbers)
         new option: ppk=yes|no|insist (default no)
* pluto: Fix DEFAULT_RUNDIR to be set so it is really configurable [Tuomo]
* pluto: Add support IDr payload (You Tarzan, me Jane) [Paul]
* pluto: pass state to send_crypto_helper_request() [Andrew]
* pluto: Internal time/scheduling changes, micro-seconds logging [Andrew]
* pluto: make counts of states consistently "unsigned" [Hugh]
* pluto/lib: Remove obsoleted/unused %myid support [Paul]
* pluto: add --impair replay-forward,replay-backward [Andrew]
* pluto: add --impair dup-incoming-packets [Andrew]
* pluto: Rework nic offload detection code [Aviv Heller]
* pluto: Retry send on -EAGAIN in check_msg_errqueue() (upto 32x) [Paul/Hugh]
* pluto: Pull latest kernel traffic counters before logging/deleting SA [Paul]
* pluto: STF_INLINE, STF_TOOMUCHCRYPTO no longer needed in helpers [Andrew]
* pluto: Replace socket queues with a simple queue and mutex+cont [Andrew]
* pluto: Do not send DPD/liveness probes for replaced inactive IPsec SAs [Paul]
* pluto: crypto processing cleanup [Andrew]
* XFRM: XFRM_MIGRATE support, used for MOBIKE [Antony]
* XFRM: Listen to NETLINK_ROUTE messages from kernel for MOBIKE [Antony]
* XFRM: Fix unique marks accidentally setting -1 instead of random [Paul]
* XFRM: Only install IPv6 holes when system has configured IPv6 [Antony]
* XFRM: Add support for decap-dscp=yes|no (default no) [Paul]
* XFRM: Add support for nopmtudisc=yes|no (default no) [Paul]
* KLIPS: Support kernels 4.14+ with renamed dev->priv_destructor [Paul]
* KLIPS: updown fixes for IPv6 default route and metric/mtu settings [Wolfgang]
* SECCOMP: Update syscall whitelist for use of libunbound [Paul]
* IKEv1: better handle ESP with no integrity vs unknown integrity [Andrew]
* IKEv1: Fix packet retransmit code wrf timeouts vs duplucates [Andrew]
* IKEv1: Prevent duplicate responder states on retransmision [Andrew]
* IKEv1: Don't linger R1 states for 1h but use configured timeouts [Paul]
* IKEv2: nat_traversal_change_port_lookup() code moved [Antony]
* IKEv2: Macros could misinterpret some IKE/IPsec states [Paul/Antony]
* IKEv2: Updated Group transforms to comply with RFC 8247 [Paul]
* PAM: Don't cancel pam threads (unsupported!) but drop results instead [Andrew]
* _updown: Fix resolv.conf handling (github libreswan#130) [Tuomo]
* _updown: Fix POINTPOINT interfaces not to use nexthop [Tuomo]
* _updown.netkey: Add source ip to dev lo by default [Tuomo]
* Makefiles: Fix INC_MANDIR to be share/man and add FINALMANDIR [Tuomo]
* packaging: Move debian/ to packaging ('make deb' still works) [Antony]
* contrib: Added ipsec-dyndns to demonstrante how push an IPSECKEY [Paul]
* Bugtracker bugs fixed:
   libreswan#313: changesource in updown_klips doesn't respect PLUTO_METRIC [Wolfgang]
   libreswan#314: IPv6 default route is deleted by mistake [Wolfgang]

3.23rc4

3.23rc3

v3.23 (unrelased)

* pluto: Fix DEFAULT_RUNDIR to be set so it is really configurable [Tuomo]
* _updown: Fix resolv.conf handling (github libreswan#130) [Tuomo]
* _updown: Fix POINTPOINT interfaces not to use nexthop [Tuomo]
* Makefiles: Fix INC_MANDIR to be share/man and add FINALMANDIR [Tuomo]

v3.22 (October 22, 2017)

* IKEv2: EXPERIMENTAL: unbound DNS server ipsecmod support [Opportunistic IPsec]
* IKEv2: Initial support for RFC 7427 Digital Signature [Sahana Prasad/GSoC]
* IKEv2: Do not include INTEG=NONE in AEAD IKE proposals [Andrew]
* IKEv2: Accept both ESP=AEAD+NONE and ESP=AEAD in proposals [Andrew]
         (See also: https://www.rfc-editor.org/errata/eid5109)
* IKEV2: Fix interop with old pluto that rejected esp=aead+none [Andrew]
* IKEv2: Add support for GMAC via esp=null_auth_aes_gcm [Andrew]
* IKEv2: Fragmentation code cleanup and memory leak fixes [Andrew]
* IKEv1: Fix XAUTH retransmits and packet storage [Antony]
* IKEv1: Perform custom state change for XAUTH without ModeCFG [Paul]
* IKEv1: Add support for nat-ikev1-method=none [Paul]
* IKEv1: XAUTH password length wasn't consistent at 128 [Stepan Broz]
* pluto: Natively install ICMPv6 neighbour discovery holes [Mayank Totale/GSoC]
* pluto: Fixup XAUTH/PAM thread cancelation handling [Andrew/Antony]
* pluto: Change default rundir from /var/run/pluto to /run/pluto [Paul]
* pluto: Various ike_alg parsing updates [Andrew]
* pluto: Various cleanups in addresspool and XAUTH code [Hugh]
* pluto: Fix missing ntohl() on the SPI numbers in ipsec status [Paul]
* pluto: Various memory leak fixes [Antony,Paul,Hugh]
* pluto: Make ioctl(SIOCGIFFLAGS) failure for labeled devices non-fatal [Paul]
* pluto: Give IKE traffic preference via SO_PRIO [Paul]
* pluto: New setup options: ike-socket-errqueue= , ike-socket-bufsiza=e [Paul]
* pluto: Improve whack --listevents with libevent [Antony]
* pluto: Fixup NIC offload support [Antony, Hugh]
* pluto: Track and try the number of EAGAIN errors on IKE socket [Hugh/Paul]
* pluto: Prevent spurious initiating states on responder-only conn [Antony]
* pluto: don't call sanitize_string() in fmt_log() as it is expensive [Paul]
* pluto: No longer need to specify null for AEAD, can use esp=aes_gcm [Andrew]
* pluto: Increase default nhelpers for 1 CPU (2) and 2 CPUs (4) [Paul]
* pluto: New option logip= (default yes) to disable log of incoming IPs [Paul]
* pluto: signal handling cleanup [Andrew/Hugh]
* pluto: Don't try to retransmit unsent packet [Paul/Hugh]
* pluto: state hashing improvements [Andrew]
* pluto: Fix erranious connecting switching (bug in v3.21) [Paul]
* pluto: when deleting parent, don't deschedule DH for wrong child [Andrew]
* pluto: dpdaction=restart fixup when using %any [Antony]
* pluto: Don't die on labeled interfaces without SIOCGIFFLAGS support [Paul]
* addconn: left=%defaultroute would fail if >500 host routes [Kim]
* showhotkey/rsasigkey: Fixup mismatch of public key display [Andrew]
* FIPS: Some selftests did not run properly under FIPS mode [Andrew]
* KLIPS: Removed old premade patches, use make targets instead [paul]
* updown Don't remove source ip if it's still used (rhbz#1492501) [Tuomo]
* updown: Allow disabling via leftupdown="" or leftupdown="%disabled" [Paul]
* updown: SPI numbers were missing ntohl() conversion [Paul]
* various: phase out --ctlbase for --ctlsocket and --rundir [Paul]
* libipsecconf: reject unavailable kernel algorithms in parser [Andrew]
* libswan/pluto: throw a clearer error for broken libunbound [Paul]
* libswan/pluto: Cleanup logging and tighten logging lock [Andrew]
* libswan/pluto: Greatly optimize logging code [Andrew]
* libswan/pluto: Some logging algorithm renames for more consistency [Andrew]
* building: remove -fexceptions; breaks pthread_cleanup_push [Andrew]
* packaging: Update debian/ and move to packaging/debian [Antony]
* packaging: Update fedora/rhel spec files [Tuomo]
* testing: --impair-foo changed to --impair foo [Andrew]
* testing: Some new impair options for testing [Andrew,Sahana,Paul]
* testing: Allow null encryption with null auth for testing [Andrew]
* Bugtracker bugs fixed:
   libreswan#294: Bug in public key reported by rsasigkey [Tijs Van Buggenhout/Andrew]
   libreswan#299: Fix overlapping addresspool and static lease from passwd file [Antony]
   libreswan#300: Fix bug in v3.21 that rejected hardcodes certs without a CA [Paul]
   libreswan#302: IKEv1-only and IKEv2-only must not share IKE SA [Paul]
   libreswan#303: xauth password length limited to 64 bytes [Stepan Broz]