+strongswan-5.9.12
+-----------------
+
+- The cert-enroll script handles the initial enrollment of an X.509
+ host certificate with a PKI server via the EST or SCEP protocols.
+
+ Run as a systemd timer or via a crontab entry the script daily
+ checks the expiration date of the host certificate. When a given
+ deadline is reached, the host certificate is automatically renewed
+ via EST or SCEP re-enrollment based on the possession of the old
+ private key and the matching certificate.
+
+
+strongswan-5.9.11
+-----------------
+
+- A deadlock in the vici plugin has been fixed that could get triggered when
+ multiple connections were initiated/terminated concurrently and control-log
+ events were raised by the watcher_t component.
+
+- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit
+ encoded (even if it's a CA), or a CA certificate without keyUsage extension.
+
+- Optional CA labels in EST server URIs are supported by `pki --est/estca`.
+
+- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and
+ openssl plugins, which allows verifying RSA-PSS and ECDSA signatures.
+
+- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or
+ earlier that was introduced with 5.9.10.
+
+- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2.
+
+- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and
+ gained support for trap policies.
+
+- The dhcp plugin uses an alternate method to determine the source address
+ for unicast DHCP requests that's not affected by interface filtering.
+
+- Certificate and trust chain selection as initiator has been improved in case
+ the local trust chain is incomplete and an unrelated certreq is received.
+
+- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin.
+
+- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass
+ policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer.
+
+- Stale OCSP responses are now replace in-place in the certificate cache.
+
+- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`.
+
+
+strongswan-5.9.10
+-----------------
+
+- Fixed a vulnerability related to certificate verification in TLS-based EAP
+ methods that leads to an authentication bypass followed by an expired pointer
+ dereference that results in a denial of service and possibly even remote code
+ execution.
+ This vulnerability has been registered as CVE-2023-26463.
+
+- Added support for full packet hardware offload for IPsec SAs and policies with
+ Linux 6.2 kernels to the kernel-netlink plugin.
+
+- TLS-based EAP methods now use the standardized key derivation when used
+ with TLS 1.3.
+
+- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
+ implementing the "protected success indication".
+
+- With the `prefer` value for the `childless` setting, initiators will create
+ a childless IKE_SA if the responder supports the extension.
+
+- Routes via XFRM interfaces can optionally be installed automatically by
+ enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
+
+- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
+ issues with name resolution if they are supported by the kernel.
+
+- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
+ PKCS#10 certificate signing request.
+
+- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
+ (replace them completely, or adding/removing specific flags).
+
+- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
+ IPsec SAs instead of the policies.
+
+- For libcurl with MultiSSL support, the curl plugin provides an option to
+ select the SSL/TLS backend.
+
+
+strongswan-5.9.9
+----------------
+
+- The charon.reqid_base setting allows specifying the first reqid that's
+ automatically assigned to a CHILD_SA.
+
+- The path/command for resolvconf(8) used by the resolve plugin is now
+ configurable.
+
+- The resolve plugin doesn't generate unique interface names for name servers
+ anymore. Instead, all available name servers are associated with a single,
+ configurable interface name.
+
+- Serial numbers of certificates and CRLs are now always returned in canonical
+ form (i.e. without leading zeros).
+
+- The kernel-netlink plugin now logs extended ACK error/warning messages.
+
+
+strongswan-5.9.8
+----------------
+
+- Fixed a vulnerability related to accessing untrusted OCSP URIs and CDPs in
+ certificates that could lead to a denial-of-service attack.
+ This vulnerability has been registered as CVE-2022-40617.
+
+- The pki --scep|--scepca commands support the HTTP-based "Simple Certificate
+ Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated
+ scepclient that has been removed.
+
+- The pki --est|estca commands support the HTTPS-based "Enrollment over Secure
+ Transport" (RFC 7030 EST) protocol.
+
+- The pki --req command can create a certificate request based on an existing
+ PKCS#10 template by replacing the public key and re-generating the signature
+ with the new private key.
+
+- For IKEv2, the ike_updown() "up" event and the state change to IKE_ESTABLISHED
+ are now triggered after all IKE-related tasks are done.
+
+- The ike_cfg_t object is now always replaced together with the peer_cfg_t
+ object that's set on an IKE_SA during authentication.
+
+- The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests
+ can be completed successfully with just the default plugins.
+
+- The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP
+ sockets, so an error is triggered if e.g. two daemons (e.g. charon and
+ charon-systemd) are running concurrently using the same ports.
+
+- The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier with
+ explicit trailerField.
+
+
+strongswan-5.9.7
+----------------
+
+- The IKEv2 key derivation is now delayed until the keys are actually needed for
+ the next message. Instead of deriving the keys while processing an IKE_SA_INIT
+ request, it's delayed until the corresponding IKE_AUTH request is received.
+ DH implementations now must do costly public key validation and the key
+ derivation in get_shared_secret().
+
+- Inbound IKEv2 messages are not parsed immediately anymore, instead we first
+ check a request's MID and compare its hash to that of the previous request to
+ decide if it's a valid retransmit (for fragmented message we only keep track
+ of the first fragment, so we don't have to wait for all fragments and
+ reconstruct the message, which we did before).
+
+- The retransmission logic in the dhcp plugin has been fixed so that four
+ retransmits are sent per DHCP request over a total of 15 seconds (previously,
+ it could happen that all were sent within the same second without any time
+ to actually wait for a response).
+
+- The connmark plugin now considers configured masks in installed firewall
+ rules, which allows using the upper parts of the mark value for other
+ purposes. Just consider that the daemon might have to be restarted regularly
+ to reset the global unique mark counter as that's unaware of any masks.
+
+- Child config selection has been improved as responder in cases where multiple
+ children use transport mode traffic selectors.
+
+- The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings.
+
+- The openssl plugin supports AES and Camellia in CTR mode.
+
+
+strongswan-5.9.6
+----------------
+
+- The IKEv2 key derivation, in particular prf+, has been modularized to simplify
+ certification (e.g. FIPS-140) via an already certified third-party library.
+ The botan, openssl and wolfssl plugins implement the key derivation for
+ HMAC-based PRFs via their respective HKDF implementation. A generic
+ implementation is provided by the new kdf plugin.
+
+- Labeled IPsec with IKEv2 is supported in an SELinux and a proprietary simple
+ mode. In SELinux mode, traffic that matches a trap policy with generic
+ context (e.g. system_u:object_r:ipsec_spd_t:s0) triggers the negotiation of
+ CHILD_SAs with a specific label. With the simple mode, labels are not set on
+ SAs/policies but can be used as identifier to select specific child configs.
+
+- DoS protection has been improved: COOKIE secrets are now switched based on a
+ time limit (2 min.), a new per-IP threshold (default 3) is used to trigger
+ them, and unprocessed IKE_SA_INITs are already counted as half-open IKE_SAs.
+
+- Initiating duplicate CHILD_SAs within the same IKE_SA is largely prevented.
+
+- Immediately initiating a CHILD_SA with trap policies is now possible via
+ `start_action=trap|start`.
+
+- If the source address is unknown when initiating an IKEv2 SA, a NAT situation
+ is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing
+ asymmetric enabling of UDP-encapsulation.
+
+- Installing unnecessary exclude routes for VPN servers on FreeBSD is avoided.
+
+- The new `map_level` option for syslog loggers allows mapping log levels
+ to syslog levels starting at the specified number.
+
+- The addrblock plugin allows limiting the validation depth of issuer addrblock
+ extensions.
+
+- The default AEAD ESP proposal (sent since 5.9.0) now includes `noesn` to make
+ it standards-compliant.
+
+- Individual CHILD_SAs can be queried via the `list-sas` vici command (or
+ `swanctl --list-sas ), either by unique ID or name.
+
+- Compatibility with OpenSSL 3.0 has been improved.
+
+
+strongswan-5.9.5
+----------------
+
+- Fixed a vulnerability in the EAP client implementation that was caused by
+ incorrectly handling early EAP-Success messages. It may allow to bypass the
+ client and in some scenarios even the server authentication, or could lead to
+ a denial-of-service attack.
+ This vulnerability has been registered as CVE-2021-45079.
+
+- Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now
+ establish a secure session via RSA encryption or an ephemeral ECDH key
+ exchange, respectively. The session allows HMAC-based authenticated
+ communication with the TPM 2.0 and the exchanged parameters can be encrypted
+ where necessary to guarantee confidentiality (e.g. when using the TPM as RNG).
+
+- Basic support for OpenSSL 3.0 has been added, in particular, the new
+ load_legacy option (enabled by default) allows loading the "legacy" provider
+ for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the
+ existing fips_mode option allows explicitly loading the "fips" provider e.g.
+ if it's not activated in OpenSSL's fipsmodule.cnf.
+
+- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and
+ FreeBSD is now configurable and reduced to 1400 bytes, by default. This also
+ fixes an issue on macOS 12 that prevented the detection of virtual IPs
+ installed on such TUN devices.
+
+- When rekeying CHILD_SAs, the old outbound SA is now uninstalled shortly after
+ the new SA has been installed on the initiator/winner. This is useful for
+ IPsec implementations where the ordering of SAs is unpredictable and we can't
+ set the SPI on the outbound policy to switch to the new SA while both are
+ installed.
+
+- The sw-collector utility may now iterate through APT history logs processed
+ by logrotate.
+
+- The openssl plugin now only announces the ECDH groups actually supported by
+ OpenSSL (determined via EC_get_builtin_curves()).
+
+
+strongswan-5.9.4
+----------------
+
+- Fixed a denial-of-service vulnerability in the gmp plugin that was caused by
+ an integer overflow when processing RSASSA-PSS signatures with very large
+ salt lengths.
+ This vulnerability has been registered as CVE-2021-41990.
+
+- Fixed a denial-of-service vulnerabililty in the in-memory certificate cache
+ if certificates are replaced and a very large random value caused an integer
+ overflow.
+ This vulnerability has been registered as CVE-2021-41991.
+
+- Fixed a related flaw that caused the daemon to accept an infinite number of
+ versions of a valid certificate by modifying the parameters in the
+ signatureAlgorithm field of the outer X.509 Certificate structure.
+
+- AUTH_LIFETIME notifies are now only sent by a responder if it can't
+ reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP)
+ or the use of virtual IPs.
+
+- Serial number generation in several pki sub-commands has been fixed so they
+ don't start with an unintended zero byte.
+
+- Initialize libtpmtss in all programs and library that use it.
+
+- Migrated testing scripts to Python 3.
+
+
+strongswan-5.9.3
+----------------
+
+- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
+
+- Added AES_CCM and SHA-3 signature support to openssl plugin.
+
+- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
+ available, before verifying signatures, which avoids unnecessary signature
+ verifications after a CA key rollover if both certificates are loaded.
+
+- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
+ previously depended on a version check.
+
+- charon-nm now supports using SANs as client identities, not only full DNs.
+
+- charon-tkm now handles IKE encryption.
+
+- A MOBIKE update is sent again if a a change in the NAT mappings is detected
+ but the endpoints stay the same.
+
+- Converted most of the test case scenarios to the vici interface
+
+
strongswan-5.9.2
----------------
-- Together with a Linux 5.8 kernel supporting the IMA measurement of the
- grub bootloader and the Linux kernel, the strongSwan Attestation IMC
- allows to do remote attestation of the complete boot phase. A recent
- TPM 2.0 device with a SHA-256 PCR bank is required, so that both BIOS
- and IMA file measurements are based on SHA-256 hashes.
-
+- Together with a Linux 5.8 kernel supporting the IMA measurement of the GRUB
+ bootloader and the Linux kernel, the strongSwan Attestation IMC allows to do
+ remote attestation of the complete boot phase. A recent TPM 2.0 device with a
+ SHA-256 PCR bank is required, so that both BIOS and IMA file measurements are
+ based on SHA-256 hashes.
+
+- Our own TLS library (libtls) that we use for TLS-based EAP methods and PT-TLS
+ gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and
+ Pascal Knecht (client and server) for their work on this.
+ Because the use of TLS 1.3 with these EAP methods is not yet standardized (two
+ Internet-Drafts are being worked on), the default maximum version is currently
+ set to TLS 1.2, which is now also the default minimum version. However the TNC
+ test scenarios using PT-TLS transport already use TLS 1.3.
+
+- Other improvements for libtls also affect older TLS versions. For instance, we
+ added support for ECDH with Curve25519/448 (DH groups may also be configured
+ now), for EdDSA keys and certificates and for RSA-PSS signatures. Support for
+ old and weak cipher suites has been removed (e.g. with 3DES and MD5) as well
+ as signature schemes with SHA-1.
+
+- The listener_t::ike_update event is now also called for MOBIKE updates. Its
+ signature has changed so we only have to call it once if both addresses/ports
+ have changed (e.g. for an address family switch). The event is now also
+ exposed via vici.
+
+- The farp plugin has been ported to macOS and FreeBSD. Thanks to Dan James for
+ working on this.
+
+- To fix DNS server installation with systemd-resolved, charon-nm now creates a
+ dummy TUN device again (was removed with 5.5.1).
+
+- The botan plugin can use rng_t implementations provided by other plugins when
+ generating keys etc. if the Botan library supports it.
+
+- charon-tkm now supports multiple CAs and is configured via vici/swanctl.
+
+- Simple glob patterns (e.g. include conf.d/*.conf) now also work on Windows.
+ Handling of forward slashes in paths on Windows has also been improved.
+
+- The abbreviations for the 'surname' and 'serial number' RDNs in ASN.1 DNs have
+ been changed to align with RFC 4519: The abbreviation for 'surname' is now
+ "SN" (was "S" before), which was previously used for 'serial number' that can
+ now be specified as "serialNumber" only.
+
+- An issue with Windows clients requesting previous IPv6 but not IPv4 virtual
+ IP addresses has been fixed.
+
+- ike_sa_manager_t: Checking out IKE_SAs by config is now atomic (e.g. when
+ acquires for different children of the same connection arrive concurrently).
+ The checkout_new() method has been renamed to create_new(). A new
+ checkout_new() method allows registering a new IKE_SA with the manager before
+ checking it in, so jobs can be queued without losing them as they can block
+ on checking out the new SA.
+
strongswan-5.9.1
----------------
keying protocols. The feature-set of IKEv1 in charon is almost on par with
pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
- mode. Information for interoperability and migration is available at
- https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
+ mode.
- Charon's bus_t has been refactored so that loggers and other listeners are
now handled separately. The single lock was previously cause for deadlocks
- The IKEv2 High Availability plugin has been integrated. It provides
load sharing and failover capabilities in a cluster of currently two nodes,
- based on an extend ClusterIP kernel module. More information is available at
- https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
+ based on an extend ClusterIP kernel module.
The development of the High Availability functionality was sponsored by
secunet Security Networks AG.
----------------
- IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can
- be found on wiki.strongswan.org.
+ be found in the documentation.
- ipsec statusall shows the number of bytes transmitted and received over
ESP connections configured by the IKEv2 charon daemon.
simulate a NAT situation and trick the other peer into NAT mode (IKEv2 only).
- Preview of strongSwan Manager, a web based configuration and monitoring
- application. It uses a new XML control interface to query the IKEv2 daemon
- (see https://wiki.strongswan.org/wiki/Manager).
+ application. It uses a new XML control interface to query the IKEv2 daemon.
- Experimental SQLite configuration backend which will provide the configuration
interface for strongSwan Manager in future releases.
strongswan-4.1.4
----------------
-- The pluto IKEv1 daemon now exhibits the same behaviour as its
+- The pluto IKEv1 daemon now exhibits the same behavior as its
IKEv2 companion charon by inserting an explicit route via the
_updown script only if a sourceip exists. This is admissible
since routing through the IPsec tunnel is handled automatically
projects / thirdparty / strongswan.git / blobdiff