+strongswan-5.0.4
+----------------
+
+- Fixed a security vulnerability in the openssl plugin which was reported by
+ Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944.
+ Before the fix, if the openssl plugin's ECDSA signature verification was used,
+ due to a misinterpretation of the error code returned by the OpenSSL
+ ECDSA_verify() function, an empty or zeroed signature was accepted as a
+ legitimate one.
+
+- The handling of a couple of other non-security relevant openssl return codes
+ was fixed as well.
+
+- The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its
+ TCG TNC IF-MAP 2.1 interface.
+
+- The charon.initiator_only option causes charon to ignore IKE initiation
+ requests.
+
+- The openssl plugin can now use the openssl-fips library.
+
+
+strongswan-5.0.3
+----------------
+
+- The new ipseckey plugin enables authentication based on trustworthy public
+ keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
+ To do so it uses a DNSSEC enabled resolver, like the one provided by the new
+ unbound plugin, which is based on libldns and libunbound. Both plugins were
+ created by Reto Guadagnini.
+
+- Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
+ available to an IMV. The OS IMV stores the AR identity together with the
+ device ID in the attest database.
+
+- The openssl plugin now uses the AES-NI accelerated version of AES-GCM
+ if the hardware supports it.
+
+- The eap-radius plugin can now assign virtual IPs to IKE clients using the
+ Framed-IP-Address attribute by using the "%radius" named pool in the
+ rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
+ Unity-capable IKEv1 clients during mode config. charon now sends Interim
+ Accounting updates if requested by the RADIUS server, reports
+ sent/received packets in Accounting messages, and adds a Terminate-Cause
+ to Accounting-Stops.
+
+- The recently introduced "ipsec listcounters" command can report connection
+ specific counters by passing a connection name, and global or connection
+ counters can be reset by the "ipsec resetcounters" command.
+
+- The strongSwan libpttls library provides an experimental implementation of
+ PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
+
+- The charon systime-fix plugin can disable certificate lifetime checks on
+ embedded systems if the system time is obviously out of sync after bootup.
+ Certificates lifetimes get checked once the system time gets sane, closing
+ or reauthenticating connections using expired certificates.
+
+- The "ikedscp" ipsec.conf option can set DiffServ code points on outgoing
+ IKE packets.
+
+- The new xauth-noauth plugin allows to use basic RSA or PSK authentication with
+ clients that cannot be configured without XAuth authentication. The plugin
+ simply concludes the XAuth exchange successfully without actually performing
+ any authentication. Therefore, to use this backend it has to be selected
+ explicitly with rightauth2=xauth-noauth.
+
+- The new charon-tkm IKEv2 daemon delegates security critical operations to a
+ separate process. This has the benefit that the network facing daemon has no
+ knowledge of keying material used to protect child SAs. Thus subverting
+ charon-tkm does not result in the compromise of cryptographic keys.
+ The extracted functionality has been implemented from scratch in a minimal TCB
+ (trusted computing base) in the Ada programming language. Further information
+ can be found at http://www.codelabs.ch/tkm/.
+
strongswan-5.0.2
----------------
- The integration test environment was updated and now uses KVM and reproducible
guest images based on Debian.
+
strongswan-5.0.1
----------------
- All crypto primitives gained return values for most operations, allowing
crypto backends to fail, for example when using hardware accelerators.
+
strongswan-5.0.0
----------------
./configure switch.
- The new libstrongswan constraints plugin provides advanced X.509 constraint
- checking. In additon to X.509 pathLen constraints, the plugin checks for
+ checking. In addition to X.509 pathLen constraints, the plugin checks for
nameConstraints and certificatePolicies, including policyMappings and
policyConstraints. The x509 certificate plugin and the pki tool have been
enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
projects / people / ms / strongswan.git / blobdiff