]> git.ipfire.org Git - thirdparty/strongswan.git/blame - NEWS
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
testing: Fixed typo of mfg1 to mgf1 plugin
[thirdparty/strongswan.git] / NEWS
CommitLineData
80dec436
TB		 1strongswan-5.9.7
2----------------
3
4- The IKEv2 key derivation is now delayed until the keys are actually needed for
5 the next message. Instead of deriving the keys while processing an IKE_SA_INIT
6 request, it's delayed until the corresponding IKE_AUTH request is received.
7 DH implementations now must do costly public key validation and the key
8 derivation in get_shared_secret().
9
10- Inbound IKEv2 messages are not parsed immediately anymore, instead we first
11 check a request's MID and compare its hash to that of the previous request to
12 decide if it's a valid retransmit (for fragmented message we only keep track
13 of the first fragment, so we don't have to wait for all fragments and
14 reconstruct the message, which we did before).
15
16- The retransmission logic in the dhcp plugin has been fixed so that four
17 retransmits are sent per DHCP request over a total of 15 seconds (previously,
18 it could happen that all were sent within the same second without any time
19 to actually wait for a response).
20
21- The connmark plugin now considers configured masks in installed firewall
22 rules, which allows using the upper parts of the mark value for other
23 purposes. Just consider that the daemon might have to be restarted regularly
24 to reset the global unique mark counter as that's unaware of any masks.
25
26- Child config selection has been improved as responder in cases where multiple
27 children use transport mode traffic selectors.
28
29- The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings.
30
31- The openssl plugin supports AES and Camellia in CTR mode.
32
33
8ce4105f
TB		 34strongswan-5.9.6
35----------------
36
37- The IKEv2 key derivation, in particular prf+, has been modularized to simplify
38 certification (e.g. FIPS-140) via an already certified third-party library.
39 The botan, openssl and wolfssl plugins implement the key derivation for
40 HMAC-based PRFs via their respective HKDF implementation. A generic
41 implementation is provided by the new kdf plugin.
42
43- Labeled IPsec with IKEv2 is supported in an SELinux and a proprietary simple
44 mode. In SELinux mode, traffic that matches a trap policy with generic
45 context (e.g. system_u:object_r:ipsec_spd_t:s0) triggers the negotiation of
46 CHILD_SAs with a specific label. With the simple mode, labels are not set on
47 SAs/policies but can be used as identifier to select specific child configs.
48
49- DoS protection has been improved: COOKIE secrets are now switched based on a
50 time limit (2 min.), a new per-IP threshold (default 3) is used to trigger
51 them, and unprocessed IKE_SA_INITs are already counted as half-open IKE_SAs.
52
53- Initiating duplicate CHILD_SAs within the same IKE_SA is largely prevented.
54
55- Immediately initiating a CHILD_SA with trap policies is now possible via
56 `start_action=trap|start`.
57
58- If the source address is unknown when initiating an IKEv2 SA, a NAT situation
59 is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing
60 asymmetric enabling of UDP-encapsulation.
61
62- Installing unnecessary exclude routes for VPN servers on FreeBSD is avoided.
63
64- The new `map_level` option for syslog loggers allows mapping log levels
65 to syslog levels starting at the specified number.
66
67- The addrblock plugin allows limiting the validation depth of issuer addrblock
68 extensions.
69
70- The default AEAD ESP proposal (sent since 5.9.0) now includes `noesn` to make
71 it standards-compliant.
72
73- Individual CHILD_SAs can be queried via the `list-sas` vici command (or
74 `swanctl --list-sas ), either by unique ID or name.
75
76- Compatibility with OpenSSL 3.0 has been improved.
77
78
de15386d
TB		 79strongswan-5.9.5
80----------------
81
4f560557
TB		 82- Fixed a vulnerability in the EAP client implementation that was caused by
83 incorrectly handling early EAP-Success messages. It may allow to bypass the
84 client and in some scenarios even the server authentication, or could lead to
85 a denial-of-service attack.
86 This vulnerability has been registered as CVE-2021-45079.
87
de15386d
TB		 88- Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now
89 establish a secure session via RSA encryption or an ephemeral ECDH key
90 exchange, respectively. The session allows HMAC-based authenticated
91 communication with the TPM 2.0 and the exchanged parameters can be encrypted
92 where necessary to guarantee confidentiality (e.g. when using the TPM as RNG).
93
94- Basic support for OpenSSL 3.0 has been added, in particular, the new
95 load_legacy option (enabled by default) allows loading the "legacy" provider
96 for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the
97 existing fips_mode option allows explicitly loading the "fips" provider e.g.
98 if it's not activated in OpenSSL's fipsmodule.cnf.
99
100- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and
101 FreeBSD is now configurable and reduced to 1400 bytes, by default. This also
102 fixes an issue on macOS 12 that prevented the detection of virtual IPs
103 installed on such TUN devices.
104
105- When rekeying CHILD_SAs, the old outbound SA is now uninstalled shortly after
106 the new SA has been installed on the initiator/winner. This is useful for
107 IPsec implementations where the ordering of SAs is unpredictable and we can't
108 set the SPI on the outbound policy to switch to the new SA while both are
109 installed.
110
111- The sw-collector utility may now iterate through APT history logs processed
112 by logrotate.
113
114- The openssl plugin now only announces the ECDH groups actually supported by
115 OpenSSL (determined via EC_get_builtin_curves()).
116
117
0eb1d6c0
AS		 118strongswan-5.9.4
119----------------
120
fed5c7e0
TB		 121- Fixed a denial-of-service vulnerability in the gmp plugin that was caused by
122 an integer overflow when processing RSASSA-PSS signatures with very large
123 salt lengths.
124 This vulnerability has been registered as CVE-2021-41990.
125
126- Fixed a denial-of-service vulnerabililty in the in-memory certificate cache
127 if certificates are replaced and a very large random value caused an integer
128 overflow.
129 This vulnerability has been registered as CVE-2021-41991.
130
131- Fixed a related flaw that caused the daemon to accept an infinite number of
132 versions of a valid certificate by modifying the parameters in the
133 signatureAlgorithm field of the outer X.509 Certificate structure.
134
135- AUTH_LIFETIME notifies are now only sent by a responder if it can't
136 reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP)
137 or the use of virtual IPs.
138
139- Serial number generation in several pki sub-commands has been fixed so they
140 don't start with an unintended zero byte.
141
0eb1d6c0
AS		 142- Initialize libtpmtss in all programs and library that use it.
143
1b21a00f
AS		 144- Migrated testing scripts to Python 3.
145
0eb1d6c0 146
09df86c0
AS		 147strongswan-5.9.3
148----------------
149
150- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
151
0fc8cf00
TB		 152- Added AES_CCM and SHA-3 signature support to openssl plugin.
153
154- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
155 available, before verifying signatures, which avoids unnecessary signature
156 verifications after a CA key rollover if both certificates are loaded.
157
158- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
159 previously depended on a version check.
160
161- charon-nm now supports using SANs as client identities, not only full DNs.
162
163- charon-tkm now handles IKE encryption.
164
165- A MOBIKE update is sent again if a a change in the NAT mappings is detected
166 but the endpoints stay the same.
167
d4156735
AS		 168- Converted most of the test case scenarios to the vici interface
169
09df86c0 170
fcb595f9
AS		 171strongswan-5.9.2
172----------------
173
d65d4eab
TB		 174- Together with a Linux 5.8 kernel supporting the IMA measurement of the GRUB
175 bootloader and the Linux kernel, the strongSwan Attestation IMC allows to do
176 remote attestation of the complete boot phase. A recent TPM 2.0 device with a
177 SHA-256 PCR bank is required, so that both BIOS and IMA file measurements are
178 based on SHA-256 hashes.
179
180- Our own TLS library (libtls) that we use for TLS-based EAP methods and PT-TLS
181 gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and
182 Pascal Knecht (client and server) for their work on this.
183 Because the use of TLS 1.3 with these EAP methods is not yet standardized (two
184 Internet-Drafts are being worked on), the default maximum version is currently
356f8735
AS		 185 set to TLS 1.2, which is now also the default minimum version. However the TNC
186 test scenarios using PT-TLS transport already use TLS 1.3.
d65d4eab
TB		 187
188- Other improvements for libtls also affect older TLS versions. For instance, we
189 added support for ECDH with Curve25519/448 (DH groups may also be configured
190 now), for EdDSA keys and certificates and for RSA-PSS signatures. Support for
191 old and weak cipher suites has been removed (e.g. with 3DES and MD5) as well
192 as signature schemes with SHA-1.
193
194- The listener_t::ike_update event is now also called for MOBIKE updates. Its
195 signature has changed so we only have to call it once if both addresses/ports
196 have changed (e.g. for an address family switch). The event is now also
197 exposed via vici.
198
199- The farp plugin has been ported to macOS and FreeBSD. Thanks to Dan James for
200 working on this.
201
202- To fix DNS server installation with systemd-resolved, charon-nm now creates a
203 dummy TUN device again (was removed with 5.5.1).
204
205- The botan plugin can use rng_t implementations provided by other plugins when
206 generating keys etc. if the Botan library supports it.
207
208- charon-tkm now supports multiple CAs and is configured via vici/swanctl.
209
210- Simple glob patterns (e.g. include conf.d/*.conf) now also work on Windows.
211 Handling of forward slashes in paths on Windows has also been improved.
212
213- The abbreviations for the 'surname' and 'serial number' RDNs in ASN.1 DNs have
214 been changed to align with RFC 4519: The abbreviation for 'surname' is now
215 "SN" (was "S" before), which was previously used for 'serial number' that can
216 now be specified as "serialNumber" only.
217
218- An issue with Windows clients requesting previous IPv6 but not IPv4 virtual
219 IP addresses has been fixed.
220
221- ike_sa_manager_t: Checking out IKE_SAs by config is now atomic (e.g. when
222 acquires for different children of the same connection arrive concurrently).
223 The checkout_new() method has been renamed to create_new(). A new
224 checkout_new() method allows registering a new IKE_SA with the manager before
225 checking it in, so jobs can be queued without losing them as they can block
226 on checking out the new SA.
227
fcb595f9 228
f3d96b7b
AS		 229strongswan-5.9.1
230----------------
231
dff243a1
TB		 232- Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI
233 measurements introduced with the Linux 5.4 kernel.
234
235- Nonces in OCSP responses are not enforced anymore and only validated if a
236 nonce is actually contained.
237
238- Fixed an issue when only some fragments of a retransmitted IKEv2 message were
239 received, which prevented processing a following fragmented message.
240
241- All queued vici messages are now sent to subscribed clients during shutdown,
242 which includes ike/child-updown events triggered when all SAs are deleted.
243
244- CHILD_SA IP addresses are updated before installation to allow MOBIKE updates
245 while retransmitting a CREATE_CHILD_SA request.
246
247- When looking for a route to the peer, the kernel-netlink plugin ignores the
248 current source address if it's deprecated.
249
250- The file and syslog loggers support logging the log level of each message
251 after the subsystem (e.g. [IKE2]).
252
253- charon-nm is now properly terminated during system shutdown.
254
255- Improved support for EdDSA keys in vici/swanctl, in particular, encrypted
256 keys are now supported.
257
258- A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID
259 to prevent Cisco devices from narrowing a 0.0.0.0/0 traffic selector.
260
261- The openssl plugin accepts CRLs issued by non-CA certificates if they contain
262 the cRLSign keyUsage flag (the x509 plugin already does this since 4.5.1).
263
264- Attributes in PKCS#7 containers, as used in SCEP, are now properly
265 DER-encoded, i.e. sorted.
266
267- The load-tester plugin now supports virtual IPv6 addresses and IPv6 source
268 address pools.
f3d96b7b
AS		 269
270
12e4dbb2
AS		 271strongswan-5.9.0
272----------------
273
ce5f9b83
TB		 274- We prefer AEAD algorithms for ESP and therefore put AES-GCM in a default AEAD
275 proposal in front of the previous default proposal.
276
277- The NM backend now clears cached credentials when disconnecting, has DPD and
278 and close action set to restart, and supports custom remote TS via 'remote-ts'
279 option (no GUI support).
280
281- The pkcs11 plugin falls back to software hashing for PKCS#1v1.5 RSA signatures
282 if mechanisms with hashing (e.g. CKM_SHA256_RSA_PKCS) are not supported.
283
284- The owner/group of log files is now set so the daemon can reopen them if the
285 config is reloaded and it doesn't run as root.
286
287- The wolfssl plugin (with wolfSSL 4.4.0+) supports x448 DH and Ed448 keys.
288
289- The vici plugin stores all CA certificates in one location, which avoids
290 issues with unloading authority sections or clearing all credentials.
291
292- When unloading a vici connection with start_action=start, any related IKE_SAs
293 without children are now terminated (including those in CONNECTING state).
294
295- The hashtable implementation has been changed so it maintains insertion order.
296 This was mainly done so the vici plugin can store its connections in a
297 hashtable, which makes managing high numbers of connections faster.
298
299- The default maximum size for vici messages (512 KiB) can now be changed via
300 VICI_MESSAGE_SIZE_MAX compile option.
301
302- The charon.check_current_path option allows forcing a DPD exchange to check if
303 the current path still works whenever interface/address-changes are detected.
304
305- It's possible to use clocks other than CLOCK_MONOTONIC (e.g. CLOCK_BOOTTIME)
306 via TIME_CLOCK_ID compile option if clock_gettime() is available and
307 pthread_condattr_setclock() supports that clock.
308
309- Test cases and functions can now be filtered when running the unit tests.
d4704229 310
12e4dbb2 311
3273667b
AS		 312strongswan-5.8.4
313----------------
314
315- In IKEv1 Quick Mode make sure that a proposal exists before determining
316 lifetimes (fixes crash due to null pointer exception).
317
318- OpenSSL currently doesn't support squeezing bytes out of a SHAKE128/256
319 XOF (eXtended Output Function) multiple times. Unfortunately,
320 EVP_DigestFinalXOF() completely resets the context and later calls not
321 simply fail, they cause a null-pointer dereference in libcrypto. This
322 fixes the crash at the cost of repeating initializing the whole state
323 and allocating too much data for subsequent calls.
324
325
298c389b
TB		 326strongswan-5.8.3
327----------------
328
329- Updates for the NM backend (and plugin), among others: EAP-TLS authentication,
330 configurable local and remote IKE identities, custom server port, redirection
331 and reauthentication support.
332
333- Previously used reqids are now reallocated to workaround an issue on FreeBSD
334 where the daemon can't use reqids > 16383.
335
336- On Linux, throw type routes are installed for passthrough policies. They act
337 as fallbacks on routes in other tables and require less information, so they
338 can be installed earlier and are not affected by updates.
339
340- For IKEv1, the lifetimes of the selected transform are returned to the
341 initiator, which is an issue with peers that propose different lifetimes in
342 different transforms. We also return the correct transform and proposal IDs.
343
344- IKE_SAs are not re-established anymore if a deletion has been queued.
345
346- Added support for Ed448 keys and certificates via openssl plugin and pki tool.
347 The openssl plugin also supports SHA-3 and SHAKE128/256.
348
349- The use of algorithm IDs from the private use ranges can now be enabled
350 globally, to use them even if no strongSwan vendor ID was exchanged.
351
352
ccaedf87
AS		 353strongswan-5.8.2
354----------------
355
174bfe51
TB		 356- Identity-based CA constraints are supported via vici/swanctl.conf. They
357 enforce that the remote's certificate chain contains a CA certificate with a
358 specific identity. While similar to the existing CA constraints, they don't
359 require that the CA certificate is locally installed such as intermediate CA
360 certificates received from peers. Compared to wildcard identity matching (e.g.
361 "..., OU=Research, CN=*") this requires less trust in the intermediate CAs (to
362 only issue certificates with legitimate subject DNs) as long as path length
363 basic constraints prevent them from issuing further intermediate CAs.
364
365- Intermediate CA certificates may now be sent in hash-and-URL encoding by
366 configuring a base URL for the parent CA.
367
ccaedf87
AS		 368- Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
369 based on AES-CTR and SHA2-HMAC modes. Currently used by gmp and ntru plugins.
370
174bfe51
TB		 371- Random nonces sent in an OCSP requests are now expected in the corresponding
372 OCSP responses.
373
374- The kernel-netlink plugin ignores deprecated IPv6 addresses for MOBIKE.
375 Whether temporary or permanent IPv6 addresses are included depends on the
376 charon.prefer_temporary_addrs setting.
377
378- Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the
379 kernel.
380
381- Unique section names are used for CHILD_SAs in vici child-updown events and
382 more information (e.g. statistics) are included for individually deleted
383 CHILD_SAs (in particular for IKEv1).
384
385- So fallbacks to other plugins work properly, creating HMACs via openssl plugin
386 now fails instantly if the underlying hash algorithm isn't supported (e.g.
387 MD5 in FIPS-mode).
388
389- Exponents of RSA keys read from TPM 2.0 via SAPI are now correctly converted.
390
391- Routing table IDs > 255 are supported for custom routes on Linux.
392
393- The D-Bus config file for charon-nm is now installed in
394 $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d.
395
396- INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same
397 exchange type and using the same message ID as the request.
398
399- IKEv2 SAs are immediately destroyed when sending or receiving INVALID_SYNTAX
400 notifies in authenticated messages.
401
ccaedf87 402
82cd511c
TB		 403strongswan-5.8.1
404----------------
405
406- RDNs in Distinguished Names can now optionally be matched less strict. The
407 global option charon.rdn_matching takes two alternative values that cause the
408 matching algorithm to either ignore the order of matched RDNs or additionally
409 accept DNs that contain more RDNs than configured (unmatched RDNs are treated
410 like wildcard matches).
411
412- The updown plugin now passes the same interface to the script that is also
413 used for the automatically installed routes, i.e. the interface over which the
414 peer is reached instead of the interface on which the local address is found.
415
416- TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple
417 IKE_SAs use the same private key concurrently.
418
419
08a73261
AS		 420strongswan-5.8.0
421----------------
422
23ff1055
TB		 423- The systemd service units have been renamed. The modern unit, which was called
424 strongswan-swanctl, is now called strongswan (the previous name is configured
425 as alias). The legacy unit is now called strongswan-starter.
426
427- Support for XFRM interfaces (available since Linux 4.19) has been added.
428 Configuration is possible via swanctl.conf. Interfaces may be created
429 dynamically via updown/vici scripts, or statically before or after
430 establishing the SAs. Routes must be added manually as needed (the daemon will
431 not install any routes for outbound policies with an interface ID).
432
433- Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and
434 supported by the responder, no CHILD_SA is established during IKE_AUTH. This
435 allows using a separate DH exchange even for the first CHILD_SA, which is
436 otherwise created with keys derived from the IKE_SA's key material.
437
438- The NetworkManager backend and plugin support IPv6.
439
440- The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks
441 to Sean Parkinson of wolfSSL Inc. for the initial patch.
442
443- IKE SPIs may optionally be labeled via the charon.spi_mask|label options. This
444 feature was extracted from charon-tkm, however, now applies the mask/label in
445 network order.
446
08a73261
AS		 447- The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
448
6fcb3baa
AS		 449- The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not
450 correctly implemented when sending either a CRETRY or SRETRY batch. These
451 batches can only be sent in the "Decided" state and a CRETRY batch can
452 immediately carry all messages usually transported by a CDATA batch. It is
453 currently not possible to send a SRETRY batch since full-duplex mode for
454 PT-TLS transport is not supported.
455
23ff1055
TB		 456- Instead of marking virtual IPv6 addresses as deprecated, the kernel-netlink
457 plugin uses address labels to avoid their use for non-VPN traffic.
458
459- The agent plugin creates sockets to the ssh/gpg-agent dynamically and does not
460 keep them open, which otherwise can prevent the agent from getting terminated.
461
462- To avoid broadcast loops the forecast plugin now only reinjects packets that
463 are marked or received from the configured interface.
464
465- UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses
466 an UTF-16LE encoding to calculate the NT hash.
467
74ac0c9e
AS		 468- Adds the build-certs script to generate the keys and certificates used for
469 regression tests dynamically. They are built with the pki version installed
470 in the KVM root image so it's not necessary to have an up-to-date version with
471 all required plugins installed on the host system.
472
08a73261 473
d1acfeec
TB		 474strongswan-5.7.2
475----------------
476
477- Private key implementations may optionally provide a list of supported
478 signature schemes, which is used by the tpm plugin because for each key on a
479 TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
480
481- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt
482 length (as defined by the length of the key and hash). However, if the TPM is
483 FIPS-168-4 compliant, the salt length equals the hash length. This is assumed
484 for FIPS-140-2 compliant TPMs, but if that's not the case, it might be
485 necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't
486 use the maximum salt length.
487
d1e58e11
TB		 488- swanctl now accesses directories for credentials relative to swanctl.conf, in
489 particular, when it's loaded from a custom location via --file argument. The
490 base directory that's used if --file is not given is configurable at runtime
491 via SWANCTL_DIR environment variable.
492
493- With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to
494 Access-Request messages, simplifying associating database entries for IP
495 leases and accounting with sessions.
496
497- IPs assigned by RADIUS servers are included in Accounting-Stop even if clients
498 don't claim them, allowing releasing them early on connection errors.
499
500- Selectors installed on transport mode SAs by the kernel-netlink plugin are
501 updated on IP address changes (e.g. via MOBIKE).
502
d1acfeec
TB		 503- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin.
504 For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature
505 authentication has to be disabled via charon.signature_authentication.
506
507- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
508
d1e58e11
TB		 509- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys
510 and signatures when built against OpenSSL 1.1.1.
511
0e80eb23 512- Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
d1acfeec
TB		 513
514- The mysql plugin now properly handles database connections with transactions
515 under heavy load.
516
d1e58e11
TB		 517- IP addresses in HA pools are now distributed evenly among all segments.
518
519- On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly
520 from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by
521 the plugin, e.g. for compatibility with if_ipsec(4) VTIs.
522
d1acfeec 523
291c1acd
TB		 524strongswan-5.7.1
525----------------
526
527- Fixes a vulnerability in the gmp plugin triggered by crafted certificates with
528 RSA keys with very small moduli. When verifying signatures with such keys,
529 the code patched with the fix for CVE-2018-16151/2 caused an integer underflow
530 and subsequent heap buffer overflow that results in a crash of the daemon.
531 The vulnerability has been registered as CVE-2018-17540.
532
533
3a8a9c70
AS		 534strongswan-5.7.0
535----------------
536
86c18851
TB		 537- Fixes a potential authorization bypass vulnerability in the gmp plugin that
538 was caused by a too lenient verification of PKCS#1 v1.5 signatures. Several
539 flaws could be exploited by a Bleichenbacher-style attack to forge signatures
540 for low-exponent keys (i.e. with e=3). CVE-2018-16151 has been assigned to
541 the problem of accepting random bytes after the OID of the hash function in
542 such signatures, and CVE-2018-16152 has been assigned to the issue of not
b3ab7a48 543 verifying that the parameters in the ASN.1 algorithmIdentifier structure is
86c18851
TB		 544 empty. Other flaws that don't lead to a vulnerability directly (e.g. not
545 checking for at least 8 bytes of padding) have no separate CVE assigned.
546
d2a1834d
TB		 547- Dots are not allowed anymore in section names in swanctl.conf and
548 strongswan.conf. This mainly affects the configuration of file loggers. If the
549 path for such a log file contains dots it now has to be configured in the new
550 `path` setting within the arbitrarily renamed subsection in the `filelog`
551 section.
552
553- Sections in swanctl.conf and strongswan.conf may now reference other sections.
554 All settings and subsections from such a section are inherited. This allows
555 to simplify configs as redundant information has only to be specified once
556 and may then be included in other sections (refer to the example in the man
557 page for strongswan.conf).
558
559- The originally selected IKE config (based on the IPs and IKE version) can now
560 change if no matching algorithm proposal is found. This way the order
561 of the configs doesn't matter that much anymore and it's easily possible to
562 specify separate configs for clients that require weak algorithms (instead
563 of having to also add them in other configs that might be selected).
564
565- Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2)
566 has been added.
567
568- The new botan plugin is a wrapper around the Botan C++ crypto library. It
569 requires a fairly recent build from Botan's master branch (or the upcoming
570 2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz
571 Cybersecurity for the initial patch.
572
3a8a9c70
AS		 573- The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using
574 the syntax --san xmppaddr:<jid>.
575
2a26566e 576- Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA)
a019c95b
AS		 577 for PA-TNC". SWIMA subscription option sets CLOSE_WRITE trigger on apt
578 history.log file resulting in a ClientRetry PB-TNC batch to initialize
579 a new measurement cycle.
2a26566e 580
711e0bdb
AS		 581- Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA
582 protocols on Google's OSS-Fuzz infrastructure.
583
041efa6e
AS		 584- Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of
585 the in-kernel /dev/tpmrm0 resource manager is automatically detected.
9a7a9623 586
d2a1834d
TB		 587- Marks the in- and/or outbound SA should apply to packets after processing may
588 be configured in swanctl.conf on Linux. For outbound SAs this requires at
589 least a 4.14 kernel. Setting a mask and configuring a mark/mask for inbound
590 SAs will be added with the upcoming 4.19 kernel.
591
592- New options in swanctl.conf allow configuring how/whether DF, ECN and DS
593 fields in the IP headers are copied during IPsec processing. Controlling this
594 is currently only possible on Linux.
595
596- To avoid conflicts, the dhcp plugin now only uses the DHCP server port if
597 explicitly configured.
598
3a8a9c70 599
7f14feff
TB		 600strongswan-5.6.3
601----------------
602
64f7fd92
TB		 603- Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is
604 used in FIPS mode and HMAC-MD5 is negotiated as PRF.
605 This vulnerability has been registered as CVE-2018-10811.
606
607- Fixed a vulnerability in the stroke plugin, which did not check the received
7f14feff
TB		 608 length before reading a message from the socket. Unless a group is configured,
609 root privileges are required to access that socket, so in the default
610 configuration this shouldn't be an issue.
611 This vulnerability has been registered as CVE-2018-5388.
612
613⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios
614 where expired certificates are removed from CRLs and the clock on the host
615 doing the revocation check is trailing behind that of the host issuing CRLs.
616
617- The issuer of fetched CRLs is now compared to the issuer of the checked
618 certificate.
619
0d0c8f7d
TB		 620- CRL validation results other than revocation (e.g. a skipped check because
621 the CRL couldn't be fetched) are now stored also for intermediate CA
622 certificates and not only for end-entity certificates, so a strict CRL policy
623 can be enforced in such cases.
7f14feff
TB		 624
625- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
626 now either not contain a keyUsage extension (like the ones generated by pki)
0d0c8f7d 627 or have at least one of the digitalSignature or nonRepudiation bits set.
7f14feff
TB		 628
629- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
630 This might be useful in situations where it's known the other end is not
0d0c8f7d
TB		 631 reachable anymore, or that it already removed the IKE_SA, so retransmitting a
632 DELETE and waiting for a response would be pointless. Waiting only a certain
633 amount of time for a response before destroying the IKE_SA is also possible
634 by additionally specifying a timeout.
7f14feff
TB		 635
636- When removing routes, the kernel-netlink plugin now checks if it tracks other
637 routes for the same destination and replaces the installed route instead of
638 just removing it. Same during installation, where existing routes previously
639 weren't replaced. This should allow using traps with virtual IPs on Linux.
640
641- The dhcp plugin only sends the client identifier option if identity_lease is
0d0c8f7d
TB		 642 enabled. It can also send identities of up to 255 bytes length, instead of
643 the previous 64 bytes. If a server address is configured, DHCP requests are
644 now sent from port 67 instead of 68 to avoid ICMP port unreachables.
7f14feff
TB		 645
646- Roam events are now completely ignored for IKEv1 SAs.
647
648- ChaCha20/Poly1305 is now correctly proposed without key length. For
649 compatibility with older releases the chacha20poly1305compat keyword may be
650 included in proposals to also propose the algorithm with a key length.
651
652- Configuration of hardware offload of IPsec SAs is now more flexible and allows
0d0c8f7d 653 a new mode, which automatically uses it if the kernel and device support it.
7f14feff
TB		 654
655- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
656
657- The pki --verify tool may load CA certificates and CRLs from directories.
658
659- Fixed an issue with DNS servers passed to NetworkManager in charon-nm.
660
661
4f60b72a
AS		 662strongswan-5.6.2
663----------------
664
b640afdb
TB		 665- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
666 was caused by insufficient input validation. One of the configurable
667 parameters in algorithm identifier structures for RSASSA-PSS signatures is the
668 mask generation function (MGF). Only MGF1 is currently specified for this
669 purpose. However, this in turn takes itself a parameter that specifies the
670 underlying hash function. strongSwan's parser did not correctly handle the
671 case of this parameter being absent, causing an undefined data read.
672 This vulnerability has been registered as CVE-2018-6459.
673
c65bec51
TB		 674- The previously negotiated DH group is reused when rekeying an SA, instead of
675 using the first group in the configured proposals, which avoids an additional
676 exchange if the peer selected a different group via INVALID_KE_PAYLOAD when
677 the SA was created initially.
678 The selected DH group is also moved to the front of all sent proposals that
679 contain it and all proposals that don't are moved to the back in order to
680 convey the preference for this group to the peer.
681
682- Handling of MOBIKE task queuing has been improved. In particular, the response
683 to an address update is not ignored anymore if only an address list update or
684 DPD is queued.
685
686- The fallback drop policies installed to avoid traffic leaks when replacing
687 addresses in installed policies are now replaced by temporary drop policies,
688 which also prevent acquires because we currently delete and reinstall IPsec
689 SAs to update their addresses.
690
4f60b72a
AS		 691- Access X.509 certificates held in non-volatile storage of a TPM 2.0
692 referenced via the NV index.
693
5d3eb57c
AS		 694- Adding the --keyid parameter to pki --print allows to print private keys
695 or certificates stored in a smartcard or a TPM 2.0.
696
c65bec51
TB		 697- Fixed proposal selection if a peer incorrectly sends DH groups in the ESP
698 proposals during IKE_AUTH and also if a DH group is configured in the local
699 ESP proposal and charon.prefer_configured_proposals is disabled.
700
701- MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility
702 issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g.
703 AES-XCBC-PRF-128).
704
344e1b60
AS		 705- The tpm_extendpcr command line tool extends a digest into a TPM PCR.
706
c65bec51
TB		 707- Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
708
709- The save-keys debugging/development plugin saves IKE and/or ESP keys to files
710 compatible with Wireshark.
711
4f60b72a 712
d43b84dc
AS		 713strongswan-5.6.1
714----------------
715
caee751d
TB		 716- In compliance with RFCs 8221 and 8247 several algorithms were removed from the
717 default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from
718 ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in
719 custom proposals.
720
721- Added support for RSASSA-PSS signatures. For backwards compatibility they are
722 not used automatically by default, enable charon.rsa_pss to change that. To
723 explicitly use or require such signatures with IKEv2 signature authentication
724 (RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss...
725 authentication constraints.
726
727- The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the
728 `--rsa-padding pss` option.
729
730- The sec-updater tool checks for security updates in dpkg-based repositories
d43b84dc 731 (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database
c80cec2d
AS		 732 accordingly. Additionally for each new package version a SWID tag for the
733 given OS and HW architecture is created and stored in the database.
734 Using the sec-updater.sh script template the lookup can be automated
735 (e.g. via an hourly cron job).
d43b84dc
AS		 736
737- The introduction of file versions in the IMV database scheme broke file
738 reference hash measurements. This has been fixed by creating generic product
739 versions having an empty package name.
740
caee751d
TB		 741- A new timeout option for the systime-fix plugin stops periodic system time
742 checks after a while and enforces a certificate verification, closing or
743 reauthenticating all SAs with invalid certificates.
744
745- The IKE event counters, previously only available via ipsec listcounters, may
746 now be queried/reset via vici and the new swanctl --counters command. They are
747 provided by the new optional counters plugin.
748
749- Class attributes received in RADIUS Access-Accept messages may optionally be
750 added to RADIUS accounting messages.
751
752- Inbound marks may optionally be installed on the SA again (was removed with
753 5.5.2) by enabling the mark_in_sa option in swanctl.conf.
754
d43b84dc 755
693705c7
AS		 756strongswan-5.6.0
757----------------
758
7cc4a92d
TB		 759- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient
760 input validation when verifying RSA signatures, which requires decryption
761 with the operation m^e mod n, where m is the signature, and e and n are the
762 exponent and modulus of the public key. The value m is an integer between
763 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the
764 calculation results in 0, in which case mpz_export() returns NULL. This
765 result wasn't handled properly causing a null-pointer dereference.
766 This vulnerability has been registered as CVE-2017-11185.
767
693705c7 768- New SWIMA IMC/IMV pair implements the "draft-ietf-sacm-nea-swima-patnc"
f0ae8c17 769 Internet Draft and has been demonstrated at the IETF 99 Prague Hackathon.
693705c7 770
f237bfcb 771- The IMV database template has been adapted to achieve full compliance
693705c7
AS		 772 with the ISO 19770-2:2015 SWID tag standard.
773
774- The sw-collector tool extracts software events from apt history logs
775 and stores them in an SQLite database to be used by the SWIMA IMC.
f0ae8c17
AS		 776 The tool can also generate SWID tags both for installed and removed
777 package versions.
693705c7
AS		 778
779- The pt-tls-client can attach and use TPM 2.0 protected private keys
780 via the --keyid parameter.
781
782- libtpmtss supports Intel's TSS2 Architecture Broker and Resource
783 Manager interface (tcti-tabrmd).
784
f237bfcb
TB		 785- The new eap-aka-3gpp plugin implements the 3GPP MILENAGE algorithms
786 in software. K (optionally concatenated with OPc) may be configured as
787 binary EAP secret.
788
789- CHILD_SA rekeying was fixed in charon-tkm and was slightly changed: The
790 switch to the new outbound IPsec SA now happens via SPI on the outbound
791 policy on Linux, and in case of lost rekey collisions no outbound SA/policy
792 is temporarily installed for the redundant CHILD_SA.
793
794- The new %unique-dir value for mark* settings allocates separate unique marks
795 for each CHILD_SA direction (in/out).
796
693705c7 797
d38d1fcd
AS		 798strongswan-5.5.3
799----------------
800
8622a742
TB		 801- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient
802 input validation when verifying RSA signatures. More specifically,
803 mpz_powm_sec() has two requirements regarding the passed exponent and modulus
804 that the plugin did not enforce, if these are not met the calculation will
805 result in a floating point exception that crashes the whole process.
806 This vulnerability has been registered as CVE-2017-9022.
807
808- Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1
809 parser didn't handle ASN.1 CHOICE types properly, which could result in an
810 infinite loop when parsing X.509 extensions that use such types.
811 This vulnerability has been registered as CVE-2017-9023.
812
85ee4107
TB		 813- The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
814 traffic loss. The responder now only installs the new inbound SA and delays
815 installing the outbound SA until it receives the DELETE for the replaced
816 CHILD_SA. Similarly, the inbound SA of the replaced CHILD_SA is not removed
817 for a configurable amount of seconds (charon.delete_rekeyed_delay) after the
818 DELETE has been processed to reduce the chance of dropping delayed packets.
819
820- The code base has been ported to Apple's ARM64 iOS platform, whose calling
821 conventions for variadic and regular functions are different. This means
822 assigning non-variadic functions to variadic function pointers does not work.
823 To avoid this issue the enumerator_t interface has been changed and the
824 signatures of the callback functions for enumerator_create_filter(), and the
825 invoke_function() and find_first() methods on linked_list_t have been changed.
826 The return type of find_first() also changed from status_t to bool.
827
828- Added support for fuzzing the certificate parser provided by the default
829 plugins (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure. Several
830 issues found while fuzzing these plugins were fixed.
831
832- Two new options have been added to charon's retransmission settings:
833 retransmit_limit and retransmit_jitter. The former adds an upper limit to the
834 calculated retransmission timeout, the latter randomly reduces it.
835
836- A bug in swanctl's --load-creds command was fixed that caused unencrypted
837 private keys to get unloaded if the command was called multiple times. The
838 load-key VICI command now returns the key ID of the loaded key on success.
839
840- The credential manager now enumerates local credential sets before global
841 ones. This means certificates supplied by the peer will now be preferred over
842 certificates with the same identity that may be locally stored (e.g. in the
843 certificate cache).
844
845- Added support for hardware offload of IPsec SAs as introduced by Linux 4.11
846 for hardware that supports this.
847
848- When building the libraries monolithically and statically the plugin
849 constructors are now hard-coded in each library so the plugin code is not
850 removed by the linker because it thinks none of their symbols are ever
851 referenced.
852
d38d1fcd
AS		 853- The pki tool loads the curve25519 plugin by default.
854
855
4a979994
AS		 856strongswan-5.5.2
857----------------
858
011195f1
AS		 859- Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined
860 by RFC 8031.
861
65797c9f
AS		 862- Support of Ed25519 digital signature algorithm for IKEv2 as defined by
863 draft-ietf-ipsecme-eddsa. Ed25519-based public key pairs, X.509 certificates
864 and CRLs can be generated and printed by the pki tool.
865
af9341c2
AS		 866- The new "tpm" libtpmtss plugin allows to use persistent private RSA and ECDSA
867 keys bound to a TPM 2.0 for both IKE and TLS authentication. Using the
868 TPM 2.0 object handle as keyid parameter, the pki --pub tool can extract
6885375e
AS		 869 the public key from the TPM thereby replacing the aikpub2 tool. In a similar
870 fashion pki --req can generate a PKCS#10 certificate request signed with
871 the TPM private key.
af9341c2 872
7ae95468
MW		 873- The pki tool gained support for generating certificates with the RFC 3779
874 addrblock extension. The charon addrblock plugin now dynamically narrows
875 traffic selectors based on the certificate addrblocks instead of rejecting
876 non-matching selectors completely. This allows generic connections, where
877 the allowed selectors are defined by the used certificates only.
878
e16d1005 879- In-place update of cached base and delta CRLs does not leave dozens
4a979994
AS		 880 of stale copies in cache memory.
881
e16d1005
TB		 882- Several new features for the VICI interface and the swanctl utility: Querying
883 specific pools, enumerating and unloading keys and shared secrets, loading
884 keys and certificates from PKCS#11 tokens, the ability to initiate, install
885 and uninstall connections and policies by their exact name (if multiple child
886 sections in different connections share the same name), a command to initiate
887 the rekeying of IKE and IPsec SAs, support for settings previously only
888 supported by the old config files (plain pubkeys, dscp, certificate policies,
889 IPv6 Transport Proxy Mode, NT Hash secrets, mediation extension).
890
891 Important: Due to issues with VICI bindings that map sub-sections to
892 dictionaries the CHILD_SA sections returned via list-sas now have a unique
893 name, the original name of a CHILD_SA is returned in the "name" key of its
894 section.
895
4a979994 896
8aaa6de3
AS		 897strongswan-5.5.1
898----------------
899
900- The newhope plugin implements the post-quantum NewHope key exchange algorithm
901 proposed in their 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
902 Peter Schwabe.
903
e31ed9ab
AS		 904- The libstrongswan crypto factory now offers the registration of Extended
905 Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
906 implemented by the sha3 plugin, ChaCHa20 implemented by the chapoly plugin
907 and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
908 SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
909
e6a4bd83
AS		 910- The pki tool, with help of the pkcs1 or openssl plugins, can parse private
911 keys in any of the supported formats without having to know the exact type.
912 So instead of having to specify rsa or ecdsa explicitly the keyword priv may
913 be used to indicate a private key of any type. Similarly, swanctl can load
914 any type of private key from the swanctl/private directory.
915
6b3e408b
AS		 916- The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
917 sha3 and gmp plugins.
918
e31ed9ab 919- The VICI flush-certs command flushes certificates from the volatile
8aaa6de3
AS		 920 certificate cache. Optionally the type of the certificates to be
921 flushed (e.g. type = x509_crl) can be specified.
922
a617223e
AS		 923- Setting cache_crls = yes in strongswan.conf the vici plugin saves regular,
924 base and delta CRLs to disk.
925
e6a4bd83
AS		 926- IKE fragmentation is now enabled by default with the default fragment size
927 set to 1280 bytes for both IP address families.
928
8aaa6de3
AS		 929- libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
930 tss2_tcti_finalize().
931
932
6a24637d
AS		 933strongswan-5.5.0
934----------------
935
936- The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0
937 Trusted Platform Modules. This allows the Attestation IMC/IMV pair to
938 do TPM 2.0 based attestation.
939
b977ef8e
TB		 940- The behavior during IKEv2 exchange collisions has been improved/fixed in
941 several corner cases and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND
942 notifies, as defined by RFC 7296, has been added.
8fafbffd 943
b977ef8e
TB		 944- IPsec policy priorities can be set manually (e.g. for high-priority drop
945 policies) and outbound policies may be restricted to a network interface.
946
947- The scheme for the automatically calculated default priorities has been
948 changed and now also considers port masks, which were added with 5.4.0.
949
950- FWD policies are now installed in both directions in regards to the traffic
951 selectors. Because such "outbound" FWD policies could conflict with "inbound"
952 FWD policies of other SAs they are installed with a lower priority and don't
953 have a reqid set, which allows kernel plugins to distinguish between the two
954 and prefer those with a reqid.
955
956- For outbound IPsec SAs no replay window is configured anymore.
957
958- Enhanced the functionality of the swanctl --list-conns command by listing
959 IKE_SA and CHILD_SA reauthentication and rekeying settings, and EAP/XAuth
960 identities and EAP types.
961
962- DNS servers installed by the resolve plugin are now refcounted, which should
963 fix its use with make-before-break reauthentication. Any output written to
964 stderr/stdout by resolvconf is now logged.
965
966- The methods in the kernel interfaces have been changed to take structs instead
967 of long lists of arguments. Similarly the constructors for peer_cfg_t and
968 child_cfg_t now take structs.
8fafbffd 969
6a24637d 970
b5eed58a
AS		 971strongswan-5.4.0
972----------------
973
6fc68343
TB		 974- Support for IKEv2 redirection (RFC 5685) has been added. Plugins may
975 implement the redirect_provider_t interface to decide if and when to redirect
976 connecting clients. It is also possible to redirect established IKE_SAs based
977 on different selectors via VICI/swanctl. Unless disabled in strongswan.conf
978 the charon daemon will follow redirect requests received from servers.
979
c171afea
TB		 980- The ike: prefix enables the explicit configuration of signature scheme
981 constraints against IKEv2 authentication in rightauth, which allows the use
982 of different signature schemes for trustchain verification and authentication.
983
b4337c5b
TB		 984- The initiator of an IKEv2 make-before-break reauthentication now suspends
985 online certificate revocation checks (OCSP, CRLs) until the new IKE_SA and all
986 CHILD_SAs are established. This is required if the checks are done over the
987 CHILD_SA established with the new IKE_SA. This is not possible until the
988 initiator installs this SA and that only happens after the authentication is
989 completed successfully. So we suspend the checks during the reauthentication
990 and do them afterwards, if they fail the IKE_SA is closed. This change has no
991 effect on the behavior during the authentication of the initial IKE_SA.
992
b5eed58a
AS		 993- For the vici plugin a Vici:Session Perl CPAN module has been added to allow
994 Perl applications to control and/or monitor the IKE daemon using the VICI
995 interface, similar to the existing Python egg or Ruby gem.
996
5c25780c
AS		 997- Traffic selectors with port ranges can now be configured in the Linux kernel:
998 e.g. remote_ts = 10.1.0.0/16[tcp/20-23] local_ts = dynamic[tcp/32768-65535].
999 The port range must map to a port mask, though since the kernel does not
1000 support arbitrary ranges.
1001
bebccf98
AS		 1002- The vici plugin allows the configuration of IPv4 and IPv6 address ranges
1003 in local and remote traffic selectors. Since both the Linux kernel and
1004 iptables cannot handle arbitrary ranges, address ranges are mapped to the next
1005 larger CIDR subnet by the kernel-netlink and updown plugins, respectively.
1006
1007- Implemented IKEv1 IPv4/IPv6 address subnet and range identities that can be
1008 used as owners of shared secrets.
1009
b5eed58a 1010
33895f4b
TB		 1011strongswan-5.3.5
1012----------------
1013
1014- Properly handle potential EINTR errors in sigwaitinfo(2) calls that replaced
1015 sigwait(3) calls with 5.3.4.
1016
1017- RADIUS retransmission timeouts are now configurable, courtesy of Thom Troy.
1018
1019
6590298d
AS		 1020strongswan-5.3.4
1021----------------
1022
453e204a
TB		 1023- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
1024 was caused by insufficient verification of the internal state when handling
1025 MSCHAPv2 Success messages received by the client.
1026 This vulnerability has been registered as CVE-2015-8023.
1027
6590298d
AS		 1028- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
1029 Within the strongSwan framework SHA3 is currently used for BLISS signatures
1030 only because the OIDs for other signature algorithms haven't been defined
1031 yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
1032
1033
63d37038
AS		 1034strongswan-5.3.3
1035----------------
1036
18e0d66b
TB		 1037- Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and
1038 RFC 7634 using the chacha20poly1305 ike/esp proposal keyword. The new chapoly
1039 plugin implements the cipher, if possible SSE-accelerated on x86/x64
1040 architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP
1041 backend. On Linux 4.2 or newer the kernel-netlink plugin can configure the
1042 cipher for ESP SAs.
39660798 1043
63d37038 1044- The vici interface now supports the configuration of auxiliary certification
18e0d66b
TB		 1045 authority information as CRL and OCSP URIs.
1046
1047- In the bliss plugin the c_indices derivation using a SHA-512 based random
1048 oracle has been fixed, generalized and standardized by employing the MGF1 mask
b3ab7a48 1049 generation function with SHA-512. As a consequence BLISS signatures using the
18e0d66b
TB		 1050 improved oracle are not compatible with the earlier implementation.
1051
1052- Support for auto=route with right=%any for transport mode connections has
1053 been added (the ikev2/trap-any scenario provides examples).
1054
1055- The starter daemon does not flush IPsec policies and SAs anymore when it is
1056 stopped. Already existing duplicate policies are now overwritten by the IKE
1057 daemon when it installs its policies.
1058
1059- Init limits (like charon.init_limit_half_open) can now optionally be enforced
1060 when initiating SAs via VICI. For this, IKE_SAs initiated by the daemon are
1061 now also counted as half-open SAs, which, as a side-effect, fixes the status
1062 output while connecting (e.g. in ipsec status).
1063
1064- Symmetric configuration of EAP methods in left|rightauth is now possible when
1065 mutual EAP-only authentication is used (previously, the client had to
1066 configure rightauth=eap or rightauth=any, which prevented it from using this
1067 same config as responder).
1068
1069- The initiator flag in the IKEv2 header is compared again (wasn't the case
1070 since 5.0.0) and packets that have the flag set incorrectly are again ignored.
1071
a215008c 1072- Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy
453e204a 1073 Device Health Assessment Trusted Network Connect Binding" (HCD-TNC)
a215008c
AS		 1074 document drafted by the IEEE Printer Working Group (PWG).
1075
1076- Fixed IF-M segmentation which failed in the presence of multiple small
1077 attributes in front of a huge attribute to be segmented.
1078
39660798 1079
2b19e517
TB		 1080strongswan-5.3.2
1081----------------
1082
1083- Fixed a vulnerability that allowed rogue servers with a valid certificate
1084 accepted by the client to trick it into disclosing its username and even
1085 password (if the client accepts EAP-GTC). This was caused because constraints
1086 against the responder's authentication were enforced too late.
1087 This vulnerability has been registered as CVE-2015-4171.
1088
1089
eb423ebb
AS		 1090strongswan-5.3.1
1091----------------
1092
099260d8
TB		 1093- Fixed a denial-of-service and potential remote code execution vulnerability
1094 triggered by IKEv1/IKEv2 messages that contain payloads for the respective
1095 other IKE version. Such payload are treated specially since 5.2.2 but because
1096 they were still identified by their original payload type they were used as
1097 such in some places causing invalid function pointer dereferences.
1098 The vulnerability has been registered as CVE-2015-3991.
1099
e8ba1d47
MW		 1100- The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto
1101 primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ
1102 instructions and works on both x86 and x64 architectures. It provides
1103 superior crypto performance in userland without any external libraries.
1104
1105
c6595222
AS		 1106strongswan-5.3.0
1107----------------
1108
4a00f912
MW		 1109- Added support for IKEv2 make-before-break reauthentication. By using a global
1110 CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
1111 This allows the use of make-before-break instead of the previously supported
1112 break-before-make reauthentication, avoiding connectivity gaps during that
1113 procedure. As the new mechanism may fail with peers not supporting it (such
1114 as any previous strongSwan release) it must be explicitly enabled using
1115 the charon.make_before_break strongswan.conf option.
1116
3f1ef3a6
TB		 1117- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added.
1118 This allows the use of stronger hash algorithms for public key authentication.
1119 By default, signature schemes are chosen based on the strength of the
1120 signature key, but specific hash algorithms may be configured in leftauth.
1121
1122- Key types and hash algorithms specified in rightauth are now also checked
1123 against IKEv2 signature schemes. If such constraints are used for certificate
1124 chain validation in existing configurations, in particular with peers that
1125 don't support RFC 7427, it may be necessary to disable this feature with the
1126 charon.signature_authentication_constraints setting, because the signature
1127 scheme used in classic IKEv2 public key authentication may not be strong
1128 enough.
1129
1e1e88e6
MW		 1130- The new connmark plugin allows a host to bind conntrack flows to a specific
1131 CHILD_SA by applying and restoring the SA mark to conntrack entries. This
1132 allows a peer to handle multiple transport mode connections coming over the
1133 same NAT device for client-initiated flows. A common use case is to protect
1134 L2TP/IPsec, as supported by some systems.
1135
dc88d179
MW		 1136- The forecast plugin can forward broadcast and multicast messages between
1137 connected clients and a LAN. For CHILD_SA using unique marks, it sets up
1138 the required Netfilter rules and uses a multicast/broadcast listener that
1139 forwards such messages to all connected clients. This plugin is designed for
1140 Windows 7 IKEv2 clients, which announces its services over the tunnel if the
1141 negotiated IPsec policy allows it.
1142
2185c29b
MW		 1143- For the vici plugin a Python Egg has been added to allow Python applications
1144 to control or monitor the IKE daemon using the VICI interface, similar to the
1145 existing ruby gem. The Python library has been contributed by Björn Schuberg.
1146
f05a578b
MW		 1147- EAP server methods now can fulfill public key constraints, such as rightcert
1148 or rightca. Additionally, public key and signature constraints can be
1149 specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
1150 EAP-TTLS methods provide verification details to constraints checking.
1151
27bd0fed
AS		 1152- Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B
1153 variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash
1154 algorithms with SHA512 being the default.
1155
e0359350
AS		 1156- The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
1157 as seen by the TNC server available to all IMVs. This information can be
1158 forwarded to policy enforcement points (e.g. firewalls or routers).
1159
7b4a96b2
AS		 1160- The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
1161 in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
1162 PT-TLS transport medium.
1163
4a00f912 1164
045501d5
MW		 1165strongswan-5.2.2
1166----------------
1167
919449a3
TB		 1168- Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
1169 payload that contains the Diffie-Hellman group 1025. This identifier was
1170 used internally for DH groups with custom generator and prime. Because
1171 these arguments are missing when creating DH objects based on the KE payload
1172 an invalid pointer dereference occurred. This allowed an attacker to crash
1173 the IKE daemon with a single IKE_SA_INIT message containing such a KE
1174 payload. The vulnerability has been registered as CVE-2014-9221.
1175
045501d5
MW		 1176- The left/rightid options in ipsec.conf, or any other identity in strongSwan,
1177 now accept prefixes to enforce an explicit type, such as email: or fqdn:.
1178 Note that no conversion is done for the remaining string, refer to
1179 ipsec.conf(5) for details.
1180
30a90ccf 1181- The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
32d19652
AS		 1182 an IKEv2 public key authentication method. The pki tool offers full support
1183 for the generation of BLISS key pairs and certificates.
1184
30a90ccf
TB		 1185- Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
1186 cause interoperability issues when connecting to older versions of charon.
1187
045501d5 1188
dcdcae01
MW		 1189strongswan-5.2.1
1190----------------
1191
1192- The new charon-systemd IKE daemon implements an IKE daemon tailored for use
1193 with systemd. It avoids the dependency on ipsec starter and uses swanctl
1194 as configuration backend, building a simple and lightweight solution. It
1195 supports native systemd journal logging.
1196
55758bec
TB		 1197- Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
1198 fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
1199
e9a93cb7
AS		 1200- Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
1201 All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
1202 and IETF/Installed Packages attributes can be processed incrementally on a
1203 per segment basis.
1204
9180c921
MW		 1205- The new ext-auth plugin calls an external script to implement custom IKE_SA
1206 authorization logic, courtesy of Vyronas Tsingaras.
1207
7431ad0d
MW		 1208- For the vici plugin a ruby gem has been added to allow ruby applications
1209 to control or monitor the IKE daemon. The vici documentation has been updated
1210 to include a description of the available operations and some simple examples
1211 using both the libvici C interface and the ruby gem.
1212
dcdcae01 1213
37cb91d7
AS		 1214strongswan-5.2.0
1215----------------
1216
4c5e52f5
MW		 1217- strongSwan has been ported to the Windows platform. Using a MinGW toolchain,
1218 many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2
1219 and newer releases. charon-svc implements a Windows IKE service based on
1220 libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec
1221 backend on the Windows platform. socket-win provides a native IKE socket
1222 implementation, while winhttp fetches CRL and OCSP information using the
1223 WinHTTP API.
1224
4787523c
MW		 1225- The new vici plugin provides a Versatile IKE Configuration Interface for
1226 charon. Using the stable IPC interface, external applications can configure,
1227 control and monitor the IKE daemon. Instead of scripting the ipsec tool
1228 and generating ipsec.conf, third party applications can use the new interface
1229 for more control and better reliability.
1230
b30c09ea
MW		 1231- Built upon the libvici client library, swanctl implements the first user of
1232 the VICI interface. Together with a swanctl.conf configuration file,
1233 connections can be defined, loaded and managed. swanctl provides a portable,
1234 complete IKE configuration and control interface for the command line.
73303700 1235 The first six swanctl example scenarios have been added.
b30c09ea 1236
6048d773
AS		 1237- The SWID IMV implements a JSON-based REST API which allows the exchange
1238 of SWID tags and Software IDs with the strongTNC policy manager.
1239
37cb91d7 1240- The SWID IMC can extract all installed packages from the dpkg (Debian,
3d2b36b8
TB		 1241 Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or
1242 pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using the
1243 swidGenerator (https://github.com/strongswan/swidGenerator) which generates
1244 SWID tags according to the new ISO/IEC 19770-2:2014 standard.
37cb91d7
AS		 1245
1246- All IMVs now share the access requestor ID, device ID and product info
1247 of an access requestor via a common imv_session object.
1248
9b9d5223
AS		 1249- The Attestation IMC/IMV pair supports the IMA-NG measurement format
1250 introduced with the Linux 3.13 kernel.
1251
41a4d5a4
AS		 1252- The aikgen tool generates an Attestation Identity Key bound to a TPM.
1253
03b5def0 1254- Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
6048d773 1255 Connect.
03b5def0 1256
52d77f32
MW		 1257- The ipsec.conf replay_window option defines connection specific IPsec replay
1258 windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from
1259 6Wind.
1260
37cb91d7 1261
8101e6aa
MW		 1262strongswan-5.1.3
1263----------------
1264
e59ce07b
TB		 1265- Fixed an authentication bypass vulnerability triggered by rekeying an
1266 unestablished IKEv2 SA while it gets actively initiated. This allowed an
1267 attacker to trick a peer's IKE_SA state to established, without the need to
1268 provide any valid authentication credentials. The vulnerability has been
1269 registered as CVE-2014-2338.
1270
8101e6aa
MW		 1271- The acert plugin evaluates X.509 Attribute Certificates. Group membership
1272 information encoded as strings can be used to fulfill authorization checks
1273 defined with the rightgroups option. Attribute Certificates can be loaded
1274 locally or get exchanged in IKEv2 certificate payloads.
1275
1276- The pki command gained support to generate X.509 Attribute Certificates
1277 using the --acert subcommand, while the --print command supports the ac type.
1278 The openac utility has been removed in favor of the new pki functionality.
1279
7dc7fdea
MW		 1280- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
1281 has been extended by AEAD mode support, currently limited to AES-GCM.
1282
8101e6aa 1283
acc25f29
AS		 1284strongswan-5.1.2
1285----------------
1286
c2d5add6
TB		 1287- A new default configuration file layout is introduced. The new default
1288 strongswan.conf file mainly includes config snippets from the strongswan.d
1289 and strongswan.d/charon directories (the latter containing snippets for all
1290 plugins). The snippets, with commented defaults, are automatically
1291 generated and installed, if they don't exist yet. They are also installed
1292 in $prefix/share/strongswan/templates so existing files can be compared to
1293 the current defaults.
1294
1295- As an alternative to the non-extensible charon.load setting, the plugins
1296 to load in charon (and optionally other applications) can now be determined
1297 via the charon.plugins.<name>.load setting for each plugin (enabled in the
1298 new default strongswan.conf file via the charon.load_modular option).
1299 The load setting optionally takes a numeric priority value that allows
1300 reordering the plugins (otherwise the default plugin order is preserved).
1301
1302- All strongswan.conf settings that were formerly defined in library specific
1303 "global" sections are now application specific (e.g. settings for plugins in
1304 libstrongswan.plugins can now be set only for charon in charon.plugins).
1305 The old options are still supported, which now allows to define defaults for
1306 all applications in the libstrongswan section.
1307
acc25f29
AS		 1308- The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
1309 computer IKE key exchange mechanism. The implementation is based on the
1310 ntru-crypto library from the NTRUOpenSourceProject. The supported security
1311 strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH
1312 group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be
1313 sent (charon.send_vendor_id = yes) in order to use NTRU.
1314
800b361e
AS		 1315- Defined a TPMRA remote attestation workitem and added support for it to the
1316 Attestation IMV.
1317
c2d5add6
TB		 1318- Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as
1319 well as multiple subnets in left|rightsubnet have been fixed.
1320
572582f5
MW		 1321- When enabling its "session" strongswan.conf option, the xauth-pam plugin opens
1322 and closes a PAM session for each established IKE_SA. Patch courtesy of
1323 Andrea Bonomi.
acc25f29 1324
0cec570a
MW		 1325- The strongSwan unit testing framework has been rewritten without the "check"
1326 dependency for improved flexibility and portability. It now properly supports
1327 multi-threaded and memory leak testing and brings a bunch of new test cases.
1328
1329
2b32884d
AS		 1330strongswan-5.1.1
1331----------------
1332
7b8fbd74
AS		 1333- Fixed a denial-of-service vulnerability and potential authorization bypass
1334 triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient
1335 length check when comparing such identities. The vulnerability has been
1336 registered as CVE-2013-6075.
1337
1338- Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
1339 fragmentation payload. The cause is a NULL pointer dereference. The
1340 vulnerability has been registered as CVE-2013-6076.
1341
2b32884d 1342- The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS session
1c1ba803
TB		 1343 with a strongSwan policy enforcement point which uses the tnc-pdp charon
1344 plugin.
2b32884d 1345
fa2f6aa1
AS		 1346- The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either
1347 full SWID Tag or concise SWID Tag ID inventories.
1348
38fb8e4e
MW		 1349- The XAuth backend in eap-radius now supports multiple XAuth exchanges for
1350 different credential types and display messages. All user input gets
1351 concatenated and verified with a single User-Password RADIUS attribute on
1352 the AAA. With an AAA supporting it, one for example can implement
1353 Password+Token authentication with proper dialogs on iOS and OS X clients.
1354
1355- charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf
1356 modeconfig=push option enables it for both client and server, the same way
1357 as pluto used it.
1358
390d2b50
MW		 1359- Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 connections,
1360 charon can negotiate and install Security Associations integrity-protected by
1361 the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only,
1362 but not the deprecated RFC2401 style ESP+AH bundles.
1363
1c1ba803
TB		 1364- The generation of initialization vectors for IKE and ESP (when using libipsec)
1365 is now modularized and IVs for e.g. AES-GCM are now correctly allocated
1366 sequentially, while other algorithms like AES-CBC still use random IVs.
1367
38fb8e4e
MW		 1368- The left and right options in ipsec.conf can take multiple address ranges
1369 and subnets. This allows connection matching against a larger set of
1370 addresses, for example to use a different connection for clients connecting
1371 from a internal network.
1372
34dff30c
AS		 1373- For all those who have a queasy feeling about the NIST elliptic curve set,
1374 the Brainpool curves introduced for use with IKE by RFC 6932 might be a
1375 more trustworthy alternative.
1376
390d2b50
MW		 1377- The kernel-libipsec userland IPsec backend now supports usage statistics,
1378 volume based rekeying and accepts ESPv3 style TFC padded packets.
1379
1c1ba803
TB		 1380- With two new strongswan.conf options fwmarks can be used to implement
1381 host-to-host tunnels with kernel-libipsec.
1382
38fb8e4e
MW		 1383- load-tester supports transport mode connections and more complex traffic
1384 selectors, including such using unique ports for each tunnel.
2b32884d 1385
1c1ba803
TB		 1386- The new dnscert plugin provides support for authentication via CERT RRs that
1387 are protected via DNSSEC. The plugin was created by Ruslan N. Marchenko.
1388
1389- The eap-radius plugin supports forwarding of several Cisco Unity specific
1390 RADIUS attributes in corresponding configuration payloads.
1391
1392- Database transactions are now abstracted and implemented by the two backends.
1393 If you use MySQL make sure all tables use the InnoDB engine.
1394
390d2b50
MW		 1395- libstrongswan now can provide an experimental custom implementation of the
1396 printf family functions based on klibc if neither Vstr nor glibc style printf
1397 hooks are available. This can avoid the Vstr dependency on some systems at
1398 the cost of slower and less complete printf functions.
1399
fa2f6aa1 1400
40b0a15c
MW		 1401strongswan-5.1.0
1402----------------
1403
3a938a6f
TB		 1404- Fixed a denial-of-service vulnerability triggered by specific XAuth usernames
1405 and EAP identities (since 5.0.3), and PEM files (since 4.1.11). The crash
1406 was caused by insufficient error handling in the is_asn1() function.
1407 The vulnerability has been registered as CVE-2013-5018.
1408
40b0a15c
MW		 1409- The new charon-cmd command line IKE client can establish road warrior
1410 connections using IKEv1 or IKEv2 with different authentication profiles.
1411 It does not depend on any configuration files and can be configured using a
1412 few simple command line options.
1413
1414- The kernel-pfroute networking backend has been greatly improved. It now
78e6f69e 1415 can install virtual IPs on TUN devices on OS X and FreeBSD, allowing these
40b0a15c
MW		 1416 systems to act as a client in common road warrior scenarios.
1417
78e6f69e
TB		 1418- The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec
1419 processing in userland on Linux, FreeBSD and Mac OS X.
1420
68957d18
MW		 1421- The eap-radius plugin can now serve as an XAuth backend called xauth-radius,
1422 directly verifying XAuth credentials using RADIUS User-Name/User-Password
1423 attributes. This is more efficient than the existing xauth-eap+eap-radius
1424 combination, and allows RADIUS servers without EAP support to act as AAA
1425 backend for IKEv1.
1426
78e6f69e 1427- The new osx-attr plugin installs configuration attributes (currently DNS
2334ae56
MW		 1428 servers) via SystemConfiguration on Mac OS X. The keychain plugin provides
1429 certificates from the OS X keychain service.
78e6f69e
TB		 1430
1431- The sshkey plugin parses SSH public keys, which, together with the --agent
1432 option for charon-cmd, allows the use of ssh-agent for authentication.
1433 To configure SSH keys in ipsec.conf the left|rightrsasigkey options are
1434 replaced with left|rightsigkey, which now take public keys in one of three
1435 formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and
1436 PKCS#1 (the default, no prefix).
1437
1438- Extraction of certificates and private keys from PKCS#12 files is now provided
1439 by the new pkcs12 plugin or the openssl plugin. charon-cmd (--p12) as well
1440 as charon (via P12 token in ipsec.secrets) can make use of this.
1441
40b0a15c
MW		 1442- IKEv2 can now negotiate transport mode and IPComp in NAT situations.
1443
3a938a6f 1444- IKEv2 exchange initiators now properly close an established IKE or CHILD_SA
40b0a15c
MW		 1445 on error conditions using an additional exchange, keeping state in sync
1446 between peers.
1447
226f34e0 1448- Using a SQL database interface a Trusted Network Connect (TNC) Policy Manager
78e6f69e
TB		 1449 can generate specific measurement workitems for an arbitrary number of
1450 Integrity Measurement Verifiers (IMVs) based on the history of the VPN user
1451 and/or device.
1452
1453- Several core classes in libstrongswan are now tested with unit tests. These
1454 can be enabled with --enable-unit-tests and run with 'make check'. Coverage
1455 reports can be generated with --enable-coverage and 'make coverage' (this
1456 disables any optimization, so it should not be enabled when building
1457 production releases).
1458
56b753ca
MW		 1459- The leak-detective developer tool has been greatly improved. It works much
1460 faster/stabler with multiple threads, does not use deprecated malloc hooks
1461 anymore and has been ported to OS X.
1462
78e6f69e
TB		 1463- chunk_hash() is now based on SipHash-2-4 with a random key. This provides
1464 better distribution and prevents hash flooding attacks when used with
1465 hashtables.
1466
1467- All default plugins implement the get_features() method to define features
1468 and their dependencies. The plugin loader has been improved, so that plugins
1469 in a custom load statement can be ordered freely or to express preferences
1470 without being affected by dependencies between plugin features.
1471
c3b8335c
MW		 1472- A centralized thread can take care for watching multiple file descriptors
1473 concurrently. This removes the need for a dedicated listener threads in
1474 various plugins. The number of "reserved" threads for such tasks has been
1475 reduced to about five, depending on the plugin configuration.
1476
1477- Plugins that can be controlled by a UNIX socket IPC mechanism gained network
1478 transparency. Third party applications querying these plugins now can use
1479 TCP connections from a different host.
1480
78e6f69e 1481- libipsec now supports AES-GCM.
226f34e0 1482
40b0a15c 1483
2e12fc4b
AS		 1484strongswan-5.0.4
1485----------------
1486
1487- Fixed a security vulnerability in the openssl plugin which was reported by
1488 Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944.
1489 Before the fix, if the openssl plugin's ECDSA signature verification was used,
1490 due to a misinterpretation of the error code returned by the OpenSSL
1491 ECDSA_verify() function, an empty or zeroed signature was accepted as a
1492 legitimate one.
1493
1494- The handling of a couple of other non-security relevant openssl return codes
1495 was fixed as well.
1496
1497- The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its
1498 TCG TNC IF-MAP 2.1 interface.
1499
1500- The charon.initiator_only option causes charon to ignore IKE initiation
1501 requests.
1502
bec5bf02
AS		 1503- The openssl plugin can now use the openssl-fips library.
1504
2e12fc4b 1505
d69eb037
TB		 1506strongswan-5.0.3
1507----------------
1508
1509- The new ipseckey plugin enables authentication based on trustworthy public
1510 keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
1511 To do so it uses a DNSSEC enabled resolver, like the one provided by the new
1512 unbound plugin, which is based on libldns and libunbound. Both plugins were
1513 created by Reto Guadagnini.
1514
1fc609fe
AS		 1515- Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
1516 available to an IMV. The OS IMV stores the AR identity together with the
1517 device ID in the attest database.
1518
1519- The openssl plugin now uses the AES-NI accelerated version of AES-GCM
1520 if the hardware supports it.
7a93844f 1521
96776d6f
MW		 1522- The eap-radius plugin can now assign virtual IPs to IKE clients using the
1523 Framed-IP-Address attribute by using the "%radius" named pool in the
1524 rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
1525 Unity-capable IKEv1 clients during mode config. charon now sends Interim
1526 Accounting updates if requested by the RADIUS server, reports
1527 sent/received packets in Accounting messages, and adds a Terminate-Cause
1528 to Accounting-Stops.
1529
1530- The recently introduced "ipsec listcounters" command can report connection
1531 specific counters by passing a connection name, and global or connection
1532 counters can be reset by the "ipsec resetcounters" command.
1533
1534- The strongSwan libpttls library provides an experimental implementation of
1535 PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
1536
1537- The charon systime-fix plugin can disable certificate lifetime checks on
1538 embedded systems if the system time is obviously out of sync after bootup.
1539 Certificates lifetimes get checked once the system time gets sane, closing
1540 or reauthenticating connections using expired certificates.
1541
1542- The "ikedscp" ipsec.conf option can set DiffServ code points on outgoing
1543 IKE packets.
7a93844f 1544
e34666a4
TB		 1545- The new xauth-noauth plugin allows to use basic RSA or PSK authentication with
1546 clients that cannot be configured without XAuth authentication. The plugin
1547 simply concludes the XAuth exchange successfully without actually performing
1548 any authentication. Therefore, to use this backend it has to be selected
1549 explicitly with rightauth2=xauth-noauth.
1550
db50a35a
RB		 1551- The new charon-tkm IKEv2 daemon delegates security critical operations to a
1552 separate process. This has the benefit that the network facing daemon has no
1553 knowledge of keying material used to protect child SAs. Thus subverting
1554 charon-tkm does not result in the compromise of cryptographic keys.
1555 The extracted functionality has been implemented from scratch in a minimal TCB
1556 (trusted computing base) in the Ada programming language. Further information
e4a3ef2e 1557 can be found at https://www.codelabs.ch/tkm/.
db50a35a 1558
c2a5e7bc
AS		 1559strongswan-5.0.2
1560----------------
1561
1562- Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV
1563 pair using them to transfer operating system information.
1564
a19d5913
MW		 1565- The new "ipsec listcounters" command prints a list of global counter values
1566 about received and sent IKE messages and rekeyings.
1567
343e9989
MW		 1568- A new lookip plugin can perform fast lookup of tunnel information using a
1569 clients virtual IP and can send notifications about established or deleted
1570 tunnels. The "ipsec lookip" command can be used to query such information
1571 or receive notifications.
1572
ecdd5aed
MW		 1573- The new error-notify plugin catches some common error conditions and allows
1574 an external application to receive notifications for them over a UNIX socket.
1575
6910e5c7
MW		 1576- IKE proposals can now use a PRF algorithm different to that defined for
1577 integrity protection. If an algorithm with a "prf" prefix is defined
1578 explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on
1579 the integrity algorithm is added to the proposal.
c2a5e7bc 1580
8fc7bbc6
MW		 1581- The pkcs11 plugin can now load leftcert certificates from a smartcard for a
1582 specific ipsec.conf conn section and cacert CA certificates for a specific ca
1583 section.
1584
78b2a2b1
MW		 1585- The load-tester plugin gained additional options for certificate generation
1586 and can load keys and multiple CA certificates from external files. It can
1587 install a dedicated outer IP address for each tunnel and tunnel initiation
1588 batches can be triggered and monitored externally using the
1589 "ipsec load-tester" tool.
1590
cc0cc3b5
MW		 1591- PKCS#7 container parsing has been modularized, and the openssl plugin
1592 gained an alternative implementation to decrypt and verify such files.
1593 In contrast to our own DER parser, OpenSSL can handle BER files, which is
1594 required for interoperability of our scepclient with EJBCA.
1595
f31b4180
TB		 1596- Support for the proprietary IKEv1 fragmentation extension has been added.
1597 Fragments are always handled on receipt but only sent if supported by the peer
1598 and if enabled with the new fragmentation ipsec.conf option.
1599
0e0870ae
MW		 1600- IKEv1 in charon can now parse certificates received in PKCS#7 containers and
1601 supports NAT traversal as used by Windows clients. Patches courtesy of
1602 Volker Rümelin.
1603
2f0441a3
MW		 1604- The new rdrand plugin provides a high quality / high performance random
1605 source using the Intel rdrand instruction found on Ivy Bridge processors.
1606
73791223
TB		 1607- The integration test environment was updated and now uses KVM and reproducible
1608 guest images based on Debian.
1609
1fc609fe 1610
ecfd714c
AS		 1611strongswan-5.0.1
1612----------------
1613
6f93927b
AS		 1614- Introduced the sending of the standard IETF Assessment Result
1615 PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
1616
ecfd714c
AS		 1617- Extended PTS Attestation IMC/IMV pair to provide full evidence of
1618 the Linux IMA measurement process. All pertinent file information
6f93927b 1619 of a Linux OS can be collected and stored in an SQL database.
ecfd714c
AS		 1620
1621- The PA-TNC and PB-TNC protocols can now process huge data payloads
1622 >64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
1623 and these messages over several PB-TNC batches. As long as no
b3ab7a48 1624 consolidated recommendation from all IMVs can be obtained, the TNC
ecfd714c
AS		 1625 server requests more client data by sending an empty SDATA batch.
1626
804d702b
MW		 1627- The rightgroups2 ipsec.conf option can require group membership during
1628 a second authentication round, for example during XAuth authentication
1629 against a RADIUS server.
1630
3423b3a8
MW		 1631- The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
1632 clients against any PAM service. The IKEv2 eap-gtc plugin does not use
1633 PAM directly anymore, but can use any XAuth backend to verify credentials,
1634 including xauth-pam.
1635
cc48f360
MW		 1636- The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
1637 Extension. As client, charon narrows traffic selectors to the received
1638 Split-Include attributes and automatically installs IPsec bypass policies
1639 for received Local-LAN attributes. As server, charon sends Split-Include
1640 attributes for leftsubnet definitions containing multiple subnets to Unity-
1641 aware clients.
1642
cbe244a5
TB		 1643- An EAP-Nak payload is returned by clients if the gateway requests an EAP
1644 method that the client does not support. Clients can also request a specific
1645 EAP method by configuring that method with leftauth.
1646
1647- The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
1648 these to select a different EAP method supported/requested by the client.
1649 The plugin initially requests the first registered method or the first method
1650 configured with charon.plugins.eap-dynamic.preferred.
1651
e76f3d0d
MW		 1652- The new left/rightdns options specify connection specific DNS servers to
1653 request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
1654 can be any (comma separated) combination of %config4 and %config6 to request
1655 multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
1656 IP addresses to return.
1657
69e056a2
MW		 1658- The left/rightsourceip options now accept multiple addresses or pools.
1659 leftsourceip can be any (comma separated) combination of %config4, %config6
1660 or fixed IP addresses to request. rightsourceip accepts multiple explicitly
1661 specified or referenced named pools.
1662
1663- Multiple connections can now share a single address pool when they use the
1664 same definition in one of the rightsourceip pools.
1665
4a025539
TB		 1666- The options charon.interfaces_ignore and charon.interfaces_use allow one to
1667 configure the network interfaces used by the daemon.
1668
1669- The kernel-netlink plugin supports the charon.install_virtual_ip_on option,
1670 which specifies the interface on which virtual IP addresses will be installed.
1671 If it is not specified the current behavior of using the outbound interface
1672 is preserved.
1673
1674- The kernel-netlink plugin tries to keep the current source address when
1675 looking for valid routes to reach other hosts.
1676
804d702b
MW		 1677- The autotools build has been migrated to use a config.h header. strongSwan
1678 development headers will get installed during "make install" if
1679 --with-dev-headers has been passed to ./configure.
1680
1681- All crypto primitives gained return values for most operations, allowing
1682 crypto backends to fail, for example when using hardware accelerators.
ecfd714c 1683
1fc609fe 1684
d55c2404
TB		 1685strongswan-5.0.0
1686----------------
1687
794cdbc5
MW		 1688- The charon IKE daemon gained experimental support for the IKEv1 protocol.
1689 Pluto has been removed from the 5.x series, and unless strongSwan is
1690 configured with --disable-ikev1 or --disable-ikev2, charon handles both
1691 keying protocols. The feature-set of IKEv1 in charon is almost on par with
1692 pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
1693 RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
df18934d 1694 mode.
794cdbc5 1695
d55c2404
TB		 1696- Charon's bus_t has been refactored so that loggers and other listeners are
1697 now handled separately. The single lock was previously cause for deadlocks
1698 if extensive listeners, such as the one provided by the updown plugin, wanted
1699 to acquire locks that were held by other threads which in turn tried to log
1700 messages, and thus were waiting to acquire the same lock currently held by
1701 the thread calling the listener.
1702 The implemented changes also allow the use of a read/write-lock for the
1703 loggers which increases performance if multiple loggers are registered.
1704 Besides several interface changes this last bit also changes the semantics
1705 for loggers as these may now be called by multiple threads at the same time.
1706
ed7186cb
TB		 1707- Source routes are reinstalled if interfaces are reactivated or IP addresses
1708 reappear.
1709
f97c269e
TB		 1710- The thread pool (processor_t) now has more control over the lifecycle of
1711 a job (see job.h for details). In particular, it now controls the destruction
1712 of jobs after execution and the cancellation of jobs during shutdown. Due to
1713 these changes the requeueing feature, previously available to callback_job_t
1714 only, is now available to all jobs (in addition to a new rescheduling
1715 feature).
1716
5a6e5e0d
MW		 1717- In addition to trustchain key strength definitions for different public key
1718 systems, the rightauth option now takes a list of signature hash algorithms
1719 considered save for trustchain validation. For example, the setting
1720 rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512 requires a trustchain
1721 that uses at least RSA-2048 or ECDSA-256 keys and certificate signatures
1722 using SHA-256 or better.
1723
d55c2404 1724
93d9a02e
TB		 1725strongswan-4.6.4
1726----------------
1727
1728- Fixed a security vulnerability in the gmp plugin. If this plugin was used
1729 for RSA signature verification an empty or zeroed signature was handled as
1730 a legitimate one.
1731
1732- Fixed several issues with reauthentication and address updates.
1733
1734
c224f765
AS		 1735strongswan-4.6.3
1736----------------
1737
1738- The tnc-pdp plugin implements a RADIUS server interface allowing
1739 a strongSwan TNC server to act as a Policy Decision Point.
1740
4bc7577d
MW		 1741- The eap-radius authentication backend enforces Session-Timeout attributes
1742 using RFC4478 repeated authentication and acts upon RADIUS Dynamic
1743 Authorization extensions, RFC 5176. Currently supported are disconnect
1744 requests and CoA messages containing a Session-Timeout.
1745
1746- The eap-radius plugin can forward arbitrary RADIUS attributes from and to
1747 clients using custom IKEv2 notify payloads. The new radattr plugin reads
1748 attributes to include from files and prints received attributes to the
1749 console.
c224f765
AS		 1750
1751- Added support for untruncated MD5 and SHA1 HMACs in ESP as used in
1752 RFC 4595.
1753
d7590217
TB		 1754- The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms
1755 as defined in RFC 4494 and RFC 4615, respectively.
1756
4e2e77d5 1757- The resolve plugin automatically installs nameservers via resolvconf(8),
a281494a 1758 if it is installed, instead of modifying /etc/resolv.conf directly.
c224f765 1759
5f1931ad
AS		 1760- The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110
1761 DNSKEY and PKCS#1 file format.
1762
1763
60e99b37
AS		 1764strongswan-4.6.2
1765----------------
1766
1767- Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
1768 which supports IF-TNCCS 2.0 long message types, the exclusive flags
1769 and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
1770 the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
1771
1772- Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M"
1773 standard (TLV-based messages only). TPM-based remote attestation of
de4a0c83
AS		 1774 Linux IMA (Integrity Measurement Architecture) possible. Measurement
1775 reference values are automatically stored in an SQLite database.
60e99b37 1776
a345aa26
MW		 1777- The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
1778 start/stop messages containing Username, Framed-IP and Input/Output-Octets
1779 attributes and has been tested against FreeRADIUS and Microsoft NPS.
60e99b37 1780
de4a0c83
AS		 1781- Added support for PKCS#8 encoded private keys via the libstrongswan
1782 pkcs8 plugin. This is the default format used by some OpenSSL tools since
1783 version 1.0.0 (e.g. openssl req with -keyout).
dcefa267 1784
a8958012
MW		 1785- Added session resumption support to the strongSwan TLS stack.
1786
de4a0c83 1787
acb92cb4
AS		 1788strongswan-4.6.1
1789----------------
1790
1791- Because of changing checksums before and after installation which caused
1792 the integrity tests to fail we avoided directly linking libsimaka, libtls and
1793 libtnccs to those libcharon plugins which make use of these dynamic libraries.
18f85b66
AS		 1794 Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu
1795 11.10 activated the --as-needed ld option which discards explicit links
1796 to dynamic libraries that are not actually used by the charon daemon itself,
1797 thus causing failures during the loading of the plugins which depend on these
1798 libraries for resolving external symbols.
acb92cb4 1799
53f8ac3d
TB		 1800- Therefore our approach of computing integrity checksums for plugins had to be
1801 changed radically by moving the hash generation from the compilation to the
1802 post-installation phase.
5ed3e3a7 1803
acb92cb4 1804
92a1b234 1805strongswan-4.6.0
5a2e2e0b
AS		 1806----------------
1807
37276728
MW		 1808- The new libstrongswan certexpire plugin collects expiration information of
1809 all used certificates and exports them to CSV files. It either directly
1810 exports them or uses cron style scheduling for batch exports.
1811
1812- starter passes unresolved hostnames to charon, allowing it to do name
1813 resolution not before the connection attempt. This is especially useful with
1814 connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey
1815 for the initial patch.
1816
5fd8e530
TB		 1817- The android plugin can now be used without the Android frontend patch and
1818 provides DNS server registration and logging to logcat.
1819
1820- Pluto and starter (plus stroke and whack) have been ported to Android.
1821
602ee58e
TB		 1822- Support for ECDSA private and public key operations has been added to the
1823 pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can
1824 use tokens as random number generators (RNG). By default only private key
1825 operations are enabled, more advanced features have to be enabled by their
1826 option in strongswan.conf. This also applies to public key operations (even
1827 for keys not stored on the token) which were enabled by default before.
1828
37276728
MW		 1829- The libstrongswan plugin system now supports detailed plugin dependencies.
1830 Many plugins have been extended to export its capabilities and requirements.
1831 This allows the plugin loader to resolve plugin loading order automatically,
1832 and in future releases, to dynamically load the required features on demand.
1833 Existing third party plugins are source (but not binary) compatible if they
1834 properly initialize the new get_features() plugin function to NULL.
1835
fd81ac05
AS		 1836- The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can deliver
1837 metadata about IKE_SAs via a SOAP interface to a MAP server. The tnc-ifmap
1838 plugin requires the Apache Axis2/C library.
1839
37276728 1840
5d179d19
AS		 1841strongswan-4.5.3
1842----------------
1843
a7edbd21 1844- Our private libraries (e.g. libstrongswan) are not installed directly in
b18a697a
AS		 1845 prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
1846 default). The plugins directory is also moved from libexec/ipsec/ to that
a7edbd21
TB		 1847 directory.
1848
b18a697a
AS		 1849- The dynamic IMC/IMV libraries were moved from the plugins directory to
1850 a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
1851
107ea60f
TB		 1852- Job priorities were introduced to prevent thread starvation caused by too
1853 many threads handling blocking operations (such as CRL fetching). Refer to
1854 strongswan.conf(5) for details.
1855
1856- Two new strongswan.conf options allow to fine-tune performance on IKEv2
1857 gateways by dropping IKE_SA_INIT requests on high load.
1858
f8799170 1859- IKEv2 charon daemon supports start PASS and DROP shunt policies
b18a697a 1860 preventing traffic to go through IPsec connections. Installation of the
107ea60f
TB		 1861 shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel
1862 interfaces.
f8799170 1863
93095183
TB		 1864- The history of policies installed in the kernel is now tracked so that e.g.
1865 trap policies are correctly updated when reauthenticated SAs are terminated.
1866
b18a697a
AS		 1867- IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
1868 Using "netstat -l" the IMC scans open listening ports on the TNC client
1869 and sends a port list to the IMV which based on a port policy decides if
1870 the client is admitted to the network.
1871 (--enable-imc-scanner/--enable-imv-scanner).
1872
1873- IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
5d179d19
AS		 1874 (--enable-imc-test/--enable-imv-test).
1875
4876f896
MW		 1876- The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
1877 setting, but the value defined by its own closeaction keyword. The action
1878 is triggered if the remote peer closes a CHILD_SA unexpectedly.
5d179d19 1879
5a2e2e0b 1880
6f2378c1
AS		 1881strongswan-4.5.2
1882----------------
1883
320e98c2
MW		 1884- The whitelist plugin for the IKEv2 daemon maintains an in-memory identity
1885 whitelist. Any connection attempt of peers not whitelisted will get rejected.
1886 The 'ipsec whitelist' utility provides a simple command line frontend for
1887 whitelist administration.
1888
92ebb7c5 1889- The duplicheck plugin provides a specialized form of duplicate checking,
5832d505 1890 doing a liveness check on the old SA and optionally notify a third party
92ebb7c5
MW		 1891 application about detected duplicates.
1892
1893- The coupling plugin permanently couples two or more devices by limiting
1894 authentication to previously used certificates.
1895
6f2378c1
AS		 1896- In the case that the peer config and child config don't have the same name
1897 (usually in SQL database defined connections), ipsec up|route <peer config>
1898 starts|routes all associated child configs and ipsec up|route <child config>
1899 only starts|routes the specific child config.
1900
6ca05fe2
AS		 1901- fixed the encoding and parsing of X.509 certificate policy statements (CPS).
1902
1ee7440b
AS		 1903- Duncan Salerno contributed the eap-sim-pcsc plugin implementing a
1904 pcsc-lite based SIM card backend.
1905
1906- The eap-peap plugin implements the EAP PEAP protocol. Interoperates
2778b664 1907 successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
1ee7440b 1908
cf6ca6d7
MW		 1909- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
1910 all plugins to reload. Currently only the eap-radius and the attr plugins
1911 support configuration reloading.
1912
d3d21c29
MW		 1913- Added userland support to the IKEv2 daemon for Extended Sequence Numbers
1914 support coming with Linux 2.6.39. To enable ESN on a connection, add
1915 the 'esn' keyword to the proposal. The default proposal uses 32-bit sequence
1916 numbers only ('noesn'), and the same value is used if no ESN mode is
1917 specified. To negotiate ESN support with the peer, include both, e.g.
1918 esp=aes128-sha1-esn-noesn.
1919
1920- In addition to ESN, Linux 2.6.39 gained support for replay windows larger
1921 than 32 packets. The new global strongswan.conf option 'charon.replay_window'
1922 configures the size of the replay window, in packets.
1923
6f2378c1 1924
41ba5ce7
AS		 1925strongswan-4.5.1
1926----------------
1927
1b7e081b
AS		 1928- Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP)
1929 compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol
5cdaafef 1930 requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend
1b7e081b
AS		 1931 on the libtnc library. Any available IMV/IMC pairs conforming to the
1932 Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification
e44817df 1933 can be loaded via /etc/tnc_config.
1b7e081b 1934
5cdaafef
AS		 1935- Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
1936 in place of the external libtnc library.
1937
1938- The tnccs_dynamic plugin loaded on a TNC server in addition to the
1939 tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
1940 protocol version used by a TNC client and invokes an instance of
1941 the corresponding protocol stack.
1942
41ba5ce7
AS		 1943- IKE and ESP proposals can now be stored in an SQL database using a
1944 new proposals table. The start_action field in the child_configs
1945 tables allows the automatic starting or routing of connections stored
1946 in an SQL database.
1947
1b7e081b
AS		 1948- The new certificate_authorities and certificate_distribution_points
1949 tables make it possible to store CRL and OCSP Certificate Distribution
1950 points in an SQL database.
1951
ae09bc62
TB		 1952- The new 'include' statement allows to recursively include other files in
1953 strongswan.conf. Existing sections and values are thereby extended and
1954 replaced, respectively.
1955
1956- Due to the changes in the parser for strongswan.conf, the configuration
1957 syntax for the attr plugin has changed. Previously, it was possible to
1958 specify multiple values of a specific attribute type by adding multiple
1959 key/value pairs with the same key (e.g. dns) to the plugins.attr section.
1960 Because values with the same key now replace previously defined values
1961 this is not possible anymore. As an alternative, multiple values can be
1962 specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5).
1963
840e7044
AS		 1964- ipsec listalgs now appends (set in square brackets) to each crypto
1965 algorithm listed the plugin that registered the function.
1966
e44817df
MW		 1967- Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used
1968 by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given
1969 boundary, the special value '%mtu' pads all packets to the path MTU.
1970
78a547c9
MW		 1971- The new af-alg plugin can use various crypto primitives of the Linux Crypto
1972 API using the AF_ALG interface introduced with 2.6.38. This removes the need
1973 for additional userland implementations of symmetric cipher, hash, hmac and
1974 xcbc algorithms.
44582075 1975
41ed0294 1976- The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
983a5e88
MW		 1977 responder. The notify is sent when initiating configurations with a unique
1978 policy, set in ipsec.conf via the global 'uniqueids' option.
41ed0294 1979
f0783464
MW		 1980- The conftest conformance testing framework enables the IKEv2 stack to perform
1981 many tests using a distinct tool and configuration frontend. Various hooks
1982 can alter reserved bits, flags, add custom notifies and proposals, reorder
1983 or drop messages and much more. It is enabled using the --enable-conftest
1984 ./configure switch.
1985
77eee25f 1986- The new libstrongswan constraints plugin provides advanced X.509 constraint
cf95d292 1987 checking. In addition to X.509 pathLen constraints, the plugin checks for
77eee25f
MW		 1988 nameConstraints and certificatePolicies, including policyMappings and
1989 policyConstraints. The x509 certificate plugin and the pki tool have been
96c4addc
MW		 1990 enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
1991 connection keywords take OIDs a peer certificate must have.
1992
1993- The left/rightauth ipsec.conf keywords accept values with a minimum strength
1994 for trustchain public keys in bits, such as rsa-2048 or ecdsa-256.
77eee25f 1995
fb1e7df1
MW		 1996- The revocation and x509 libstrongswan plugins and the pki tool gained basic
1997 support for delta CRLs.
1998
5cdaafef 1999
44582075
MW		 2000strongswan-4.5.0
2001----------------
2002
b14923ec
AS		 2003- IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
2004 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
ac544be2 2005 IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
b14923ec 2006 come for IKEv1 to go into retirement and to cede its place to the much more
ac544be2 2007 robust, powerful and versatile IKEv2 protocol!
b14923ec 2008
44582075
MW		 2009- Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC
2010 and Galois/Counter Modes based on existing CBC implementations. These
2011 new plugins bring support for AES and Camellia Counter and CCM algorithms
2012 and the AES GCM algorithms for use in IKEv2.
2013
84c9bc42
MW		 2014- The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and
2015 the pki utility using one or more PKCS#11 libraries. It currently supports
61df42cc 2016 RSA private and public key operations and loads X.509 certificates from
84c9bc42
MW		 2017 tokens.
2018
a782b52f
MW		 2019- Implemented a general purpose TLS stack based on crypto and credential
2020 primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2,
2021 ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based
2022 client authentication.
2023
2024- Based on libtls, the eap-tls plugin brings certificate based EAP
2025 authentication for client and server. It is compatible to Windows 7 IKEv2
61df42cc 2026 Smartcard authentication and the OpenSSL based FreeRADIUS EAP-TLS backend.
a782b52f 2027
8a1353fc
AS		 2028- Implemented the TNCCS 1.1 Trusted Network Connect protocol using the
2029 libtnc library on the strongSwan client and server side via the tnccs_11
2030 plugin and optionally connecting to a TNC@FHH-enhanced FreeRADIUS AAA server.
2031 Depending on the resulting TNC Recommendation, strongSwan clients are granted
2032 access to a network behind a strongSwan gateway (allow), are put into a
ac544be2 2033 remediation zone (isolate) or are blocked (none), respectively. Any number
8a1353fc
AS		 2034 of Integrity Measurement Collector/Verifier pairs can be attached
2035 via the tnc-imc and tnc-imv charon plugins.
2036
b3cabd1f
TB		 2037- The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2
2038 daemon charon. As a result of this, pluto now supports xfrm marks which
2039 were introduced in charon with 4.4.1.
2040
2041- Applets for Maemo 5 (Nokia) allow to easily configure and control IKEv2
2042 based VPN connections with EAP authentication on supported devices.
2043
18a4f865
MW		 2044- The RADIUS plugin eap-radius now supports multiple RADIUS servers for
2045 redundant setups. Servers are selected by a defined priority, server load and
2046 availability.
2047
2048- The simple led plugin controls hardware LEDs through the Linux LED subsystem.
2049 It currently shows activity of the IKE daemon and is a good example how to
2050 implement a simple event listener.
2051
b3cabd1f
TB		 2052- Improved MOBIKE behavior in several corner cases, for instance, if the
2053 initial responder moves to a different address.
2054
2055- Fixed left-/rightnexthop option, which was broken since 4.4.0.
2056
3f84e2d6
AS		 2057- Fixed a bug not releasing a virtual IP address to a pool if the XAUTH
2058 identity was different from the IKE identity.
2059
f6032361
AS		 2060- Fixed the alignment of ModeConfig messages on 4-byte boundaries in the
2061 case where the attributes are not a multiple of 4 bytes (e.g. Cisco's
2062 UNITY_BANNER).
2063
2064- Fixed the interoperability of the socket_raw and socket_default
2065 charon plugins.
2066
3f84e2d6
AS		 2067- Added man page for strongswan.conf
2068
a782b52f 2069
03b5e4d8
AS		 2070strongswan-4.4.1
2071----------------
2072
ec40c02a 2073- Support of xfrm marks in IPsec SAs and IPsec policies introduced
b22bb9f2
AS		 2074 with the Linux 2.6.34 kernel. For details see the example scenarios
2075 ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
ec40c02a 2076
b22bb9f2 2077- The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used
b59340a2
AS		 2078 in a user-specific updown script to set marks on inbound ESP or
2079 ESP_IN_UDP packets.
e87b78c6 2080
3561cc4b
AS		 2081- The openssl plugin now supports X.509 certificate and CRL functions.
2082
e9448cfc 2083- OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled
2db6d5b8 2084 by default. Please update manual load directives in strongswan.conf.
e9448cfc
MW		 2085
2086- RFC3779 ipAddrBlock constraint checking has been moved to the addrblock
2087 plugin, disabled by default. Enable it and update manual load directives
2088 in strongswan.conf, if required.
2089
7f3a9468
MW		 2090- The pki utility supports CRL generation using the --signcrl command.
2091
2092- The ipsec pki --self, --issue and --req commands now support output in
2093 PEM format using the --outform pem option.
2094
03b5e4d8
AS		 2095- The major refactoring of the IKEv1 Mode Config functionality now allows
2096 the transport and handling of any Mode Config attribute.
2097
e87b78c6 2098- The RADIUS proxy plugin eap-radius now supports multiple servers. Configured
b59340a2
AS		 2099 servers are chosen randomly, with the option to prefer a specific server.
2100 Non-responding servers are degraded by the selection process.
e87b78c6 2101
c5c6f9b6
AS		 2102- The ipsec pool tool manages arbitrary configuration attributes stored
2103 in an SQL database. ipsec pool --help gives the details.
2104
fe2434cf
MW		 2105- The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA,
2106 reading triplets/quintuplets from an SQL database.
2107
c8bd06c7
MW		 2108- The High Availability plugin now supports a HA enabled in-memory address
2109 pool and Node reintegration without IKE_SA rekeying. The latter allows
2110 clients without IKE_SA rekeying support to keep connected during
2111 reintegration. Additionally, many other issues have been fixed in the ha
2112 plugin.
1c1f132a 2113
c5c921bf
MW		 2114- Fixed a potential remote code execution vulnerability resulting from
2115 the misuse of snprintf(). The vulnerability is exploitable by
2116 unauthenticated users.
2117
03b5e4d8 2118
00c60592
MW		 2119strongswan-4.4.0
2120----------------
2121
d101a61f
MW		 2122- The IKEv2 High Availability plugin has been integrated. It provides
2123 load sharing and failover capabilities in a cluster of currently two nodes,
df18934d 2124 based on an extend ClusterIP kernel module.
9235edc2 2125 The development of the High Availability functionality was sponsored by
d101a61f
MW		 2126 secunet Security Networks AG.
2127
dd8cb2b0
AS		 2128- Added IKEv1 and IKEv2 configuration support for the AES-GMAC
2129 authentication-only ESP cipher. Our aes_gmac kernel patch or a Linux
2130 2.6.34 kernel is required to make AES-GMAC available via the XFRM
2131 kernel interface.
2132
4590260b
MW		 2133- Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp, gcrypt
2134 and openssl plugins, usable by both pluto and charon. The new proposal
2135 keywords are modp1024s160, modp2048s224 and modp2048s256. Thanks to Joy Latten
2136 from IBM for his contribution.
2137
9235edc2
AS		 2138- The IKEv1 pluto daemon supports RAM-based virtual IP pools using
2139 the rightsourceip directive with a subnet from which addresses
2140 are allocated.
2141
d6457833
AS		 2142- The ipsec pki --gen and --pub commands now allow the output of
2143 private and public keys in PEM format using the --outform pem
2144 command line option.
2145
2d097a0b
MW		 2146- The new DHCP plugin queries virtual IP addresses for clients from a DHCP
2147 server using broadcasts, or a defined server using the
2148 charon.plugins.dhcp.server strongswan.conf option. DNS/WINS server information
2149 is additionally served to clients if the DHCP server provides such
2150 information. The plugin is used in ipsec.conf configurations having
2151 rightsourceip set to %dhcp.
2152
6d6994c6
MW		 2153- A new plugin called farp fakes ARP responses for virtual IP addresses
2154 handed out to clients from the IKEv2 daemon charon. The plugin lets a
89bf11d2 2155 road-warrior act as a client on the local LAN if it uses a virtual IP
6d6994c6
MW		 2156 from the responders subnet, e.g. acquired using the DHCP plugin.
2157
00c60592
MW		 2158- The existing IKEv2 socket implementations have been migrated to the
2159 socket-default and the socket-raw plugins. The new socket-dynamic plugin
2160 binds sockets dynamically to ports configured via the left-/rightikeport
2161 ipsec.conf connection parameters.
2162
3e6b50ed
MW		 2163- The android charon plugin stores received DNS server information as "net.dns"
2164 system properties, as used by the Android platform.
00c60592 2165
d6457833 2166
4c68a85a
AS		 2167strongswan-4.3.6
2168----------------
2169
cdad91de 2170- The IKEv2 daemon supports RFC 3779 IP address block constraints
e98a4d80
AS		 2171 carried as a critical X.509v3 extension in the peer certificate.
2172
a7155606
AS		 2173- The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
2174 server entries that are sent via the IKEv1 Mode Config or IKEv2
2175 Configuration Payload to remote clients.
2176
f721e0fb
AS		 2177- The Camellia cipher can be used as an IKEv1 encryption algorithm.
2178
4c68a85a
AS		 2179- The IKEv1 and IKEV2 daemons now check certificate path length constraints.
2180
909c0c3d
MW		 2181- The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no traffic
2182 was sent or received within the given interval. To close the complete IKE_SA
2183 if its only CHILD_SA was inactive, set the global strongswan.conf option
aa9eeb5d
MW		 2184 "charon.inactivity_close_ike" to yes.
2185
44e41c4c
AS		 2186- More detailed IKEv2 EAP payload information in debug output
2187
2b2c69e9 2188- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
44e41c4c 2189
52fd0ef9
MW		 2190- Added required userland changes for proper SHA256 and SHA384/512 in ESP that
2191 will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
2192 configures the kernel with 128 bit truncation, not the non-standard 96
2193 bit truncation used by previous releases. To use the old 96 bit truncation
2194 scheme, the new "sha256_96" proposal keyword has been introduced.
4c68a85a 2195
2b2c69e9
MW		 2196- Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This
2197 change makes IPcomp tunnel mode connections incompatible with previous
2198 releases; disable compression on such tunnels.
2199
6ec949e0
MW		 2200- Fixed BEET mode connections on recent kernels by installing SAs with
2201 appropriate traffic selectors, based on a patch by Michael Rossberg.
2202
cdad91de
MW		 2203- Using extensions (such as BEET mode) and crypto algorithms (such as twofish,
2204 serpent, sha256_96) allocated in the private use space now require that we
2205 know its meaning, i.e. we are talking to strongSwan. Use the new
2206 "charon.send_vendor_id" option in strongswan.conf to let the remote peer know
2207 this is the case.
2208
aca9f9ab
MW		 2209- Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
2210 responder omits public key authentication in favor of a mutual authentication
2211 method. To enable EAP-only authentication, set rightauth=eap on the responder
2212 to rely only on the MSK constructed AUTH payload. This not-yet standardized
2213 extension requires the strongSwan vendor ID introduced above.
2214
0a975307
AS		 2215- The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
2216 allowing interoperability.
2217
2218
b6b90b68
MW		 2219strongswan-4.3.5
2220----------------
2221
628f023d
AS		 2222- The IKEv1 pluto daemon can now use SQL-based address pools to deal out
2223 virtual IP addresses as a Mode Config server. The pool capability has been
2224 migrated from charon's sql plugin to a new attr-sql plugin which is loaded
b42bfc79 2225 by libstrongswan and which can be used by both daemons either with a SQLite
628f023d
AS		 2226 or MySQL database and the corresponding plugin.
2227
b42bfc79
MW		 2228- Plugin names have been streamlined: EAP plugins now have a dash after eap
2229 (e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option.
2230 Plugin configuration sections in strongswan.conf now use the same name as the
2231 plugin itself (i.e. with a dash). Make sure to update "load" directives and
2232 the affected plugin sections in existing strongswan.conf files.
2233
d245f5cf
AS		 2234- The private/public key parsing and encoding has been split up into
2235 separate pkcs1, pgp, pem and dnskey plugins. The public key implementation
2236 plugins gmp, gcrypt and openssl can all make use of them.
b6b90b68 2237
55b045ab
MW		 2238- The EAP-AKA plugin can use different backends for USIM/quintuplet
2239 calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software
2240 implementation has been migrated to a separate plugin.
2241
d245f5cf 2242- The IKEv2 daemon charon gained basic PGP support. It can use locally installed
b6b90b68
MW		 2243 peer certificates and can issue signatures based on RSA private keys.
2244
2245- The new 'ipsec pki' tool provides a set of commands to maintain a public
2246 key infrastructure. It currently supports operations to create RSA and ECDSA
2247 private/public keys, calculate fingerprints and issue or verify certificates.
2248
2249- Charon uses a monotonic time source for statistics and job queueing, behaving
2250 correctly if the system time changes (e.g. when using NTP).
2251
2252- In addition to time based rekeying, charon supports IPsec SA lifetimes based
1003cf23 2253 on processed volume or number of packets. They new ipsec.conf parameters
b6b90b68
MW		 2254 'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle
2255 SA timeouts, while the parameters 'margintime' (an alias to rekeymargin),
2256 'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires.
2257 The existing parameter 'rekeyfuzz' affects all margins.
2258
85af7a89
MW		 2259- If no CA/Gateway certificate is specified in the NetworkManager plugin,
2260 charon uses a set of trusted root certificates preinstalled by distributions.
2261 The directory containing CA certificates can be specified using the
2262 --with-nm-ca-dir=path configure option.
2263
b80fa9ca 2264- Fixed the encoding of the Email relative distinguished name in left|rightid
509f70c1 2265 statements.
b80fa9ca 2266
509f70c1
AS		 2267- Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.
2268
2269- Fixed smartcard-based authentication in the pluto daemon which was broken by
2270 the ECDSA support introduced with the 4.3.2 release.
2271
cea4bd8f
AS		 2272- A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa
2273 tunnels established with the IKEv1 pluto daemon.
2274
509f70c1
AS		 2275- The pluto daemon now uses the libstrongswan x509 plugin for certificates and
2276 CRls and the struct id type was replaced by identification_t used by charon
2277 and the libstrongswan library.
18060241 2278
85af7a89 2279
430dd08a
AS		 2280strongswan-4.3.4
2281----------------
2282
2283- IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can
df18934d 2284 be found in the documentation.
430dd08a
AS		 2285
2286- ipsec statusall shows the number of bytes transmitted and received over
2287 ESP connections configured by the IKEv2 charon daemon.
2288
2289- The IKEv2 charon daemon supports include files in ipsec.secrets.
2290
2291
1c7f456a
AS		 2292strongswan-4.3.3
2293----------------
2294
aa74d705
AS		 2295- The configuration option --enable-integrity-test plus the strongswan.conf
2296 option libstrongswan.integrity_test = yes activate integrity tests
2297 of the IKE daemons charon and pluto, libstrongswan and all loaded
2298 plugins. Thus dynamic library misconfigurations and non-malicious file
2299 manipulations can be reliably detected.
2300
1c7f456a
AS		 2301- The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
2302 IKEv1 interoperability with MS Windows using the ECP DH groups 19 and 20.
2303
2304- The IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP
2305 authenticated encryption algorithms.
2306
aa74d705
AS		 2307- The IKEv1 pluto daemon now supports V4 OpenPGP keys.
2308
2309- The RDN parser vulnerability discovered by Orange Labs research team
2310 was not completely fixed in version 4.3.2. Some more modifications
2311 had to be applied to the asn1_length() function to make it robust.
2312
1c7f456a 2313
80c0710c
MW		 2314strongswan-4.3.2
2315----------------
2316
2317- The new gcrypt plugin provides symmetric cipher, hasher, RNG, Diffie-Hellman
2318 and RSA crypto primitives using the LGPL licensed GNU gcrypt library.
2319
2320- libstrongswan features an integrated crypto selftest framework for registered
2321 algorithms. The test-vector plugin provides a first set of test vectors and
2322 allows pluto and charon to rely on tested crypto algorithms.
2323
b32af120
AS		 2324- pluto can now use all libstrongswan plugins with the exception of x509 and xcbc.
2325 Thanks to the openssl plugin, the ECP Diffie-Hellman groups 19, 20, 21, 25, and
2326 26 as well as ECDSA-256, ECDSA-384, and ECDSA-521 authentication can be used
2327 with IKEv1.
126f2130
AS		 2328
2329- Applying their fuzzing tool, the Orange Labs vulnerability research team found
2330 another two DoS vulnerabilities, one in the rather old ASN.1 parser of Relative
2331 Distinguished Names (RDNs) and a second one in the conversion of ASN.1 UTCTIME
2332 and GENERALIZEDTIME strings to a time_t value.
b6b90b68 2333
b32af120 2334
3bf7c249
MW		 2335strongswan-4.3.1
2336----------------
2337
2338- The nm plugin now passes DNS/NBNS server information to NetworkManager,
09dbca9f 2339 allowing a gateway administrator to set DNS/NBNS configuration on clients
3bf7c249
MW		 2340 dynamically.
2341
09dbca9f
MW		 2342- The nm plugin also accepts CA certificates for gateway authentication. If
2343 a CA certificate is configured, strongSwan uses the entered gateway address
b3ab7a48 2344 as its identity, requiring the gateways certificate to contain the same as
09dbca9f
MW		 2345 subjectAltName. This allows a gateway administrator to deploy the same
2346 certificates to Windows 7 and NetworkManager clients.
047b2e42 2347
050cc582
AS		 2348- The command ipsec purgeike deletes IKEv2 SAs that don't have a CHILD SA.
2349 The command ipsec down <conn>{n} deletes CHILD SA instance n of connection
2350 <conn> whereas ipsec down <conn>{*} deletes all CHILD SA instances.
2351 The command ipsec down <conn>[n] deletes IKE SA instance n of connection
2352 <conn> plus dependent CHILD SAs whereas ipsec down <conn>[*] deletes all
2353 IKE SA instances of connection <conn>.
2354
09dbca9f 2355- Fixed a regression introduced in 4.3.0 where EAP authentication calculated
047b2e42
MW		 2356 the AUTH payload incorrectly. Further, the EAP-MSCHAPv2 MSK key derivation
2357 has been updated to be compatible with the Windows 7 Release Candidate.
2358
2359- Refactored installation of triggering policies. Routed policies are handled
2360 outside of IKE_SAs to keep them installed in any case. A tunnel gets
2361 established only once, even if initiation is delayed due network outages.
2362
050cc582
AS		 2363- Improved the handling of multiple acquire signals triggered by the kernel.
2364
2365- Fixed two DoS vulnerabilities in the charon daemon that were discovered by
2366 fuzzing techniques: 1) Sending a malformed IKE_SA_INIT request leaved an
2367 incomplete state which caused a null pointer dereference if a subsequent
2368 CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
17c99722 2369 a missing TSi or TSr payload caused a null pointer dereference because the
b6b90b68 2370 checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
f3bb1bd0 2371 developed by the Orange Labs vulnerability research team. The tool was
050cc582
AS		 2372 initially written by Gabriel Campana and is now maintained by Laurent Butti.
2373
047b2e42
MW		 2374- Added support for AES counter mode in ESP in IKEv2 using the proposal
2375 keywords aes128ctr, aes192ctr and aes256ctr.
2376
d44fd821 2377- Further progress in refactoring pluto: Use of the curl and ldap plugins
050cc582
AS		 2378 for fetching crls and OCSP. Use of the random plugin to get keying material
2379 from /dev/random or /dev/urandom. Use of the openssl plugin as an alternative
d44fd821 2380 to the aes, des, sha1, sha2, and md5 plugins. The blowfish, twofish, and
050cc582 2381 serpent encryption plugins are now optional and are not enabled by default.
d44fd821
AS		 2382
2383
247e665a
AS		 2384strongswan-4.3.0
2385----------------
2386
81fc8e5f
MW		 2387- Support for the IKEv2 Multiple Authentication Exchanges extension (RFC4739).
2388 Initiators and responders can use several authentication rounds (e.g. RSA
2389 followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and
2390 leftauth2/rightauth2 parameters define own authentication rounds or setup
b3ab7a48 2391 constraints for the remote peer. See the ipsec.conf man page for more details.
81fc8e5f
MW		 2392
2393- If glibc printf hooks (register_printf_function) are not available,
2394 strongSwan can use the vstr string library to run on non-glibc systems.
2395
558c89e7
AS		 2396- The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC cipher
2397 (esp=camellia128|192|256).
247e665a 2398
558c89e7
AS		 2399- Refactored the pluto and scepclient code to use basic functions (memory
2400 allocation, leak detective, chunk handling, printf_hooks, strongswan.conf
2401 attributes, ASN.1 parser, etc.) from the libstrongswan library.
b752f873 2402
558c89e7
AS		 2403- Up to two DNS and WINS servers to be sent via IKEv1 ModeConfig can be
2404 configured in the pluto section of strongswan.conf.
dfd7ba80 2405
247e665a 2406
623bca40
AS		 2407strongswan-4.2.14
2408-----------------
2409
22180558 2410- The new server-side EAP RADIUS plugin (--enable-eap-radius)
f3bb1bd0 2411 relays EAP messages to and from a RADIUS server. Successfully
22180558
AS		 2412 tested with with a freeradius server using EAP-MD5 and EAP-SIM.
2413
79b27294
AS		 2414- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
2415 Gerd v. Egidy <gerd.von.egidy@intra2net.com> of Intra2net AG affecting
2416 all Openswan and strongSwan releases. A malicious (or expired ISAKMP)
2417 R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet can cause the
2418 pluto IKE daemon to crash and restart. No authentication or encryption
2419 is required to trigger this bug. One spoofed UDP packet can cause the
2420 pluto IKE daemon to restart and be unresponsive for a few seconds while
2421 restarting. This DPD null state vulnerability has been officially
2422 registered as CVE-2009-0790 and is fixed by this release.
2423
22180558
AS		 2424- ASN.1 to time_t conversion caused a time wrap-around for
2425 dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
2426 As a workaround such dates are set to the maximum representable
2427 time, i.e. Jan 19 03:14:07 UTC 2038.
2428
2429- Distinguished Names containing wildcards (*) are not sent in the
b6b90b68 2430 IDr payload anymore.
623bca40
AS		 2431
2432
076e7853
AS		 2433strongswan-4.2.13
2434-----------------
2435
2436- Fixed a use-after-free bug in the DPD timeout section of the
2437 IKEv1 pluto daemon which sporadically caused a segfault.
2438
f3bb1bd0 2439- Fixed a crash in the IKEv2 charon daemon occurring with
b6b90b68 2440 mixed RAM-based and SQL-based virtual IP address pools.
076e7853 2441
f15483ef
AS		 2442- Fixed ASN.1 parsing of algorithmIdentifier objects where the
2443 parameters field is optional.
2444
03991bc1
MW		 2445- Ported nm plugin to NetworkManager 7.1.
2446
076e7853 2447
bfde75ee 2448strongswan-4.2.12
076e7853 2449-----------------
bfde75ee
AS		 2450
2451- Support of the EAP-MSCHAPv2 protocol enabled by the option
2452 --enable-eap-mschapv2. Requires the MD4 hash algorithm enabled
2453 either by --enable-md4 or --enable-openssl.
2454
2455- Assignment of up to two DNS and up to two WINS servers to peers via
b6b90b68 2456 the IKEv2 Configuration Payload (CP). The IPv4 or IPv6 nameserver
bfde75ee
AS		 2457 addresses are defined in strongswan.conf.
2458
2459- The strongSwan applet for the Gnome NetworkManager is now built and
2460 distributed as a separate tarball under the name NetworkManager-strongswan.
2461
b6b90b68 2462
0519ca90
AS		 2463strongswan-4.2.11
2464-----------------
2465
ae1ae574
AS		 2466- Fixed ESP NULL encryption broken by the refactoring of keymat.c.
2467 Also introduced proper initialization and disposal of keying material.
2468
2469- Fixed the missing listing of connection definitions in ipsec statusall
2470 broken by an unfortunate local variable overload.
0519ca90
AS		 2471
2472
4856241c
MW		 2473strongswan-4.2.10
2474-----------------
2475
2476- Several performance improvements to handle thousands of tunnels with almost
2477 linear upscaling. All relevant data structures have been replaced by faster
2478 counterparts with better lookup times.
2479
2480- Better parallelization to run charon on multiple cores. Due to improved
1003cf23 2481 resource locking and other optimizations the daemon can take full
4856241c
MW		 2482 advantage of 16 or even more cores.
2483
2484- The load-tester plugin can use a NULL Diffie-Hellman group and simulate
2485 unique identities and certificates by signing peer certificates using a CA
2486 on the fly.
2487
2488- The redesigned stroke in-memory IP pool handles leases. The "ipsec leases"
2489 command queries assigned leases.
2490
2491- Added support for smartcards in charon by using the ENGINE API provided by
2492 OpenSSL, based on patches by Michael Roßberg.
2493
2494- The Padlock plugin supports the hardware RNG found on VIA CPUs to provide a
2495 reliable source of randomness.
2496
73937bd8
MW		 2497strongswan-4.2.9
2498----------------
2499
509e07c5
AS		 2500- Flexible configuration of logging subsystem allowing to log to multiple
2501 syslog facilities or to files using fine-grained log levels for each target.
73937bd8
MW		 2502
2503- Load testing plugin to do stress testing of the IKEv2 daemon against self
2504 or another host. Found and fixed issues during tests in the multi-threaded
2505 use of the OpenSSL plugin.
2506
2507- Added profiling code to synchronization primitives to find bottlenecks if
7bdc931e 2508 running on multiple cores. Found and fixed an issue where parts of the
73937bd8
MW		 2509 Diffie-Hellman calculation acquired an exclusive lock. This greatly improves
2510 parallelization to multiple cores.
2511
509e07c5
AS		 2512- updown script invocation has been separated into a plugin of its own to
2513 further slim down the daemon core.
73937bd8 2514
509e07c5 2515- Separated IKE_SA/CHILD_SA key derivation process into a closed system,
7bdc931e 2516 allowing future implementations to use a secured environment in e.g. kernel
73937bd8
MW		 2517 memory or hardware.
2518
509e07c5
AS		 2519- The kernel interface of charon has been modularized. XFRM NETLINK (default)
2520 and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec
2521 stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS
2522 IPsec stack (--enable-kernel-klips) are provided.
2523
2524- Basic Mobile IPv6 support has been introduced, securing Binding Update
2525 messages as well as tunneled traffic between Mobile Node and Home Agent.
2526 The installpolicy=no option allows peaceful cooperation with a dominant
2527 mip6d daemon and the new type=transport_proxy implements the special MIPv6
2528 IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
f3bb1bd0 2529 but the IPsec SA is set up for the Home Address.
7bdc931e 2530
4dc0dce8
AS		 2531- Implemented migration of Mobile IPv6 connections using the KMADDRESS
2532 field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
2533 via the Linux 2.6.28 (or appropriately patched) kernel.
2534
73937bd8 2535
e39b271b
AS		 2536strongswan-4.2.8
2537----------------
2538
5dadb16e 2539- IKEv2 charon daemon supports authentication based on raw public keys
e39b271b
AS		 2540 stored in the SQL database backend. The ipsec listpubkeys command
2541 lists the available raw public keys via the stroke interface.
2542
4f0241e6
MW		 2543- Several MOBIKE improvements: Detect changes in NAT mappings in DPD exchanges,
2544 handle events if kernel detects NAT mapping changes in UDP-encapsulated
2db6d5b8 2545 ESP packets (requires kernel patch), reuse old addresses in MOBIKE updates as
4f0241e6
MW		 2546 long as possible and other fixes.
2547
5dadb16e
AS		 2548- Fixed a bug in addr_in_subnet() which caused insertion of wrong source
2549 routes for destination subnets having netwmasks not being a multiple of 8 bits.
2550 Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
2551
e39b271b 2552
e376d75f
MW		 2553strongswan-4.2.7
2554----------------
2555
b37cda82
AS		 2556- Fixed a Denial-of-Service vulnerability where an IKE_SA_INIT message with
2557 a KE payload containing zeroes only can cause a crash of the IKEv2 charon
2558 daemon due to a NULL pointer returned by the mpz_export() function of the
2559 GNU Multiprecision Library (GMP). Thanks go to Mu Dynamics Research Labs
b6b90b68 2560 for making us aware of this problem.
b37cda82 2561
b6b90b68 2562- The new agent plugin provides a private key implementation on top of an
e376d75f
MW		 2563 ssh-agent.
2564
2565- The NetworkManager plugin has been extended to support certificate client
b1f47854 2566 authentication using RSA keys loaded from a file or using ssh-agent.
e376d75f
MW		 2567
2568- Daemon capability dropping has been ported to libcap and must be enabled
2569 explicitly --with-capabilities=libcap. Future version will support the
2570 newer libcap2 library.
2571
b37cda82
AS		 2572- ipsec listalgs lists the IKEv2 cryptografic algorithms registered with the
2573 charon keying daemon.
2574
2575
9f9d6ece
AS		 2576strongswan-4.2.6
2577----------------
2578
609166f4
MW		 2579- A NetworkManager plugin allows GUI-based configuration of road-warrior
2580 clients in a simple way. It features X509 based gateway authentication
2581 and EAP client authentication, tunnel setup/teardown and storing passwords
2582 in the Gnome Keyring.
2583
2584- A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt and allows
2585 username/password authentication against any PAM service on the gateway.
b6b90b68 2586 The new EAP method interacts nicely with the NetworkManager plugin and allows
609166f4
MW		 2587 client authentication against e.g. LDAP.
2588
2589- Improved support for the EAP-Identity method. The new ipsec.conf eap_identity
2590 parameter defines an additional identity to pass to the server in EAP
2591 authentication.
2592
9f9d6ece
AS		 2593- The "ipsec statusall" command now lists CA restrictions, EAP
2594 authentication types and EAP identities.
2595
2596- Fixed two multithreading deadlocks occurring when starting up
2597 several hundred tunnels concurrently.
2598
2599- Fixed the --enable-integrity-test configure option which
2600 computes a SHA-1 checksum over the libstrongswan library.
2601
2602
174216c7
AS		 2603strongswan-4.2.5
2604----------------
2605
b6b90b68 2606- Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
8124e491
AS		 2607
2608- Improved the performance of the SQL-based virtual IP address pool
2609 by introducing an additional addresses table. The leases table
2610 storing only history information has become optional and can be
2611 disabled by setting charon.plugins.sql.lease_history = no in
2612 strongswan.conf.
2613
eb0cc338 2614- The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
de5f70e7 2615 and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
eb0cc338 2616
174216c7
AS		 2617- management of different virtual IP pools for different
2618 network interfaces have become possible.
2619
b6b90b68 2620- fixed a bug which prevented the assignment of more than 256
174216c7
AS		 2621 virtual IP addresses from a pool managed by an sql database.
2622
8124e491
AS		 2623- fixed a bug which did not delete own IPCOMP SAs in the kernel.
2624
b6b90b68 2625
179dd12c
AS		 2626strongswan-4.2.4
2627----------------
2628
9de95037
AS		 2629- Added statistics functions to ipsec pool --status and ipsec pool --leases
2630 and input validation checks to various ipsec pool commands.
179dd12c 2631
73a8eed3 2632- ipsec statusall now lists all loaded charon plugins and displays
9de95037 2633 the negotiated IKEv2 cipher suite proposals.
73a8eed3
AS		 2634
2635- The openssl plugin supports the elliptic curve Diffie-Hellman groups
2636 19, 20, 21, 25, and 26.
2637
2638- The openssl plugin supports ECDSA authentication using elliptic curve
2639 X.509 certificates.
2640
2641- Fixed a bug in stroke which caused multiple charon threads to close
2642 the file descriptors during packet transfers over the stroke socket.
b6b90b68 2643
e0bb4dbb
AS		 2644- ESP sequence numbers are now migrated in IPsec SA updates handled by
2645 MOBIKE. Works only with Linux kernels >= 2.6.17.
2646
179dd12c 2647
83d9e870
AS		 2648strongswan-4.2.3
2649----------------
2650
b6b90b68 2651- Fixed the strongswan.conf path configuration problem that occurred when
83d9e870
AS		 2652 --sysconfig was not set explicitly in ./configure.
2653
2654- Fixed a number of minor bugs that where discovered during the 4th
2655 IKEv2 interoperability workshop in San Antonio, TX.
2656
2657
7f491111
MW		 2658strongswan-4.2.2
2659----------------
2660
a57cd446
AS		 2661- Plugins for libstrongswan and charon can optionally be loaded according
2662 to a configuration in strongswan.conf. Most components provide a
7f491111 2663 "load = " option followed by a space separated list of plugins to load.
a57cd446
AS		 2664 This allows e.g. the fallback from a hardware crypto accelerator to
2665 to software-based crypto plugins.
7f491111
MW		 2666
2667- Charons SQL plugin has been extended by a virtual IP address pool.
a57cd446
AS		 2668 Configurations with a rightsourceip=%poolname setting query a SQLite or
2669 MySQL database for leases. The "ipsec pool" command helps in administrating
2670 the pool database. See ipsec pool --help for the available options
2671
2672- The Authenticated Encryption Algorithms AES-CCM-8/12/16 and AES-GCM-8/12/16
b6b90b68 2673 for ESP are now supported starting with the Linux 2.6.25 kernel. The
a57cd446
AS		 2674 syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
2675
7f491111 2676
5c5d67d6
AS		 2677strongswan-4.2.1
2678----------------
2679
c306dfb1 2680- Support for "Hash and URL" encoded certificate payloads has been implemented
b1f8fc0c
TB		 2681 in the IKEv2 daemon charon. Using the "certuribase" option of a CA section
2682 allows to assign a base URL to all certificates issued by the specified CA.
2683 The final URL is then built by concatenating that base and the hex encoded
2684 SHA1 hash of the DER encoded certificate. Note that this feature is disabled
2685 by default and must be enabled using the option "charon.hash_and_url".
5c5d67d6 2686
58caabf7
MW		 2687- The IKEv2 daemon charon now supports the "uniqueids" option to close multiple
2688 IKE_SAs with the same peer. The option value "keep" prefers existing
2689 connection setups over new ones, where the value "replace" replaces existing
2690 connections.
b6b90b68 2691
f3bb1bd0 2692- The crypto factory in libstrongswan additionally supports random number
58caabf7 2693 generators, plugins may provide other sources of randomness. The default
c306dfb1 2694 plugin reads raw random data from /dev/(u)random.
58caabf7 2695
b6b90b68 2696- Extended the credential framework by a caching option to allow plugins
58caabf7 2697 persistent caching of fetched credentials. The "cachecrl" option has been
c306dfb1 2698 re-implemented.
58caabf7
MW		 2699
2700- The new trustchain verification introduced in 4.2.0 has been parallelized.
2701 Threads fetching CRL or OCSP information no longer block other threads.
5c5d67d6 2702
58caabf7
MW		 2703- A new IKEv2 configuration attribute framework has been introduced allowing
2704 plugins to provide virtual IP addresses, and in the future, other
2705 configuration attribute services (e.g. DNS/WINS servers).
5c5d67d6 2706
466abb49 2707- The stroke plugin has been extended to provide virtual IP addresses from
58caabf7
MW		 2708 a pool defined in ipsec.conf. The "rightsourceip" parameter now accepts
2709 address pools in CIDR notation (e.g. 10.1.1.0/24). The parameter also accepts
2710 the value "%poolname", where "poolname" identifies a pool provided by a
466abb49 2711 separate plugin.
58caabf7 2712
c306dfb1 2713- Fixed compilation on uClibc and a couple of other minor bugs.
58caabf7 2714
c306dfb1 2715- Set DPD defaults in ipsec starter to dpd_delay=30s and dpd_timeout=150s.
466abb49
AS		 2716
2717- The IKEv1 pluto daemon now supports the ESP encryption algorithm CAMELLIA
c306dfb1 2718 with key lengths of 128, 192, and 256 bits, as well as the authentication
466abb49
AS		 2719 algorithm AES_XCBC_MAC. Configuration example: esp=camellia192-aesxcbc.
2720
5c5d67d6 2721
a11ea97d
AS		 2722strongswan-4.2.0
2723----------------
2724
16f5dacd
MW		 2725- libstrongswan has been modularized to attach crypto algorithms,
2726 credential implementations (keys, certificates) and fetchers dynamically
2727 through plugins. Existing code has been ported to plugins:
2728 - RSA/Diffie-Hellman implementation using the GNU Multi Precision library
2729 - X509 certificate system supporting CRLs, OCSP and attribute certificates
2730 - Multiple plugins providing crypto algorithms in software
2731 - CURL and OpenLDAP fetcher
a11ea97d 2732
16f5dacd
MW		 2733- libstrongswan gained a relational database API which uses pluggable database
2734 providers. Plugins for MySQL and SQLite are available.
2735
2736- The IKEv2 keying daemon charon is more extensible. Generic plugins may provide
2737 connection configuration, credentials and EAP methods or control the daemon.
2738 Existing code has been ported to plugins:
2739 - EAP-AKA, EAP-SIM, EAP-MD5 and EAP-Identity
2740 - stroke configuration, credential and control (compatible to pluto)
2741 - XML bases management protocol to control and query the daemon
2742 The following new plugins are available:
2743 - An experimental SQL configuration, credential and logging plugin on
2744 top of either MySQL or SQLite
2745 - A unit testing plugin to run tests at daemon startup
2746
2747- The authentication and credential framework in charon has been heavily
2748 refactored to support modular credential providers, proper
2749 CERTREQ/CERT payload exchanges and extensible authorization rules.
2750
89bd016e 2751- The framework of strongSwan Manager has evolved to the web application
16f5dacd
MW		 2752 framework libfast (FastCGI Application Server w/ Templates) and is usable
2753 by other applications.
b6b90b68 2754
a11ea97d 2755
6859f760
AS		 2756strongswan-4.1.11
2757-----------------
fb6d76cd 2758
a561f74d
AS		 2759- IKE rekeying in NAT situations did not inherit the NAT conditions
2760 to the rekeyed IKE_SA so that the UDP encapsulation was lost with
2761 the next CHILD_SA rekeying.
2762
2763- Wrong type definition of the next_payload variable in id_payload.c
b6b90b68 2764 caused an INVALID_SYNTAX error on PowerPC platforms.
fb6d76cd 2765
e6b50b3f
AS		 2766- Implemented IKEv2 EAP-SIM server and client test modules that use
2767 triplets stored in a file. For details on the configuration see
2768 the scenario 'ikev2/rw-eap-sim-rsa'.
2769
fb6d76cd 2770
83e0d841
AS		 2771strongswan-4.1.10
2772-----------------
2773
2774- Fixed error in the ordering of the certinfo_t records in the ocsp cache that
b6b90b68 2775 caused multiple entries of the same serial number to be created.
83e0d841 2776
fdc7c943
MW		 2777- Implementation of a simple EAP-MD5 module which provides CHAP
2778 authentication. This may be interesting in conjunction with certificate
2779 based server authentication, as weak passwords can't be brute forced
2780 (in contradiction to traditional IKEv2 PSK).
2781
2782- A complete software based implementation of EAP-AKA, using algorithms
2783 specified in 3GPP2 (S.S0055). This implementation does not use an USIM,
2784 but reads the secrets from ipsec.secrets. Make sure to read eap_aka.h
2785 before using it.
2786
2787- Support for vendor specific EAP methods using Expanded EAP types. The
b6b90b68 2788 interface to EAP modules has been slightly changed, so make sure to
fdc7c943 2789 check the changes if you're already rolling your own modules.
83e0d841 2790
fb6d76cd 2791
5076770c
AS		 2792strongswan-4.1.9
2793----------------
2794
800b3356
AS		 2795- The default _updown script now dynamically inserts and removes ip6tables
2796 firewall rules if leftfirewall=yes is set in IPv6 connections. New IPv6
2797 net-net and roadwarrior (PSK/RSA) scenarios for both IKEv1 and IKEV2 were
2798 added.
5076770c 2799
6f274c2a
MW		 2800- Implemented RFC4478 repeated authentication to force EAP/Virtual-IP clients
2801 to reestablish an IKE_SA within a given timeframe.
2802
2803- strongSwan Manager supports configuration listing, initiation and termination
2804 of IKE and CHILD_SAs.
2805
2806- Fixes and improvements to multithreading code.
2807
8b678ad4 2808- IKEv2 plugins have been renamed to libcharon-* to avoid naming conflicts.
b6b90b68 2809 Make sure to remove the old plugins in $libexecdir/ipsec, otherwise they get
8b678ad4 2810 loaded twice.
5076770c 2811
83e0d841 2812
b82e8231
AS		 2813strongswan-4.1.8
2814----------------
2815
5076770c 2816- Removed recursive pthread mutexes since uClibc doesn't support them.
b82e8231
AS		 2817
2818
a4a3632c
AS		 2819strongswan-4.1.7
2820----------------
2821
2822- In NAT traversal situations and multiple queued Quick Modes,
2823 those pending connections inserted by auto=start after the
2db6d5b8 2824 port floating from 500 to 4500 were erroneously deleted.
a4a3632c 2825
6e193274 2826- Added a "forceencaps" connection parameter to enforce UDP encapsulation
078b6008 2827 to surmount restrictive firewalls. NAT detection payloads are faked to
6e193274
MW		 2828 simulate a NAT situation and trick the other peer into NAT mode (IKEv2 only).
2829
2830- Preview of strongSwan Manager, a web based configuration and monitoring
df18934d 2831 application. It uses a new XML control interface to query the IKEv2 daemon.
6e193274
MW		 2832
2833- Experimental SQLite configuration backend which will provide the configuration
2834 interface for strongSwan Manager in future releases.
2835
2836- Further improvements to MOBIKE support.
2837
a4a3632c 2838
3dcf9dbd
AS		 2839strongswan-4.1.6
2840----------------
2841
3eac4dfd
AS		 2842- Since some third party IKEv2 implementations run into
2843 problems with strongSwan announcing MOBIKE capability per
2844 default, MOBIKE can be disabled on a per-connection-basis
2845 using the mobike=no option. Whereas mobike=no disables the
2846 sending of the MOBIKE_SUPPORTED notification and the floating
2847 to UDP port 4500 with the IKE_AUTH request even if no NAT
2848 situation has been detected, strongSwan will still support
2849 MOBIKE acting as a responder.
2850
2851- the default ipsec routing table plus its corresponding priority
2852 used for inserting source routes has been changed from 100 to 220.
2853 It can be configured using the --with-ipsec-routing-table and
b6b90b68
MW		 2854 --with-ipsec-routing-table-prio options.
2855
bdc0b55b
AS		 2856- the --enable-integrity-test configure option tests the
2857 integrity of the libstrongswan crypto code during the charon
2858 startup.
b6b90b68 2859
3eac4dfd
AS		 2860- the --disable-xauth-vid configure option disables the sending
2861 of the XAUTH vendor ID. This can be used as a workaround when
2862 interoperating with some Windows VPN clients that get into
2863 trouble upon reception of an XAUTH VID without eXtended
2864 AUTHentication having been configured.
b6b90b68 2865
f872f9d1
AS		 2866- ipsec stroke now supports the rereadsecrets, rereadaacerts,
2867 rereadacerts, and listacerts options.
3dcf9dbd
AS		 2868
2869
7ad634a2
AS		 2870strongswan-4.1.5
2871----------------
2872
2873- If a DNS lookup failure occurs when resolving right=%<FQDN>
2874 or right=<FQDN> combined with rightallowany=yes then the
2875 connection is not updated by ipsec starter thus preventing
2876 the disruption of an active IPsec connection. Only if the DNS
2877 lookup successfully returns with a changed IP address the
2878 corresponding connection definition is updated.
2879
8f5b363c
MW		 2880- Routes installed by the keying daemons are now in a separate
2881 routing table with the ID 100 to avoid conflicts with the main
2882 table. Route lookup for IKEv2 traffic is done in userspace to ignore
2883 routes installed for IPsec, as IKE traffic shouldn't get encapsulated.
2884
7ad634a2 2885
e93c68ba
AS		 2886strongswan-4.1.4
2887----------------
2888
f6aafb30 2889- The pluto IKEv1 daemon now exhibits the same behavior as its
e93c68ba
AS		 2890 IKEv2 companion charon by inserting an explicit route via the
2891 _updown script only if a sourceip exists. This is admissible
2892 since routing through the IPsec tunnel is handled automatically
b7af55ac
AS		 2893 by NETKEY's IPsec policies. As a consequence the left|rightnexthop
2894 parameter is not required any more.
078ce348
AS		 2895
2896- The new IKEv1 parameter right|leftallowany parameters helps to handle
2897 the case where both peers possess dynamic IP addresses that are
2898 usually resolved using DynDNS or a similar service. The configuration
2899
2900 right=peer.foo.bar
2901 rightallowany=yes
2902
2903 can be used by the initiator to start up a connection to a peer
2904 by resolving peer.foo.bar into the currently allocated IP address.
2905 Thanks to the rightallowany flag the connection behaves later on
2906 as
2907
53f8ac3d 2908 right=%any
078ce348
AS		 2909
2910 so that the peer can rekey the connection as an initiator when his
1fbdab85
AS		 2911 IP address changes. An alternative notation is
2912
2913 right=%peer.foo.bar
2914
2915 which will implicitly set rightallowany=yes.
2916
2917- ipsec starter now fails more gracefully in the presence of parsing
2918 errors. Flawed ca and conn section are discarded and pluto is started
2919 if non-fatal errors only were encountered. If right=%peer.foo.bar
2920 cannot be resolved by DNS then right=%any will be used so that passive
2921 connections as a responder are still possible.
078ce348 2922
a0a0bdd7
AS		 2923- The new pkcs11initargs parameter that can be placed in the
2924 setup config section of /etc/ipsec.conf allows the definition
2925 of an argument string that is used with the PKCS#11 C_Initialize()
2926 function. This non-standard feature is required by the NSS softoken
2927 library. This patch was contributed by Robert Varga.
b6b90b68 2928
a0a0bdd7
AS		 2929- Fixed a bug in ipsec starter introduced by strongswan-2.8.5
2930 which caused a segmentation fault in the presence of unknown
2931 or misspelt keywords in ipsec.conf. This bug fix was contributed
2932 by Robert Varga.
2933
e3606f2b
MW		 2934- Partial support for MOBIKE in IKEv2. The initiator acts on interface/
2935 address configuration changes and updates IKE and IPsec SAs dynamically.
e93c68ba 2936
06651827 2937
a3354a69
AS		 2938strongswan-4.1.3
2939----------------
2940
b6b90b68 2941- IKEv2 peer configuration selection now can be based on a given
35d4809c
AS		 2942 certification authority using the rightca= statement.
2943
2944- IKEv2 authentication based on RSA signatures now can handle multiple
41e16cf4
AS		 2945 certificates issued for a given peer ID. This allows a smooth transition
2946 in the case of a peer certificate renewal.
a3354a69 2947
998ca0ea
MW		 2948- IKEv2: Support for requesting a specific virtual IP using leftsourceip on the
2949 client and returning requested virtual IPs using rightsourceip=%config
2950 on the server. If the server does not support configuration payloads, the
2951 client enforces its leftsourceip parameter.
2952
2953- The ./configure options --with-uid/--with-gid allow pluto and charon
2954 to drop their privileges to a minimum and change to an other UID/GID. This
2955 improves the systems security, as a possible intruder may only get the
2956 CAP_NET_ADMIN capability.
2957
b6b90b68 2958- Further modularization of charon: Pluggable control interface and
998ca0ea
MW		 2959 configuration backend modules provide extensibility. The control interface
2960 for stroke is included, and further interfaces using DBUS (NetworkManager)
2961 or XML are on the way. A backend for storing configurations in the daemon
b6b90b68 2962 is provided and more advanced backends (using e.g. a database) are trivial
998ca0ea 2963 to implement.
a3354a69 2964
53f8ac3d
TB		 2965- Fixed a compilation failure in libfreeswan occurring with Linux kernel
2966 headers > 2.6.17.
41e16cf4
AS		 2967
2968
8ea7b96f
AS		 2969strongswan-4.1.2
2970----------------
2971
e23d98a7 2972- Support for an additional Diffie-Hellman exchange when creating/rekeying
37fb0355
MW		 2973 a CHILD_SA in IKEv2 (PFS). PFS is enabled when the proposal contains a
2974 DH group (e.g. "esp=aes128-sha1-modp1536"). Further, DH group negotiation
2975 is implemented properly for rekeying.
2976
2977- Support for the AES-XCBC-96 MAC algorithm for IPsec SAs when using IKEv2
2978 (requires linux >= 2.6.20). It is enabled using e.g. "esp=aes256-aesxcbc".
2979
d931f465
MW		 2980- Working IPv4-in-IPv6 and IPv6-in-IPv4 tunnels for linux >= 2.6.21.
2981
37fb0355
MW		 2982- Added support for EAP modules which do not establish an MSK.
2983
dfbe2a0f 2984- Removed the dependencies from the /usr/include/linux/ headers by
9f78f957 2985 including xfrm.h, ipsec.h, and pfkeyv2.h in the distribution.
b6b90b68 2986
9f78f957
AS		 2987- crlNumber is now listed by ipsec listcrls
2988
8ea7b96f
AS		 2989- The xauth_modules.verify_secret() function now passes the
2990 connection name.
2991
e23d98a7 2992
ed284399
MW		 2993strongswan-4.1.1
2994----------------
2995
2996- Server side cookie support. If to may IKE_SAs are in CONNECTING state,
2997 cookies are enabled and protect against DoS attacks with faked source
2998 addresses. Number of IKE_SAs in CONNECTING state is also limited per
2999 peer address to avoid resource exhaustion. IKE_SA_INIT messages are
3000 compared to properly detect retransmissions and incoming retransmits are
3001 detected even if the IKE_SA is blocked (e.g. doing OCSP fetches).
3002
db88e37d
AS		 3003- The IKEv2 daemon charon now supports dynamic http- and ldap-based CRL
3004 fetching enabled by crlcheckinterval > 0 and caching fetched CRLs
3005 enabled by cachecrls=yes.
3006
3b4f7d92
AS		 3007- Added the configuration options --enable-nat-transport which enables
3008 the potentially insecure NAT traversal for IPsec transport mode and
3009 --disable-vendor-id which disables the sending of the strongSwan
3010 vendor ID.
3011
3012- Fixed a long-standing bug in the pluto IKEv1 daemon which caused
3013 a segmentation fault if a malformed payload was detected in the
3014 IKE MR2 message and pluto tried to send an encrypted notification
3015 message.
3016
46b9ff68
AS		 3017- Added the NATT_IETF_02_N Vendor ID in order to support IKEv1 connections
3018 with Windows 2003 Server which uses a wrong VID hash.
3019
3b4f7d92 3020
34bbd0c3 3021strongswan-4.1.0
cd3958f8
AS		 3022----------------
3023
3024- Support of SHA2_384 hash function for protecting IKEv1
3025 negotiations and support of SHA2 signatures in X.509 certificates.
3026
3027- Fixed a serious bug in the computation of the SHA2-512 HMAC
3028 function. Introduced automatic self-test of all IKEv1 hash
3029 and hmac functions during pluto startup. Failure of a self-test
3030 currently issues a warning only but does not exit pluto [yet].
3031
9b45443d
MW		 3032- Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2.
3033
c5d0fbb6 3034- Full support of CA information sections. ipsec listcainfos
b6b90b68 3035 now shows all collected crlDistributionPoints and OCSP
c5d0fbb6
AS		 3036 accessLocations.
3037
69ed04bf
AS		 3038- Support of the Online Certificate Status Protocol (OCSP) for IKEv2.
3039 This feature requires the HTTP fetching capabilities of the libcurl
3040 library which must be enabled by setting the --enable-http configure
3041 option.
3042
9b45443d
MW		 3043- Refactored core of the IKEv2 message processing code, allowing better
3044 code reuse and separation.
3045
3046- Virtual IP support in IKEv2 using INTERNAL_IP4/6_ADDRESS configuration
3047 payload. Additionally, the INTERNAL_IP4/6_DNS attribute is interpreted
3048 by the requestor and installed in a resolv.conf file.
3049
3050- The IKEv2 daemon charon installs a route for each IPsec policy to use
3051 the correct source address even if an application does not explicitly
3052 specify it.
3053
3054- Integrated the EAP framework into charon which loads pluggable EAP library
3055 modules. The ipsec.conf parameter authby=eap initiates EAP authentication
3056 on the client side, while the "eap" parameter on the server side defines
3057 the EAP method to use for client authentication.
3058 A generic client side EAP-Identity module and an EAP-SIM authentication
3059 module using a third party card reader implementation are included.
3060
3061- Added client side support for cookies.
3062
3063- Integrated the fixes done at the IKEv2 interoperability bakeoff, including
3064 strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor
3065 fixes to enhance interoperability with other implementations.
cd3958f8 3066
e23d98a7 3067
1c266d7d
AS		 3068strongswan-4.0.7
3069----------------
3070
6fdf5f44
AS		 3071- strongSwan now interoperates with the NCP Secure Entry Client,
3072 the Shrew Soft VPN Client, and the Cisco VPN client, doing both
3073 XAUTH and Mode Config.
1c266d7d
AS		 3074
3075- UNITY attributes are now recognized and UNITY_BANNER is set
3076 to a default string.
3077
3078
2b4405a3
MW		 3079strongswan-4.0.6
3080----------------
3081
e38a15d4
AS		 3082- IKEv1: Support for extended authentication (XAUTH) in combination
3083 with ISAKMP Main Mode RSA or PSK authentication. Both client and
3084 server side were implemented. Handling of user credentials can
3085 be done by a run-time loadable XAUTH module. By default user
b6b90b68
MW		 3086 credentials are stored in ipsec.secrets.
3087
2b4405a3
MW		 3088- IKEv2: Support for reauthentication when rekeying
3089
5903179b 3090- IKEv2: Support for transport mode
af87afed 3091
5903179b 3092- fixed a lot of bugs related to byte order
2b4405a3 3093
5903179b 3094- various other bugfixes
2b4405a3
MW		 3095
3096
0cd645d2
AS		 3097strongswan-4.0.5
3098----------------
3099
3100- IKEv1: Implementation of ModeConfig push mode via the new connection
3101 keyword modeconfig=push allows interoperability with Cisco VPN gateways.
3102
3103- IKEv1: The command ipsec statusall now shows "DPD active" for all
3104 ISAKMP SAs that are under active Dead Peer Detection control.
3105
3106- IKEv2: Charon's logging and debugging framework has been completely rewritten.
3107 Instead of logger, special printf() functions are used to directly
3108 print objects like hosts (%H) identifications (%D), certificates (%Q),
3109 etc. The number of debugging levels have been reduced to:
03bf883d 3110
0cd645d2 3111 0 (audit), 1 (control), 2 (controlmore), 3 (raw), 4 (private)
03bf883d 3112
0cd645d2
AS		 3113 The debugging levels can either be specified statically in ipsec.conf as
3114
3115 config setup
53f8ac3d 3116 charondebug="lib 1, cfg 3, net 2"
0cd645d2 3117
03bf883d 3118 or changed at runtime via stroke as
0cd645d2 3119
03bf883d 3120 ipsec stroke loglevel cfg 2
0cd645d2
AS		 3121
3122
48dc3934
MW		 3123strongswan-4.0.4
3124----------------
3125
3126- Implemented full support for IPv6-in-IPv6 tunnels.
3127
3128- Added configuration options for dead peer detection in IKEv2. dpd_action
3129 types "clear", "hold" and "restart" are supported. The dpd_timeout
3130 value is not used, as the normal retransmission policy applies to
3131 detect dead peers. The dpd_delay parameter enables sending of empty
3132 informational message to detect dead peers in case of inactivity.
3133
3134- Added support for preshared keys in IKEv2. PSK keys configured in
3135 ipsec.secrets are loaded. The authby parameter specifies the authentication
b3ab7a48 3136 method to authenticate ourself, the other peer may use PSK or RSA.
48dc3934
MW		 3137
3138- Changed retransmission policy to respect the keyingtries parameter.
3139
112ad7c3
AS		 3140- Added private key decryption. PEM keys encrypted with AES-128/192/256
3141 or 3DES are supported.
48dc3934
MW		 3142
3143- Implemented DES/3DES algorithms in libstrongswan. 3DES can be used to
3144 encrypt IKE traffic.
3145
3146- Implemented SHA-256/384/512 in libstrongswan, allows usage of certificates
3147 signed with such a hash algorithm.
3148
3149- Added initial support for updown scripts. The actions up-host/client and
3150 down-host/client are executed. The leftfirewall=yes parameter
3151 uses the default updown script to insert dynamic firewall rules, a custom
3152 updown script may be specified with the leftupdown parameter.
3153
3154
a1310b6b
MW		 3155strongswan-4.0.3
3156----------------
3157
3158- Added support for the auto=route ipsec.conf parameter and the
b6b90b68
MW		 3159 ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and
3160 CHILD_SAs dynamically on demand when traffic is detected by the
a1310b6b
MW		 3161 kernel.
3162
3163- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter.
3164 As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only
3165 new keys are generated using perfect forward secrecy. An optional flag
3166 which enforces reauthentication will be implemented later.
3167
b425d998
AS		 3168- "sha" and "sha1" are now treated as synonyms in the ike= and esp=
3169 algorithm configuration statements.
3170
3171
bf4df11f
AS		 3172strongswan-4.0.2
3173----------------
3174
623d3dcf
AS		 3175- Full X.509 certificate trust chain verification has been implemented.
3176 End entity certificates can be exchanged via CERT payloads. The current
3177 default is leftsendcert=always, since CERTREQ payloads are not supported
3178 yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls.
efa40c11 3179
b6b90b68 3180- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2
efa40c11 3181 would offer more possibilities for traffic selection, but the Linux kernel
b6b90b68 3182 currently does not support it. That's why we stick with these simple
efa40c11
MW		 3183 ipsec.conf rules for now.
3184
623d3dcf
AS		 3185- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
3186 IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
3187 dpddelay=60s).
3188
efa40c11
MW		 3189- Initial NAT traversal support in IKEv2. Charon includes NAT detection
3190 notify payloads to detect NAT routers between the peers. It switches
3191 to port 4500, uses UDP encapsulated ESP packets, handles peer address
3192 changes gracefully and sends keep alive message periodically.
3193
b6b90b68
MW		 3194- Reimplemented IKE_SA state machine for charon, which allows simultaneous
3195 rekeying, more shared code, cleaner design, proper retransmission
efa40c11
MW		 3196 and a more extensible code base.
3197
cfd8b27f
AS		 3198- The mixed PSK/RSA roadwarrior detection capability introduced by the
3199 strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal
3200 payloads by the responder right before any defined IKE Main Mode state had
3201 been established. Although any form of bad proposal syntax was being correctly
3202 detected by the payload parser, the subsequent error handler didn't check
3203 the state pointer before logging current state information, causing an
3204 immediate crash of the pluto keying daemon due to a NULL pointer.
3205
bf4df11f 3206
7e81e975
MW		 3207strongswan-4.0.1
3208----------------
3209
b6b90b68 3210- Added algorithm selection to charon: New default algorithms for
c15c3d4b
MW		 3211 ike=aes128-sha-modp2048, as both daemons support it. The default
3212 for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles
3213 the ike/esp parameter the same way as pluto. As this syntax does
b6b90b68 3214 not allow specification of a pseudo random function, the same
c15c3d4b
MW		 3215 algorithm as for integrity is used (currently sha/md5). Supported
3216 algorithms for IKE:
3217 Encryption: aes128, aes192, aes256
3218 Integrity/PRF: md5, sha (using hmac)
3219 DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192
3220 and for ESP:
b6b90b68 3221 Encryption: aes128, aes192, aes256, 3des, blowfish128,
c15c3d4b
MW		 3222 blowfish192, blowfish256
3223 Integrity: md5, sha1
3224 More IKE encryption algorithms will come after porting libcrypto into
b6b90b68 3225 libstrongswan.
f2c2d395 3226
c15c3d4b
MW		 3227- initial support for rekeying CHILD_SAs using IKEv2. Currently no
3228 perfect forward secrecy is used. The rekeying parameters rekey,
22ff6f57 3229 rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported
c15c3d4b
MW		 3230 when using IKEv2. WARNING: charon currently is unable to handle
3231 simultaneous rekeying. To avoid such a situation, use a large
3232 rekeyfuzz, or even better, set rekey=no on one peer.
22ff6f57 3233
7e81e975
MW		 3234- support for host2host, net2net, host2net (roadwarrior) tunnels
3235 using predefined RSA certificates (see uml scenarios for
3236 configuration examples).
3237
f2c2d395
MW		 3238- new build environment featuring autotools. Features such
3239 as HTTP, LDAP and smartcard support may be enabled using
b6b90b68 3240 the ./configure script. Changing install directories
f2c2d395
MW		 3241 is possible, too. See ./configure --help for more details.
3242
22ff6f57
MW		 3243- better integration of charon with ipsec starter, which allows
3244 (almost) transparent operation with both daemons. charon
3245 handles ipsec commands up, down, status, statusall, listall,
3246 listcerts and allows proper load, reload and delete of connections
3247 via ipsec starter.
3248
b425d998 3249
9820c0e2
MW		 3250strongswan-4.0.0
3251----------------
3252
3253- initial support of the IKEv2 protocol. Connections in
b6b90b68 3254 ipsec.conf designated by keyexchange=ikev2 are negotiated
9820c0e2
MW		 3255 by the new IKEv2 charon keying daemon whereas those marked
3256 by keyexchange=ikev1 or the default keyexchange=ike are
3257 handled thy the IKEv1 pluto keying daemon. Currently only
3258 a limited subset of functions are available with IKEv2
3259 (Default AES encryption, authentication based on locally
3260 imported X.509 certificates, unencrypted private RSA keys
3261 in PKCS#1 file format, limited functionality of the ipsec
3262 status command).
3263
3264
997358a6
MW		 3265strongswan-2.7.0
3266----------------
3267
3268- the dynamic iptables rules from the _updown_x509 template
3269 for KLIPS and the _updown_policy template for NETKEY have
3270 been merged into the default _updown script. The existing
3271 left|rightfirewall keyword causes the automatic insertion
3272 and deletion of ACCEPT rules for tunneled traffic upon
3273 the successful setup and teardown of an IPsec SA, respectively.
b3ab7a48 3274 left|rightfirewall can be used with KLIPS under any Linux 2.4
997358a6 3275 kernel or with NETKEY under a Linux kernel version >= 2.6.16
f3bb1bd0 3276 in conjunction with iptables >= 1.3.5. For NETKEY under a Linux
997358a6
MW		 3277 kernel version < 2.6.16 which does not support IPsec policy
3278 matching yet, please continue to use a copy of the _updown_espmark
3279 template loaded via the left|rightupdown keyword.
3280
3281- a new left|righthostaccess keyword has been introduced which
3282 can be used in conjunction with left|rightfirewall and the
3283 default _updown script. By default leftfirewall=yes inserts
3284 a bi-directional iptables FORWARD rule for a local client network
3285 with a netmask different from 255.255.255.255 (single host).
3286 This does not allow to access the VPN gateway host via its
3287 internal network interface which is part of the client subnet
3288 because an iptables INPUT and OUTPUT rule would be required.
3289 lefthostaccess=yes will cause this additional ACCEPT rules to
b6b90b68 3290 be inserted.
997358a6
MW		 3291
3292- mixed PSK|RSA roadwarriors are now supported. The ISAKMP proposal
3293 payload is preparsed in order to find out whether the roadwarrior
3294 requests PSK or RSA so that a matching connection candidate can
3295 be found.
3296
3297
3298strongswan-2.6.4
3299----------------
3300
3301- the new _updown_policy template allows ipsec policy based
3302 iptables firewall rules. Required are iptables version
3303 >= 1.3.5 and linux kernel >= 2.6.16. This script obsoletes
b6b90b68 3304 the _updown_espmark template, so that no INPUT mangle rules
997358a6
MW		 3305 are required any more.
3306
3307- added support of DPD restart mode
3308
3309- ipsec starter now allows the use of wildcards in include
3310 statements as e.g. in "include /etc/my_ipsec/*.conf".
3311 Patch courtesy of Matthias Haas.
3312
3313- the Netscape OID 'employeeNumber' is now recognized and can be
3314 used as a Relative Distinguished Name in certificates.
3315
3316
3317strongswan-2.6.3
3318----------------
3319
b6b90b68 3320- /etc/init.d/ipsec or /etc/rc.d/ipsec is now a copy of the ipsec
997358a6
MW		 3321 command and not of ipsec setup any more.
3322
3323- ipsec starter now supports AH authentication in conjunction with
3324 ESP encryption. AH authentication is configured in ipsec.conf
3325 via the auth=ah parameter.
b6b90b68 3326
997358a6
MW		 3327- The command ipsec scencrypt|scdecrypt <args> is now an alias for
3328 ipsec whack --scencrypt|scdecrypt <args>.
3329
3330- get_sa_info() now determines for the native netkey IPsec stack
3331 the exact time of the last use of an active eroute. This information
3332 is used by the Dead Peer Detection algorithm and is also displayed by
3333 the ipsec status command.
b6b90b68 3334
997358a6
MW		 3335
3336strongswan-2.6.2
3337----------------
3338
3339- running under the native Linux 2.6 IPsec stack, the function
3340 get_sa_info() is called by ipsec auto --status to display the current
3341 number of transmitted bytes per IPsec SA.
3342
3343- get_sa_info() is also used by the Dead Peer Detection process to detect
3344 recent ESP activity. If ESP traffic was received from the peer within
3345 the last dpd_delay interval then no R_Y_THERE notification must be sent.
3346
3347- strongSwan now supports the Relative Distinguished Name "unstructuredName"
3348 in ID_DER_ASN1_DN identities. The following notations are possible:
3349
3350 rightid="unstructuredName=John Doe"
3351 rightid="UN=John Doe"
3352
3353- fixed a long-standing bug which caused PSK-based roadwarrior connections
3354 to segfault in the function id.c:same_id() called by keys.c:get_secret()
3355 if an FQDN, USER_FQDN, or Key ID was defined, as in the following example.
3356
3357 conn rw
53f8ac3d
TB		 3358 right=%any
3359 rightid=@foo.bar
3360 authby=secret
997358a6
MW		 3361
3362- the ipsec command now supports most ipsec auto commands (e.g. ipsec listall).
3363
3364- ipsec starter didn't set host_addr and client.addr ports in whack msg.
3365
3366- in order to guarantee backwards-compatibility with the script-based
3367 auto function (e.g. auto --replace), the ipsec starter scripts stores
3368 the defaultroute information in the temporary file /var/run/ipsec.info.
3369
3370- The compile-time option USE_XAUTH_VID enables the sending of the XAUTH
3371 Vendor ID which is expected by Cisco PIX 7 boxes that act as IKE Mode Config
3372 servers.
3373
3374- the ipsec starter now also recognizes the parameters authby=never and
3375 type=passthrough|pass|drop|reject.
3376
3377
3378strongswan-2.6.1
3379----------------
3380
3381- ipsec starter now supports the also parameter which allows
3382 a modular structure of the connection definitions. Thus
3383 "ipsec start" is now ready to replace "ipsec setup".
3384
3385
3386strongswan-2.6.0
3387----------------
3388
3389- Mathieu Lafon's popular ipsec starter tool has been added to the
3390 strongSwan distribution. Many thanks go to Stephan Scholz from astaro
3391 for his integration work. ipsec starter is a C program which is going
3392 to replace the various shell and awk starter scripts (setup, _plutoload,
3393 _plutostart, _realsetup, _startklips, _confread, and auto). Since
3394 ipsec.conf is now parsed only once, the starting of multiple tunnels is
b3ab7a48 3395 accelerated tremendously.
997358a6
MW		 3396
3397- Added support of %defaultroute to the ipsec starter. If the IP address
b6b90b68 3398 changes, a HUP signal to the ipsec starter will automatically
997358a6
MW		 3399 reload pluto's connections.
3400
3401- moved most compile time configurations from pluto/Makefile to
3402 Makefile.inc by defining the options USE_LIBCURL, USE_LDAP,
3403 USE_SMARTCARD, and USE_NAT_TRAVERSAL_TRANSPORT_MODE.
3404
3405- removed the ipsec verify and ipsec newhostkey commands
3406
3407- fixed some 64-bit issues in formatted print statements
3408
3409- The scepclient functionality implementing the Simple Certificate
3410 Enrollment Protocol (SCEP) is nearly complete but hasn't been
3411 documented yet.
3412
3413
3414strongswan-2.5.7
3415----------------
3416
2db6d5b8 3417- CA certificates are now automatically loaded from a smartcard
997358a6
MW		 3418 or USB crypto token and appear in the ipsec auto --listcacerts
3419 listing.
3420
3421
3422strongswan-2.5.6
3423----------------
3424
3425- when using "ipsec whack --scencrypt <data>" with a PKCS#11
3426 library that does not support the C_Encrypt() Cryptoki
3427 function (e.g. OpenSC), the RSA encryption is done in
3428 software using the public key fetched from the smartcard.
3429
b6b90b68 3430- The scepclient function now allows to define the
997358a6
MW		 3431 validity of a self-signed certificate using the --days,
3432 --startdate, and --enddate options. The default validity
3433 has been changed from one year to five years.
3434
3435
3436strongswan-2.5.5
3437----------------
3438
3439- the config setup parameter pkcs11proxy=yes opens pluto's PKCS#11
3440 interface to other applications for RSA encryption and decryption
3441 via the whack interface. Notation:
3442
3443 ipsec whack --scencrypt <data>
3444 [--inbase 16|hex|64|base64|256|text|ascii]
3445 [--outbase 16|hex|64|base64|256|text|ascii]
3446 [--keyid <keyid>]
3447
3448 ipsec whack --scdecrypt <data>
3449 [--inbase 16|hex|64|base64|256|text|ascii]
3450 [--outbase 16|hex|64|base64|256|text|ascii]
3451 [--keyid <keyid>]
3452
b6b90b68 3453 The default setting for inbase and outbase is hex.
997358a6
MW		 3454
3455 The new proxy interface can be used for securing symmetric
3456 encryption keys required by the cryptoloop or dm-crypt
3457 disk encryption schemes, especially in the case when
3458 pkcs11keepstate=yes causes pluto to lock the pkcs11 slot
3459 permanently.
3460
3461- if the file /etc/ipsec.secrets is lacking during the startup of
3462 pluto then the root-readable file /etc/ipsec.d/private/myKey.der
3463 containing a 2048 bit RSA private key and a matching self-signed
3464 certificate stored in the file /etc/ipsec.d/certs/selfCert.der
3465 is automatically generated by calling the function
3466
3467 ipsec scepclient --out pkcs1 --out cert-self
3468
3469 scepclient was written by Jan Hutter and Martin Willi, students
3470 at the University of Applied Sciences in Rapperswil, Switzerland.
3471
3472
3473strongswan-2.5.4
3474----------------
3475
3476- the current extension of the PKCS#7 framework introduced
3477 a parsing error in PKCS#7 wrapped X.509 certificates that are
3478 e.g. transmitted by Windows XP when multi-level CAs are used.
3479 the parsing syntax has been fixed.
3480
3481- added a patch by Gerald Richter which tolerates multiple occurrences
3482 of the ipsec0 interface when using KLIPS.
3483
3484
3485strongswan-2.5.3
3486----------------
3487
3488- with gawk-3.1.4 the word "default2 has become a protected
3489 keyword for use in switch statements and cannot be used any
3490 more in the strongSwan scripts. This problem has been
3491 solved by renaming "default" to "defaults" and "setdefault"
3492 in the scripts _confread and auto, respectively.
3493
3494- introduced the parameter leftsendcert with the values
3495
3496 always|yes (the default, always send a cert)
3497 ifasked (send the cert only upon a cert request)
3498 never|no (never send a cert, used for raw RSA keys and
b6b90b68 3499 self-signed certs)
997358a6
MW		 3500
3501- fixed the initialization of the ESP key length to a default of
3502 128 bits in the case that the peer does not send a key length
53f8ac3d 3503 attribute for AES encryption.
997358a6
MW		 3504
3505- applied Herbert Xu's uniqueIDs patch
3506
3507- applied Herbert Xu's CLOEXEC patches
3508
3509
3510strongswan-2.5.2
3511----------------
3512
3513- CRLs can now be cached also in the case when the issuer's
3514 certificate does not contain a subjectKeyIdentifier field.
3515 In that case the subjectKeyIdentifier is computed by pluto as the
3516 160 bit SHA-1 hash of the issuer's public key in compliance
3517 with section 4.2.1.2 of RFC 3280.
3518
3519- Fixed a bug introduced by strongswan-2.5.1 which eliminated
3520 not only multiple Quick Modes of a given connection but also
3521 multiple connections between two security gateways.
3522
3523
3524strongswan-2.5.1
3525----------------
3526
3527- Under the native IPsec of the Linux 2.6 kernel, a %trap eroute
3528 installed either by setting auto=route in ipsec.conf or by
b3ab7a48 3529 a connection put into hold, generates an XFRM_ACQUIRE event
2db6d5b8 3530 for each packet that wants to use the not-yet existing
b3ab7a48 3531 tunnel. Up to now each XFRM_ACQUIRE event led to an entry in
997358a6
MW		 3532 the Quick Mode queue, causing multiple IPsec SA to be
3533 established in rapid succession. Starting with strongswan-2.5.1
3534 only a single IPsec SA is established per host-pair connection.
3535
3536- Right after loading the PKCS#11 module, all smartcard slots are
3537 searched for certificates. The result can be viewed using
3538 the command
3539
3540 ipsec auto --listcards
3541
3542 The certificate objects found in the slots are numbered
3543 starting with #1, #2, etc. This position number can be used to address
3544 certificates (leftcert=%smartcard) and keys (: PIN %smartcard)
3545 in ipsec.conf and ipsec.secrets, respectively:
3546
3547 %smartcard (selects object #1)
3548 %smartcard#1 (selects object #1)
3549 %smartcard#3 (selects object #3)
3550
3551 As an alternative the existing retrieval scheme can be used:
3552
3553 %smartcard:45 (selects object with id=45)
3554 %smartcard0 (selects first object in slot 0)
3555 %smartcard4:45 (selects object in slot 4 with id=45)
3556
3557- Depending on the settings of CKA_SIGN and CKA_DECRYPT
3558 private key flags either C_Sign() or C_Decrypt() is used
3559 to generate a signature.
3560
3561- The output buffer length parameter siglen in C_Sign()
3562 is now initialized to the actual size of the output
3563 buffer prior to the function call. This fixes the
3564 CKR_BUFFER_TOO_SMALL error that could occur when using
3565 the OpenSC PKCS#11 module.
3566
3567- Changed the initialization of the PKCS#11 CK_MECHANISM in
3568 C_SignInit() to mech = { CKM_RSA_PKCS, NULL_PTR, 0 }.
3569
3570- Refactored the RSA public/private key code and transferred it
3571 from keys.c to the new pkcs1.c file as a preparatory step
3572 towards the release of the SCEP client.
3573
3574
3575strongswan-2.5.0
3576----------------
3577
3578- The loading of a PKCS#11 smartcard library module during
3579 runtime does not require OpenSC library functions any more
3580 because the corresponding code has been integrated into
3581 smartcard.c. Also the RSAREF pkcs11 header files have been
3582 included in a newly created pluto/rsaref directory so that
3583 no external include path has to be defined any longer.
3584
3585- A long-awaited feature has been implemented at last:
3586 The local caching of CRLs fetched via HTTP or LDAP, activated
3587 by the parameter cachecrls=yes in the config setup section
3588 of ipsec.conf. The dynamically fetched CRLs are stored under
3589 a unique file name containing the issuer's subjectKeyID
3590 in /etc/ipsec.d/crls.
b6b90b68 3591
997358a6
MW		 3592- Applied a one-line patch courtesy of Michael Richardson
3593 from the Openswan project which fixes the kernel-oops
3594 in KLIPS when an snmp daemon is running on the same box.
3595
3596
3597strongswan-2.4.4
3598----------------
3599
3600- Eliminated null length CRL distribution point strings.
3601
3602- Fixed a trust path evaluation bug introduced with 2.4.3
3603
3604
3605strongswan-2.4.3
3606----------------
3607
3608- Improved the joint OCSP / CRL revocation policy.
3609 OCSP responses have precedence over CRL entries.
3610
3611- Introduced support of CRLv2 reason codes.
3612
3613- Fixed a bug with key-pad equipped readers which caused
3614 pluto to prompt for the pin via the console when the first
3615 occasion to enter the pin via the key-pad was missed.
3616
3617- When pluto is built with LDAP_V3 enabled, the library
3618 liblber required by newer versions of openldap is now
3619 included.
3620
3621
3622strongswan-2.4.2
3623----------------
3624
3625- Added the _updown_espmark template which requires all
3626 incoming ESP traffic to be marked with a default mark
3627 value of 50.
b6b90b68 3628
997358a6
MW		 3629- Introduced the pkcs11keepstate parameter in the config setup
3630 section of ipsec.conf. With pkcs11keepstate=yes the PKCS#11
b6b90b68 3631 session and login states are kept as long as possible during
997358a6
MW		 3632 the lifetime of pluto. This means that a PIN entry via a key
3633 pad has to be done only once.
3634
3635- Introduced the pkcs11module parameter in the config setup
3636 section of ipsec.conf which specifies the PKCS#11 module
3637 to be used with smart cards. Example:
b6b90b68 3638
997358a6 3639 pkcs11module=/usr/lib/pkcs11/opensc-pkcs11.lo
b6b90b68 3640
997358a6
MW		 3641- Added support of smartcard readers equipped with a PIN pad.
3642
3643- Added patch by Jay Pfeifer which detects when netkey
3644 modules have been statically built into the Linux 2.6 kernel.
3645
3646- Added two patches by Herbert Xu. The first uses ip xfrm
3647 instead of setkey to flush the IPsec policy database. The
3648 second sets the optional flag in inbound IPComp SAs only.
b6b90b68 3649
997358a6
MW		 3650- Applied Ulrich Weber's patch which fixes an interoperability
3651 problem between native IPsec and KLIPS systems caused by
3652 setting the replay window to 32 instead of 0 for ipcomp.
3653
3654
3655strongswan-2.4.1
3656----------------
3657
3658- Fixed a bug which caused an unwanted Mode Config request
3659 to be initiated in the case where "right" was used to denote
3660 the local side in ipsec.conf and "left" the remote side,
3661 contrary to the recommendation that "right" be remote and
3662 "left" be"local".
3663
3664
3665strongswan-2.4.0a
3666-----------------
3667
3668- updated Vendor ID to strongSwan-2.4.0
3669
3670- updated copyright statement to include David Buechi and
3671 Michael Meier
b6b90b68
MW		 3672
3673
997358a6
MW		 3674strongswan-2.4.0
3675----------------
3676
3677- strongSwan now communicates with attached smartcards and
3678 USB crypto tokens via the standardized PKCS #11 interface.
3679 By default the OpenSC library from www.opensc.org is used
3680 but any other PKCS#11 library could be dynamically linked.
3681 strongSwan's PKCS#11 API was implemented by David Buechi
3682 and Michael Meier, both graduates of the Zurich University
3683 of Applied Sciences in Winterthur, Switzerland.
3684
3685- When a %trap eroute is triggered by an outgoing IP packet
3686 then the native IPsec stack of the Linux 2.6 kernel [often/
3687 always?] returns an XFRM_ACQUIRE message with an undefined
3688 protocol family field and the connection setup fails.
3689 As a workaround IPv4 (AF_INET) is now assumed.
b6b90b68
MW		 3690
3691- the results of the UML test scenarios are now enhanced
997358a6 3692 with block diagrams of the virtual network topology used
b6b90b68 3693 in a particular test.
997358a6
MW		 3694
3695
3696strongswan-2.3.2
3697----------------
3698
3699- fixed IV used to decrypt informational messages.
3700 This bug was introduced with Mode Config functionality.
b6b90b68 3701
997358a6
MW		 3702- fixed NCP Vendor ID.
3703
3704- undid one of Ulrich Weber's maximum udp size patches
3705 because it caused a segmentation fault with NAT-ed
3706 Delete SA messages.
b6b90b68 3707
997358a6
MW		 3708- added UML scenarios wildcards and attr-cert which
3709 demonstrate the implementation of IPsec policies based
3710 on wildcard parameters contained in Distinguished Names and
3711 on X.509 attribute certificates, respectively.
3712
3713
3714strongswan-2.3.1
3715----------------
3716
3717- Added basic Mode Config functionality
3718
3719- Added Mathieu Lafon's patch which upgrades the status of
3720 the NAT-Traversal implementation to RFC 3947.
b6b90b68 3721
997358a6
MW		 3722- The _startklips script now also loads the xfrm4_tunnel
3723 module.
b6b90b68 3724
997358a6
MW		 3725- Added Ulrich Weber's netlink replay window size and
3726 maximum udp size patches.
3727
3728- UML testing now uses the Linux 2.6.10 UML kernel by default.
b6b90b68 3729
997358a6
MW		 3730
3731strongswan-2.3.0
3732----------------
3733
3734- Eric Marchionni and Patrik Rayo, both recent graduates from
3735 the Zuercher Hochschule Winterthur in Switzerland, created a
3736 User-Mode-Linux test setup for strongSwan. For more details
3737 please read the INSTALL and README documents in the testing
3738 subdirectory.
3739
3740- Full support of group attributes based on X.509 attribute
b6b90b68 3741 certificates. Attribute certificates can be generated
997358a6 3742 using the openac facility. For more details see
b6b90b68 3743
997358a6 3744 man ipsec_openac.
b6b90b68 3745
997358a6
MW		 3746 The group attributes can be used in connection definitions
3747 in order to give IPsec access to specific user groups.
3748 This is done with the new parameter left|rightgroups as in
b6b90b68 3749
997358a6
MW		 3750 rightgroups="Research, Sales"
3751
3752 giving access to users possessing the group attributes
3753 Research or Sales, only.
3754
3755- In Quick Mode clients with subnet mask /32 are now
b6b90b68 3756 coded as IP_V4_ADDRESS or IP_V6_ADDRESS. This should
997358a6
MW		 3757 fix rekeying problems with the SafeNet/SoftRemote and NCP
3758 Secure Entry Clients.
3759
3760- Changed the defaults of the ikelifetime and keylife parameters
3761 to 3h and 1h, respectively. The maximum allowable values are
3762 now both set to 24 h.
3763
3764- Suppressed notification wars between two IPsec peers that
3765 could e.g. be triggered by incorrect ISAKMP encryption.
3766
3767- Public RSA keys can now have identical IDs if either the
3768 issuing CA or the serial number is different. The serial
3769 number of a certificate is now shown by the command
b6b90b68 3770
997358a6
MW		 3771 ipsec auto --listpubkeys
3772
3773
3774strongswan-2.2.2
3775----------------
3776
3777- Added Tuomo Soini's sourceip feature which allows a strongSwan
3778 roadwarrior to use a fixed Virtual IP (see README section 2.6)
3779 and reduces the well-known four tunnel case on VPN gateways to
3780 a single tunnel definition (see README section 2.4).
3781
f3bb1bd0 3782- Fixed a bug occurring with NAT-Traversal enabled when the responder
997358a6
MW		 3783 suddenly turns initiator and the initiator cannot find a matching
3784 connection because of the floated IKE port 4500.
b6b90b68 3785
997358a6
MW		 3786- Removed misleading ipsec verify command from barf.
3787
3788- Running under the native IP stack, ipsec --version now shows
3789 the Linux kernel version (courtesy to the Openswan project).
3790
3791
3792strongswan-2.2.1
3793----------------
3794
3795- Introduced the ipsec auto --listalgs monitoring command which lists
3796 all currently registered IKE and ESP algorithms.
3797
f3bb1bd0 3798- Fixed a bug in the ESP algorithm selection occurring when the strict flag
997358a6 3799 is set and the first proposed transform does not match.
b6b90b68 3800
997358a6 3801- Fixed another deadlock in the use of the lock_certs_and_keys() mutex,
f3bb1bd0 3802 occurring when a smartcard is present.
997358a6
MW		 3803
3804- Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event.
b6b90b68 3805
997358a6
MW		 3806- Fixed the printing of the notification names (null)
3807
3808- Applied another of Herbert Xu's Netlink patches.
3809
3810
3811strongswan-2.2.0
3812----------------
3813
3814- Support of Dead Peer Detection. The connection parameter
3815
3816 dpdaction=clear|hold
b6b90b68 3817
997358a6
MW		 3818 activates DPD for the given connection.
3819
3820- The default Opportunistic Encryption (OE) policy groups are not
3821 automatically included anymore. Those wishing to activate OE can include
3822 the policy group with the following statement in ipsec.conf:
b6b90b68 3823
997358a6 3824 include /etc/ipsec.d/examples/oe.conf
b6b90b68 3825
997358a6
MW		 3826 The default for [right|left]rsasigkey is now set to %cert.
3827
3828- strongSwan now has a Vendor ID of its own which can be activated
3829 using the compile option VENDORID
3830
3831- Applied Herbert Xu's patch which sets the compression algorithm correctly.
3832
3833- Applied Herbert Xu's patch fixing an ESPINUDP problem
3834
3835- Applied Herbert Xu's patch setting source/destination port numbers.
3836
3837- Reapplied one of Herbert Xu's NAT-Traversal patches which got
3838 lost during the migration from SuperFreeS/WAN.
b6b90b68 3839
997358a6
MW		 3840- Fixed a deadlock in the use of the lock_certs_and_keys() mutex.
3841
3842- Fixed the unsharing of alg parameters when instantiating group
3843 connection.
b6b90b68 3844
997358a6
MW		 3845
3846strongswan-2.1.5
3847----------------
3848
3849- Thomas Walpuski made me aware of a potential DoS attack via
3850 a PKCS#7-wrapped certificate bundle which could overwrite valid CA
3851 certificates in Pluto's authority certificate store. This vulnerability
3852 was fixed by establishing trust in CA candidate certificates up to a
3853 trusted root CA prior to insertion into Pluto's chained list.
3854
3855- replaced the --assign option by the -v option in the auto awk script
3856 in order to make it run with mawk under debian/woody.
3857
3858
3859strongswan-2.1.4
3860----------------
3861
3862- Split of the status information between ipsec auto --status (concise)
3863 and ipsec auto --statusall (verbose). Both commands can be used with
3864 an optional connection selector:
3865
3866 ipsec auto --status[all] <connection_name>
3867
3868- Added the description of X.509 related features to the ipsec_auto(8)
3869 man page.
3870
3871- Hardened the ASN.1 parser in debug mode, especially the printing
3872 of malformed distinguished names.
3873
3874- The size of an RSA public key received in a certificate is now restricted to
3875
3876 512 bits <= modulus length <= 8192 bits.
3877
3878- Fixed the debug mode enumeration.
3879
3880
3881strongswan-2.1.3
3882----------------
3883
3884- Fixed another PKCS#7 vulnerability which could lead to an
3885 endless loop while following the X.509 trust chain.
b6b90b68 3886
997358a6
MW		 3887
3888strongswan-2.1.2
3889----------------
3890
3891- Fixed the PKCS#7 vulnerability discovered by Thomas Walpuski
3892 that accepted end certificates having identical issuer and subject
3893 distinguished names in a multi-tier X.509 trust chain.
b6b90b68 3894
997358a6
MW		 3895
3896strongswan-2.1.1
3897----------------
3898
3899- Removed all remaining references to ipsec_netlink.h in KLIPS.
3900
3901
3902strongswan-2.1.0
3903----------------
3904
3905- The new "ca" section allows to define the following parameters:
3906
3907 ca kool
53f8ac3d
TB		 3908 cacert=koolCA.pem # cacert of kool CA
3909 ocspuri=http://ocsp.kool.net:8001 # ocsp server
3910 ldapserver=ldap.kool.net # default ldap server
3911 crluri=http://www.kool.net/kool.crl # crl distribution point
3912 crluri2="ldap:///O=Kool, C= .." # crl distribution point #2
3913 auto=add # add, ignore
b6b90b68 3914
997358a6 3915 The ca definitions can be monitored via the command
b6b90b68 3916
53f8ac3d 3917 ipsec auto --listcainfos
997358a6
MW		 3918
3919- Fixed cosmetic corruption of /proc filesystem by integrating
3920 D. Hugh Redelmeier's freeswan-2.06 kernel fixes.
3921
3922
3923strongswan-2.0.2
3924----------------
3925
3926- Added support for the 818043 NAT-Traversal update of Microsoft's
3927 Windows 2000/XP IPsec client which sends an ID_FQDN during Quick Mode.
b6b90b68
MW		 3928
3929- A symbolic link to libcrypto is now added in the kernel sources
997358a6 3930 during kernel compilation
b6b90b68 3931
997358a6
MW		 3932- Fixed a couple of 64 bit issues (mostly casts to int).
3933 Thanks to Ken Bantoft who checked my sources on a 64 bit platform.
3934
3935- Replaced s[n]printf() statements in the kernel by ipsec_snprintf().
3936 Credits go to D. Hugh Redelmeier, Michael Richardson, and Sam Sgro
3937 of the FreeS/WAN team who solved this problem with the 2.4.25 kernel.
3938
3939
3940strongswan-2.0.1
3941----------------
3942
3943- an empty ASN.1 SEQUENCE OF or SET OF object (e.g. a subjectAltName
3944 certificate extension which contains no generalName item) can cause
3945 a pluto crash. This bug has been fixed. Additionally the ASN.1 parser has
3946 been hardened to make it more robust against malformed ASN.1 objects.
3947
3948- applied Herbert Xu's NAT-T patches which fixes NAT-T under the native
3949 Linux 2.6 IPsec stack.
b6b90b68
MW		 3950
3951
997358a6
MW		 3952strongswan-2.0.0
3953----------------
3954
3955- based on freeswan-2.04, x509-1.5.3, nat-0.6c, alg-0.8.1rc12
Unnamed repository; edit this file 'description' to name the repository.