From: Tobias Brunner Date: Fri, 26 May 2017 16:33:12 +0000 (+0200) Subject: NEWS: Added some news X-Git-Tag: 5.5.3~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=85ee4107c5375a870f7b46f55eb85547ad108b87;p=thirdparty%2Fstrongswan.git NEWS: Added some news --- diff --git a/NEWS b/NEWS index 51b1bad8db..a049ab6074 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,46 @@ strongswan-5.5.3 ---------------- +- The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid + traffic loss. The responder now only installs the new inbound SA and delays + installing the outbound SA until it receives the DELETE for the replaced + CHILD_SA. Similarly, the inbound SA of the replaced CHILD_SA is not removed + for a configurable amount of seconds (charon.delete_rekeyed_delay) after the + DELETE has been processed to reduce the chance of dropping delayed packets. + +- The code base has been ported to Apple's ARM64 iOS platform, whose calling + conventions for variadic and regular functions are different. This means + assigning non-variadic functions to variadic function pointers does not work. + To avoid this issue the enumerator_t interface has been changed and the + signatures of the callback functions for enumerator_create_filter(), and the + invoke_function() and find_first() methods on linked_list_t have been changed. + The return type of find_first() also changed from status_t to bool. + +- Added support for fuzzing the certificate parser provided by the default + plugins (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure. Several + issues found while fuzzing these plugins were fixed. + +- Two new options have been added to charon's retransmission settings: + retransmit_limit and retransmit_jitter. The former adds an upper limit to the + calculated retransmission timeout, the latter randomly reduces it. + +- A bug in swanctl's --load-creds command was fixed that caused unencrypted + private keys to get unloaded if the command was called multiple times. The + load-key VICI command now returns the key ID of the loaded key on success. + +- The credential manager now enumerates local credential sets before global + ones. This means certificates supplied by the peer will now be preferred over + certificates with the same identity that may be locally stored (e.g. in the + certificate cache). 
+ +- Added support for hardware offload of IPsec SAs as introduced by Linux 4.11 + for hardware that supports this. + +- When building the libraries monolithically and statically the plugin + constructors are now hard-coded in each library so the plugin code is not + removed by the linker because it thinks none of their symbols are ever + referenced. + - The pki tool loads the curve25519 plugin by default.
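Review bot: the entry about enumerator_t and linked_list_t (enumerator_create_filter(), invoke_function(), find_first(), and find_first() now returning bool instead of status_t) describes a source-incompatible API change but never says so; it should state plainly that existing callback implementations and callers checking the old status_t result will need updating, and point to where the new signatures are documented, so out-of-tree plugin authors reading NEWS are not surprised at build time. In the same spirit, the rekeying entry names charon.delete_rekeyed_delay as configurable but gives no default; a reader judging whether the delayed removal of the replaced inbound SA affects them needs that value in the entry itself.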