Annotation of embedaddon/strongswan/NEWS, revision 1.1.1.1
1.1 misho 1: strongswan-5.8.4
2: ----------------
3:
4: - In IKEv1 Quick Mode make sure that a proposal exists before determining
5: lifetimes (fixes crash due to null pointer exception).
6:
7: - OpenSSL currently doesn't support squeezing bytes out of a SHAKE128/256
8: XOF (eXtended Output Function) multiple times. Unfortunately,
9: EVP_DigestFinalXOF() completely resets the context and later calls not
10: simply fail, they cause a null-pointer dereference in libcrypto. This
11: fixes the crash at the cost of repeating initializing the whole state
12: and allocating too much data for subsequent calls.
13:
14:
15: strongswan-5.8.3
16: ----------------
17:
18: - Updates for the NM backend (and plugin), among others: EAP-TLS authentication,
19: configurable local and remote IKE identities, custom server port, redirection
20: and reauthentication support.
21:
22: - Previously used reqids are now reallocated to workaround an issue on FreeBSD
23: where the daemon can't use reqids > 16383.
24:
25: - On Linux, throw type routes are installed for passthrough policies. They act
26: as fallbacks on routes in other tables and require less information, so they
27: can be installed earlier and are not affected by updates.
28:
29: - For IKEv1, the lifetimes of the selected transform are returned to the
30: initiator, which is an issue with peers that propose different lifetimes in
31: different transforms. We also return the correct transform and proposal IDs.
32:
33: - IKE_SAs are not re-established anymore if a deletion has been queued.
34:
35: - Added support for Ed448 keys and certificates via openssl plugin and pki tool.
36: The openssl plugin also supports SHA-3 and SHAKE128/256.
37:
38: - The use of algorithm IDs from the private use ranges can now be enabled
39: globally, to use them even if no strongSwan vendor ID was exchanged.
40:
41:
42: strongswan-5.8.2
43: ----------------
44:
45: - Identity-based CA constraints are supported via vici/swanctl.conf. They
46: enforce that the remote's certificate chain contains a CA certificate with a
47: specific identity. While similar to the existing CA constraints, they don't
48: require that the CA certificate is locally installed such as intermediate CA
49: certificates received from peers. Compared to wildcard identity matching (e.g.
50: "..., OU=Research, CN=*") this requires less trust in the intermediate CAs (to
51: only issue certificates with legitimate subject DNs) as long as path length
52: basic constraints prevent them from issuing further intermediate CAs.
53:
54: - Intermediate CA certificates may now be sent in hash-and-URL encoding by
55: configuring a base URL for the parent CA.
56:
57: - Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
58: based on AES-CTR and SHA2-HMAC modes. Currently used by gmp and ntru plugins.
59:
60: - Random nonces sent in an OCSP requests are now expected in the corresponding
61: OCSP responses.
62:
63: - The kernel-netlink plugin ignores deprecated IPv6 addresses for MOBIKE.
64: Whether temporary or permanent IPv6 addresses are included depends on the
65: charon.prefer_temporary_addrs setting.
66:
67: - Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the
68: kernel.
69:
70: - Unique section names are used for CHILD_SAs in vici child-updown events and
71: more information (e.g. statistics) are included for individually deleted
72: CHILD_SAs (in particular for IKEv1).
73:
74: - So fallbacks to other plugins work properly, creating HMACs via openssl plugin
75: now fails instantly if the underlying hash algorithm isn't supported (e.g.
76: MD5 in FIPS-mode).
77:
78: - Exponents of RSA keys read from TPM 2.0 via SAPI are now correctly converted.
79:
80: - Routing table IDs > 255 are supported for custom routes on Linux.
81:
82: - The D-Bus config file for charon-nm is now installed in
83: $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d.
84:
85: - INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same
86: exchange type and using the same message ID as the request.
87:
88: - IKEv2 SAs are immediately destroyed when sending or receiving INVALID_SYNTAX
89: notifies in authenticated messages.
90:
91:
92: strongswan-5.8.1
93: ----------------
94:
95: - RDNs in Distinguished Names can now optionally be matched less strict. The
96: global option charon.rdn_matching takes two alternative values that cause the
97: matching algorithm to either ignore the order of matched RDNs or additionally
98: accept DNs that contain more RDNs than configured (unmatched RDNs are treated
99: like wildcard matches).
100:
101: - The updown plugin now passes the same interface to the script that is also
102: used for the automatically installed routes, i.e. the interface over which the
103: peer is reached instead of the interface on which the local address is found.
104:
105: - TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple
106: IKE_SAs use the same private key concurrently.
107:
108:
109: strongswan-5.8.0
110: ----------------
111:
112: - The systemd service units have been renamed. The modern unit, which was called
113: strongswan-swanctl, is now called strongswan (the previous name is configured
114: as alias). The legacy unit is now called strongswan-starter.
115:
116: - Support for XFRM interfaces (available since Linux 4.19) has been added.
117: Configuration is possible via swanctl.conf. Interfaces may be created
118: dynamically via updown/vici scripts, or statically before or after
119: establishing the SAs. Routes must be added manually as needed (the daemon will
120: not install any routes for outbound policies with an interface ID).
121:
122: - Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and
123: supported by the responder, no CHILD_SA is established during IKE_AUTH. This
124: allows using a separate DH exchange even for the first CHILD_SA, which is
125: otherwise created with keys derived from the IKE_SA's key material.
126:
127: - The NetworkManager backend and plugin support IPv6.
128:
129: - The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks
130: to Sean Parkinson of wolfSSL Inc. for the initial patch.
131:
132: - IKE SPIs may optionally be labeled via the charon.spi_mask|label options. This
133: feature was extracted from charon-tkm, however, now applies the mask/label in
134: network order.
135:
136: - The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
137:
138: - The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not
139: correctly implemented when sending either a CRETRY or SRETRY batch. These
140: batches can only be sent in the "Decided" state and a CRETRY batch can
141: immediately carry all messages usually transported by a CDATA batch. It is
142: currently not possible to send a SRETRY batch since full-duplex mode for
143: PT-TLS transport is not supported.
144:
145: - Instead of marking virtual IPv6 addresses as deprecated, the kernel-netlink
146: plugin uses address labels to avoid their use for non-VPN traffic.
147:
148: - The agent plugin creates sockets to the ssh/gpg-agent dynamically and does not
149: keep them open, which otherwise can prevent the agent from getting terminated.
150:
151: - To avoid broadcast loops the forecast plugin now only reinjects packets that
152: are marked or received from the configured interface.
153:
154: - UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses
155: an UTF-16LE encoding to calculate the NT hash.
156:
157: - Adds the build-certs script to generate the keys and certificates used for
158: regression tests dynamically. They are built with the pki version installed
159: in the KVM root image so it's not necessary to have an up-to-date version with
160: all required plugins installed on the host system.
161:
162:
163: strongswan-5.7.2
164: ----------------
165:
166: - Private key implementations may optionally provide a list of supported
167: signature schemes, which is used by the tpm plugin because for each key on a
168: TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
169:
170: - For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt
171: length (as defined by the length of the key and hash). However, if the TPM is
172: FIPS-168-4 compliant, the salt length equals the hash length. This is assumed
173: for FIPS-140-2 compliant TPMs, but if that's not the case, it might be
174: necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't
175: use the maximum salt length.
176:
177: - swanctl now accesses directories for credentials relative to swanctl.conf, in
178: particular, when it's loaded from a custom location via --file argument. The
179: base directory that's used if --file is not given is configurable at runtime
180: via SWANCTL_DIR environment variable.
181:
182: - With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to
183: Access-Request messages, simplifying associating database entries for IP
184: leases and accounting with sessions.
185:
186: - IPs assigned by RADIUS servers are included in Accounting-Stop even if clients
187: don't claim them, allowing releasing them early on connection errors.
188:
189: - Selectors installed on transport mode SAs by the kernel-netlink plugin are
190: updated on IP address changes (e.g. via MOBIKE).
191:
192: - Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin.
193: For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature
194: authentication has to be disabled via charon.signature_authentication.
195:
196: - The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
197:
198: - The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys
199: and signatures when built against OpenSSL 1.1.1.
200:
201: - Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
202:
203: - The mysql plugin now properly handles database connections with transactions
204: under heavy load.
205:
206: - IP addresses in HA pools are now distributed evenly among all segments.
207:
208: - On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly
209: from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by
210: the plugin, e.g. for compatibility with if_ipsec(4) VTIs.
211:
212:
213: strongswan-5.7.1
214: ----------------
215:
216: - Fixes a vulnerability in the gmp plugin triggered by crafted certificates with
217: RSA keys with very small moduli. When verifying signatures with such keys,
218: the code patched with the fix for CVE-2018-16151/2 caused an integer underflow
219: and subsequent heap buffer overflow that results in a crash of the daemon.
220: The vulnerability has been registered as CVE-2018-17540.
221:
222:
223: strongswan-5.7.0
224: ----------------
225:
226: - Fixes a potential authorization bypass vulnerability in the gmp plugin that
227: was caused by a too lenient verification of PKCS#1 v1.5 signatures. Several
228: flaws could be exploited by a Bleichenbacher-style attack to forge signatures
229: for low-exponent keys (i.e. with e=3). CVE-2018-16151 has been assigned to
230: the problem of accepting random bytes after the OID of the hash function in
231: such signatures, and CVE-2018-16152 has been assigned to the issue of not
232: verifying that the parameters in the ASN.1 algorithmIdentifier structure is
233: empty. Other flaws that don't lead to a vulnerability directly (e.g. not
234: checking for at least 8 bytes of padding) have no separate CVE assigned.
235:
236: - Dots are not allowed anymore in section names in swanctl.conf and
237: strongswan.conf. This mainly affects the configuration of file loggers. If the
238: path for such a log file contains dots it now has to be configured in the new
239: `path` setting within the arbitrarily renamed subsection in the `filelog`
240: section.
241:
242: - Sections in swanctl.conf and strongswan.conf may now reference other sections.
243: All settings and subsections from such a section are inherited. This allows
244: to simplify configs as redundant information has only to be specified once
245: and may then be included in other sections (refer to the example in the man
246: page for strongswan.conf).
247:
248: - The originally selected IKE config (based on the IPs and IKE version) can now
249: change if no matching algorithm proposal is found. This way the order
250: of the configs doesn't matter that much anymore and it's easily possible to
251: specify separate configs for clients that require weak algorithms (instead
252: of having to also add them in other configs that might be selected).
253:
254: - Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2)
255: has been added.
256:
257: - The new botan plugin is a wrapper around the Botan C++ crypto library. It
258: requires a fairly recent build from Botan's master branch (or the upcoming
259: 2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz
260: Cybersecurity for the initial patch.
261:
262: - The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using
263: the syntax --san xmppaddr:<jid>.
264:
265: - Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA)
266: for PA-TNC". SWIMA subscription option sets CLOSE_WRITE trigger on apt
267: history.log file resulting in a ClientRetry PB-TNC batch to initialize
268: a new measurement cycle.
269:
270: - Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA
271: protocols on Google's OSS-Fuzz infrastructure.
272:
273: - Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of
274: the in-kernel /dev/tpmrm0 resource manager is automatically detected.
275:
276: - Marks the in- and/or outbound SA should apply to packets after processing may
277: be configured in swanctl.conf on Linux. For outbound SAs this requires at
278: least a 4.14 kernel. Setting a mask and configuring a mark/mask for inbound
279: SAs will be added with the upcoming 4.19 kernel.
280:
281: - New options in swanctl.conf allow configuring how/whether DF, ECN and DS
282: fields in the IP headers are copied during IPsec processing. Controlling this
283: is currently only possible on Linux.
284:
285: - To avoid conflicts, the dhcp plugin now only uses the DHCP server port if
286: explicitly configured.
287:
288:
289: strongswan-5.6.3
290: ----------------
291:
292: - Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is
293: used in FIPS mode and HMAC-MD5 is negotiated as PRF.
294: This vulnerability has been registered as CVE-2018-10811.
295:
296: - Fixed a vulnerability in the stroke plugin, which did not check the received
297: length before reading a message from the socket. Unless a group is configured,
298: root privileges are required to access that socket, so in the default
299: configuration this shouldn't be an issue.
300: This vulnerability has been registered as CVE-2018-5388.
301:
302: ⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios
303: where expired certificates are removed from CRLs and the clock on the host
304: doing the revocation check is trailing behind that of the host issuing CRLs.
305:
306: - The issuer of fetched CRLs is now compared to the issuer of the checked
307: certificate.
308:
309: - CRL validation results other than revocation (e.g. a skipped check because
310: the CRL couldn't be fetched) are now stored also for intermediate CA
311: certificates and not only for end-entity certificates, so a strict CRL policy
312: can be enforced in such cases.
313:
314: - In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
315: now either not contain a keyUsage extension (like the ones generated by pki)
316: or have at least one of the digitalSignature or nonRepudiation bits set.
317:
318: - New options for vici/swanctl allow forcing the local termination of an IKE_SA.
319: This might be useful in situations where it's known the other end is not
320: reachable anymore, or that it already removed the IKE_SA, so retransmitting a
321: DELETE and waiting for a response would be pointless. Waiting only a certain
322: amount of time for a response before destroying the IKE_SA is also possible
323: by additionally specifying a timeout.
324:
325: - When removing routes, the kernel-netlink plugin now checks if it tracks other
326: routes for the same destination and replaces the installed route instead of
327: just removing it. Same during installation, where existing routes previously
328: weren't replaced. This should allow using traps with virtual IPs on Linux.
329:
330: - The dhcp plugin only sends the client identifier option if identity_lease is
331: enabled. It can also send identities of up to 255 bytes length, instead of
332: the previous 64 bytes. If a server address is configured, DHCP requests are
333: now sent from port 67 instead of 68 to avoid ICMP port unreachables.
334:
335: - Roam events are now completely ignored for IKEv1 SAs.
336:
337: - ChaCha20/Poly1305 is now correctly proposed without key length. For
338: compatibility with older releases the chacha20poly1305compat keyword may be
339: included in proposals to also propose the algorithm with a key length.
340:
341: - Configuration of hardware offload of IPsec SAs is now more flexible and allows
342: a new mode, which automatically uses it if the kernel and device support it.
343:
344: - SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
345:
346: - The pki --verify tool may load CA certificates and CRLs from directories.
347:
348: - Fixed an issue with DNS servers passed to NetworkManager in charon-nm.
349:
350:
351: strongswan-5.6.2
352: ----------------
353:
354: - Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
355: was caused by insufficient input validation. One of the configurable
356: parameters in algorithm identifier structures for RSASSA-PSS signatures is the
357: mask generation function (MGF). Only MGF1 is currently specified for this
358: purpose. However, this in turn takes itself a parameter that specifies the
359: underlying hash function. strongSwan's parser did not correctly handle the
360: case of this parameter being absent, causing an undefined data read.
361: This vulnerability has been registered as CVE-2018-6459.
362:
363: - The previously negotiated DH group is reused when rekeying an SA, instead of
364: using the first group in the configured proposals, which avoids an additional
365: exchange if the peer selected a different group via INVALID_KE_PAYLOAD when
366: the SA was created initially.
367: The selected DH group is also moved to the front of all sent proposals that
368: contain it and all proposals that don't are moved to the back in order to
369: convey the preference for this group to the peer.
370:
371: - Handling of MOBIKE task queuing has been improved. In particular, the response
372: to an address update is not ignored anymore if only an address list update or
373: DPD is queued.
374:
375: - The fallback drop policies installed to avoid traffic leaks when replacing
376: addresses in installed policies are now replaced by temporary drop policies,
377: which also prevent acquires because we currently delete and reinstall IPsec
378: SAs to update their addresses.
379:
380: - Access X.509 certificates held in non-volatile storage of a TPM 2.0
381: referenced via the NV index.
382:
383: - Adding the --keyid parameter to pki --print allows to print private keys
384: or certificates stored in a smartcard or a TPM 2.0.
385:
386: - Fixed proposal selection if a peer incorrectly sends DH groups in the ESP
387: proposals during IKE_AUTH and also if a DH group is configured in the local
388: ESP proposal and charon.prefer_configured_proposals is disabled.
389:
390: - MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility
391: issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g.
392: AES-XCBC-PRF-128).
393:
394: - The tpm_extendpcr command line tool extends a digest into a TPM PCR.
395:
396: - Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
397:
398: - The save-keys debugging/development plugin saves IKE and/or ESP keys to files
399: compatible with Wireshark.
400:
401:
402: strongswan-5.6.1
403: ----------------
404:
405: - In compliance with RFCs 8221 and 8247 several algorithms were removed from the
406: default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from
407: ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in
408: custom proposals.
409:
410: - Added support for RSASSA-PSS signatures. For backwards compatibility they are
411: not used automatically by default, enable charon.rsa_pss to change that. To
412: explicitly use or require such signatures with IKEv2 signature authentication
413: (RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss...
414: authentication constraints.
415:
416: - The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the
417: `--rsa-padding pss` option.
418:
419: - The sec-updater tool checks for security updates in dpkg-based repositories
420: (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database
421: accordingly. Additionally for each new package version a SWID tag for the
422: given OS and HW architecture is created and stored in the database.
423: Using the sec-updater.sh script template the lookup can be automated
424: (e.g. via an hourly cron job).
425:
426: - The introduction of file versions in the IMV database scheme broke file
427: reference hash measurements. This has been fixed by creating generic product
428: versions having an empty package name.
429:
430: - A new timeout option for the systime-fix plugin stops periodic system time
431: checks after a while and enforces a certificate verification, closing or
432: reauthenticating all SAs with invalid certificates.
433:
434: - The IKE event counters, previously only available via ipsec listcounters, may
435: now be queried/reset via vici and the new swanctl --counters command. They are
436: provided by the new optional counters plugin.
437:
438: - Class attributes received in RADIUS Access-Accept messages may optionally be
439: added to RADIUS accounting messages.
440:
441: - Inbound marks may optionally be installed on the SA again (was removed with
442: 5.5.2) by enabling the mark_in_sa option in swanctl.conf.
443:
444:
445: strongswan-5.6.0
446: ----------------
447:
448: - Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient
449: input validation when verifying RSA signatures, which requires decryption
450: with the operation m^e mod n, where m is the signature, and e and n are the
451: exponent and modulus of the public key. The value m is an integer between
452: 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the
453: calculation results in 0, in which case mpz_export() returns NULL. This
454: result wasn't handled properly causing a null-pointer dereference.
455: This vulnerability has been registered as CVE-2017-11185.
456:
457: - New SWIMA IMC/IMV pair implements the "draft-ietf-sacm-nea-swima-patnc"
458: Internet Draft and has been demonstrated at the IETF 99 Prague Hackathon.
459:
460: - The IMV database template has been adapted to achieve full compliance
461: with the ISO 19770-2:2015 SWID tag standard.
462:
463: - The sw-collector tool extracts software events from apt history logs
464: and stores them in an SQLite database to be used by the SWIMA IMC.
465: The tool can also generate SWID tags both for installed and removed
466: package versions.
467:
468: - The pt-tls-client can attach and use TPM 2.0 protected private keys
469: via the --keyid parameter.
470:
471: - libtpmtss supports Intel's TSS2 Architecture Broker and Resource
472: Manager interface (tcti-tabrmd).
473:
474: - The new eap-aka-3gpp plugin implements the 3GPP MILENAGE algorithms
475: in software. K (optionally concatenated with OPc) may be configured as
476: binary EAP secret.
477:
478: - CHILD_SA rekeying was fixed in charon-tkm and was slightly changed: The
479: switch to the new outbound IPsec SA now happens via SPI on the outbound
480: policy on Linux, and in case of lost rekey collisions no outbound SA/policy
481: is temporarily installed for the redundant CHILD_SA.
482:
483: - The new %unique-dir value for mark* settings allocates separate unique marks
484: for each CHILD_SA direction (in/out).
485:
486:
487: strongswan-5.5.3
488: ----------------
489:
490: - Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient
491: input validation when verifying RSA signatures. More specifically,
492: mpz_powm_sec() has two requirements regarding the passed exponent and modulus
493: that the plugin did not enforce, if these are not met the calculation will
494: result in a floating point exception that crashes the whole process.
495: This vulnerability has been registered as CVE-2017-9022.
496:
497: - Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1
498: parser didn't handle ASN.1 CHOICE types properly, which could result in an
499: infinite loop when parsing X.509 extensions that use such types.
500: This vulnerability has been registered as CVE-2017-9023.
501:
502: - The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
503: traffic loss. The responder now only installs the new inbound SA and delays
504: installing the outbound SA until it receives the DELETE for the replaced
505: CHILD_SA. Similarly, the inbound SA of the replaced CHILD_SA is not removed
506: for a configurable amount of seconds (charon.delete_rekeyed_delay) after the
507: DELETE has been processed to reduce the chance of dropping delayed packets.
508:
509: - The code base has been ported to Apple's ARM64 iOS platform, whose calling
510: conventions for variadic and regular functions are different. This means
511: assigning non-variadic functions to variadic function pointers does not work.
512: To avoid this issue the enumerator_t interface has been changed and the
513: signatures of the callback functions for enumerator_create_filter(), and the
514: invoke_function() and find_first() methods on linked_list_t have been changed.
515: The return type of find_first() also changed from status_t to bool.
516:
517: - Added support for fuzzing the certificate parser provided by the default
518: plugins (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure. Several
519: issues found while fuzzing these plugins were fixed.
520:
521: - Two new options have been added to charon's retransmission settings:
522: retransmit_limit and retransmit_jitter. The former adds an upper limit to the
523: calculated retransmission timeout, the latter randomly reduces it.
524:
525: - A bug in swanctl's --load-creds command was fixed that caused unencrypted
526: private keys to get unloaded if the command was called multiple times. The
527: load-key VICI command now returns the key ID of the loaded key on success.
528:
529: - The credential manager now enumerates local credential sets before global
530: ones. This means certificates supplied by the peer will now be preferred over
531: certificates with the same identity that may be locally stored (e.g. in the
532: certificate cache).
533:
534: - Added support for hardware offload of IPsec SAs as introduced by Linux 4.11
535: for hardware that supports this.
536:
537: - When building the libraries monolithically and statically the plugin
538: constructors are now hard-coded in each library so the plugin code is not
539: removed by the linker because it thinks none of their symbols are ever
540: referenced.
541:
542: - The pki tool loads the curve25519 plugin by default.
543:
544:
545: strongswan-5.5.2
546: ----------------
547:
548: - Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined
549: by RFC 8031.
550:
551: - Support of Ed25519 digital signature algorithm for IKEv2 as defined by
552: draft-ietf-ipsecme-eddsa. Ed25519-based public key pairs, X.509 certificates
553: and CRLs can be generated and printed by the pki tool.
554:
555: - The new "tpm" libtpmtss plugin allows to use persistent private RSA and ECDSA
556: keys bound to a TPM 2.0 for both IKE and TLS authentication. Using the
557: TPM 2.0 object handle as keyid parameter, the pki --pub tool can extract
558: the public key from the TPM thereby replacing the aikpub2 tool. In a similar
559: fashion pki --req can generate a PKCS#10 certificate request signed with
560: the TPM private key.
561:
562: - The pki tool gained support for generating certificates with the RFC 3779
563: addrblock extension. The charon addrblock plugin now dynamically narrows
564: traffic selectors based on the certificate addrblocks instead of rejecting
565: non-matching selectors completely. This allows generic connections, where
566: the allowed selectors are defined by the used certificates only.
567:
568: - In-place update of cached base and delta CRLs does not leave dozens
569: of stale copies in cache memory.
570:
571: - Several new features for the VICI interface and the swanctl utility: Querying
572: specific pools, enumerating and unloading keys and shared secrets, loading
573: keys and certificates from PKCS#11 tokens, the ability to initiate, install
574: and uninstall connections and policies by their exact name (if multiple child
575: sections in different connections share the same name), a command to initiate
576: the rekeying of IKE and IPsec SAs, support for settings previously only
577: supported by the old config files (plain pubkeys, dscp, certificate policies,
578: IPv6 Transport Proxy Mode, NT Hash secrets, mediation extension).
579:
580: Important: Due to issues with VICI bindings that map sub-sections to
581: dictionaries the CHILD_SA sections returned via list-sas now have a unique
582: name, the original name of a CHILD_SA is returned in the "name" key of its
583: section.
584:
585:
586: strongswan-5.5.1
587: ----------------
588:
589: - The newhope plugin implements the post-quantum NewHope key exchange algorithm
590: proposed in their 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
591: Peter Schwabe.
592:
593: - The libstrongswan crypto factory now offers the registration of Extended
594: Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
595: implemented by the sha3 plugin, ChaCHa20 implemented by the chapoly plugin
596: and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
597: SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
598:
599: - The pki tool, with help of the pkcs1 or openssl plugins, can parse private
600: keys in any of the supported formats without having to know the exact type.
601: So instead of having to specify rsa or ecdsa explicitly the keyword priv may
602: be used to indicate a private key of any type. Similarly, swanctl can load
603: any type of private key from the swanctl/private directory.
604:
605: - The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
606: sha3 and gmp plugins.
607:
608: - The VICI flush-certs command flushes certificates from the volatile
609: certificate cache. Optionally the type of the certificates to be
610: flushed (e.g. type = x509_crl) can be specified.
611:
612: - Setting cache_crls = yes in strongswan.conf the vici plugin saves regular,
613: base and delta CRLs to disk.
614:
615: - IKE fragmentation is now enabled by default with the default fragment size
616: set to 1280 bytes for both IP address families.
617:
618: - libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
619: tss2_tcti_finalize().
620:
621:
622: strongswan-5.5.0
623: ----------------
624:
625: - The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0
626: Trusted Platform Modules. This allows the Attestation IMC/IMV pair to
627: do TPM 2.0 based attestation.
628:
629: - The behavior during IKEv2 exchange collisions has been improved/fixed in
630: several corner cases and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND
631: notifies, as defined by RFC 7296, has been added.
632:
633: - IPsec policy priorities can be set manually (e.g. for high-priority drop
634: policies) and outbound policies may be restricted to a network interface.
635:
636: - The scheme for the automatically calculated default priorities has been
637: changed and now also considers port masks, which were added with 5.4.0.
638:
639: - FWD policies are now installed in both directions in regards to the traffic
640: selectors. Because such "outbound" FWD policies could conflict with "inbound"
641: FWD policies of other SAs they are installed with a lower priority and don't
642: have a reqid set, which allows kernel plugins to distinguish between the two
643: and prefer those with a reqid.
644:
645: - For outbound IPsec SAs no replay window is configured anymore.
646:
647: - Enhanced the functionality of the swanctl --list-conns command by listing
648: IKE_SA and CHILD_SA reauthentication and rekeying settings, and EAP/XAuth
649: identities and EAP types.
650:
651: - DNS servers installed by the resolve plugin are now refcounted, which should
652: fix its use with make-before-break reauthentication. Any output written to
653: stderr/stdout by resolvconf is now logged.
654:
655: - The methods in the kernel interfaces have been changed to take structs instead
656: of long lists of arguments. Similarly the constructors for peer_cfg_t and
657: child_cfg_t now take structs.
658:
659:
660: strongswan-5.4.0
661: ----------------
662:
663: - Support for IKEv2 redirection (RFC 5685) has been added. Plugins may
664: implement the redirect_provider_t interface to decide if and when to redirect
665: connecting clients. It is also possible to redirect established IKE_SAs based
666: on different selectors via VICI/swanctl. Unless disabled in strongswan.conf
667: the charon daemon will follow redirect requests received from servers.
668:
669: - The ike: prefix enables the explicit configuration of signature scheme
670: constraints against IKEv2 authentication in rightauth, which allows the use
671: of different signature schemes for trustchain verification and authentication.
672:
673: - The initiator of an IKEv2 make-before-break reauthentication now suspends
674: online certificate revocation checks (OCSP, CRLs) until the new IKE_SA and all
675: CHILD_SAs are established. This is required if the checks are done over the
676: CHILD_SA established with the new IKE_SA. This is not possible until the
677: initiator installs this SA and that only happens after the authentication is
678: completed successfully. So we suspend the checks during the reauthentication
679: and do them afterwards, if they fail the IKE_SA is closed. This change has no
680: effect on the behavior during the authentication of the initial IKE_SA.
681:
682: - For the vici plugin a Vici:Session Perl CPAN module has been added to allow
683: Perl applications to control and/or monitor the IKE daemon using the VICI
684: interface, similar to the existing Python egg or Ruby gem.
685:
686: - Traffic selectors with port ranges can now be configured in the Linux kernel:
687: e.g. remote_ts = 10.1.0.0/16[tcp/20-23] local_ts = dynamic[tcp/32768-65535].
688: The port range must map to a port mask, though since the kernel does not
689: support arbitrary ranges.
690:
691: - The vici plugin allows the configuration of IPv4 and IPv6 address ranges
692: in local and remote traffic selectors. Since both the Linux kernel and
693: iptables cannot handle arbitrary ranges, address ranges are mapped to the next
694: larger CIDR subnet by the kernel-netlink and updown plugins, respectively.
695:
696: - Implemented IKEv1 IPv4/IPv6 address subnet and range identities that can be
697: used as owners of shared secrets.
698:
699:
700: strongswan-5.3.5
701: ----------------
702:
703: - Properly handle potential EINTR errors in sigwaitinfo(2) calls that replaced
704: sigwait(3) calls with 5.3.4.
705:
706: - RADIUS retransmission timeouts are now configurable, courtesy of Thom Troy.
707:
708:
709: strongswan-5.3.4
710: ----------------
711:
712: - Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
713: was caused by insufficient verification of the internal state when handling
714: MSCHAPv2 Success messages received by the client.
715: This vulnerability has been registered as CVE-2015-8023.
716:
717: - The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
718: Within the strongSwan framework SHA3 is currently used for BLISS signatures
719: only because the OIDs for other signature algorithms haven't been defined
720: yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
721:
722:
723: strongswan-5.3.3
724: ----------------
725:
726: - Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and
727: RFC 7634 using the chacha20poly1305 ike/esp proposal keyword. The new chapoly
728: plugin implements the cipher, if possible SSE-accelerated on x86/x64
729: architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP
730: backend. On Linux 4.2 or newer the kernel-netlink plugin can configure the
731: cipher for ESP SAs.
732:
733: - The vici interface now supports the configuration of auxiliary certification
734: authority information as CRL and OCSP URIs.
735:
736: - In the bliss plugin the c_indices derivation using a SHA-512 based random
737: oracle has been fixed, generalized and standardized by employing the MGF1 mask
738: generation function with SHA-512. As a consequence BLISS signatures using the
739: improved oracle are not compatible with the earlier implementation.
740:
741: - Support for auto=route with right=%any for transport mode connections has
742: been added (the ikev2/trap-any scenario provides examples).
743:
744: - The starter daemon does not flush IPsec policies and SAs anymore when it is
745: stopped. Already existing duplicate policies are now overwritten by the IKE
746: daemon when it installs its policies.
747:
748: - Init limits (like charon.init_limit_half_open) can now optionally be enforced
749: when initiating SAs via VICI. For this, IKE_SAs initiated by the daemon are
750: now also counted as half-open SAs, which, as a side-effect, fixes the status
751: output while connecting (e.g. in ipsec status).
752:
753: - Symmetric configuration of EAP methods in left|rightauth is now possible when
754: mutual EAP-only authentication is used (previously, the client had to
755: configure rightauth=eap or rightauth=any, which prevented it from using this
756: same config as responder).
757:
758: - The initiator flag in the IKEv2 header is compared again (wasn't the case
759: since 5.0.0) and packets that have the flag set incorrectly are again ignored.
760:
761: - Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy
762: Device Health Assessment Trusted Network Connect Binding" (HCD-TNC)
763: document drafted by the IEEE Printer Working Group (PWG).
764:
765: - Fixed IF-M segmentation which failed in the presence of multiple small
766: attributes in front of a huge attribute to be segmented.
767:
768:
769: strongswan-5.3.2
770: ----------------
771:
772: - Fixed a vulnerability that allowed rogue servers with a valid certificate
773: accepted by the client to trick it into disclosing its username and even
774: password (if the client accepts EAP-GTC). This was caused because constraints
775: against the responder's authentication were enforced too late.
776: This vulnerability has been registered as CVE-2015-4171.
777:
778:
779: strongswan-5.3.1
780: ----------------
781:
782: - Fixed a denial-of-service and potential remote code execution vulnerability
783: triggered by IKEv1/IKEv2 messages that contain payloads for the respective
784: other IKE version. Such payload are treated specially since 5.2.2 but because
785: they were still identified by their original payload type they were used as
786: such in some places causing invalid function pointer dereferences.
787: The vulnerability has been registered as CVE-2015-3991.
788:
789: - The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto
790: primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ
791: instructions and works on both x86 and x64 architectures. It provides
792: superior crypto performance in userland without any external libraries.
793:
794:
795: strongswan-5.3.0
796: ----------------
797:
798: - Added support for IKEv2 make-before-break reauthentication. By using a global
799: CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
800: This allows the use of make-before-break instead of the previously supported
801: break-before-make reauthentication, avoiding connectivity gaps during that
802: procedure. As the new mechanism may fail with peers not supporting it (such
803: as any previous strongSwan release) it must be explicitly enabled using
804: the charon.make_before_break strongswan.conf option.
805:
806: - Support for "Signature Authentication in IKEv2" (RFC 7427) has been added.
807: This allows the use of stronger hash algorithms for public key authentication.
808: By default, signature schemes are chosen based on the strength of the
809: signature key, but specific hash algorithms may be configured in leftauth.
810:
811: - Key types and hash algorithms specified in rightauth are now also checked
812: against IKEv2 signature schemes. If such constraints are used for certificate
813: chain validation in existing configurations, in particular with peers that
814: don't support RFC 7427, it may be necessary to disable this feature with the
815: charon.signature_authentication_constraints setting, because the signature
816: scheme used in classic IKEv2 public key authentication may not be strong
817: enough.
818:
819: - The new connmark plugin allows a host to bind conntrack flows to a specific
820: CHILD_SA by applying and restoring the SA mark to conntrack entries. This
821: allows a peer to handle multiple transport mode connections coming over the
822: same NAT device for client-initiated flows. A common use case is to protect
823: L2TP/IPsec, as supported by some systems.
824:
825: - The forecast plugin can forward broadcast and multicast messages between
826: connected clients and a LAN. For CHILD_SA using unique marks, it sets up
827: the required Netfilter rules and uses a multicast/broadcast listener that
828: forwards such messages to all connected clients. This plugin is designed for
829: Windows 7 IKEv2 clients, which announces its services over the tunnel if the
830: negotiated IPsec policy allows it.
831:
832: - For the vici plugin a Python Egg has been added to allow Python applications
833: to control or monitor the IKE daemon using the VICI interface, similar to the
834: existing ruby gem. The Python library has been contributed by Björn Schuberg.
835:
836: - EAP server methods now can fulfill public key constraints, such as rightcert
837: or rightca. Additionally, public key and signature constraints can be
838: specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
839: EAP-TTLS methods provide verification details to constraints checking.
840:
841: - Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B
842: variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash
843: algorithms with SHA512 being the default.
844:
845: - The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
846: as seen by the TNC server available to all IMVs. This information can be
847: forwarded to policy enforcement points (e.g. firewalls or routers).
848:
849: - The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
850: in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
851: PT-TLS transport medium.
852:
853:
854: strongswan-5.2.2
855: ----------------
856:
857: - Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
858: payload that contains the Diffie-Hellman group 1025. This identifier was
859: used internally for DH groups with custom generator and prime. Because
860: these arguments are missing when creating DH objects based on the KE payload
861: an invalid pointer dereference occurred. This allowed an attacker to crash
862: the IKE daemon with a single IKE_SA_INIT message containing such a KE
863: payload. The vulnerability has been registered as CVE-2014-9221.
864:
865: - The left/rightid options in ipsec.conf, or any other identity in strongSwan,
866: now accept prefixes to enforce an explicit type, such as email: or fqdn:.
867: Note that no conversion is done for the remaining string, refer to
868: ipsec.conf(5) for details.
869:
870: - The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
871: an IKEv2 public key authentication method. The pki tool offers full support
872: for the generation of BLISS key pairs and certificates.
873:
874: - Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
875: cause interoperability issues when connecting to older versions of charon.
876:
877:
878: strongswan-5.2.1
879: ----------------
880:
881: - The new charon-systemd IKE daemon implements an IKE daemon tailored for use
882: with systemd. It avoids the dependency on ipsec starter and uses swanctl
883: as configuration backend, building a simple and lightweight solution. It
884: supports native systemd journal logging.
885:
886: - Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
887: fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
888:
889: - Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
890: All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
891: and IETF/Installed Packages attributes can be processed incrementally on a
892: per segment basis.
893:
894: - The new ext-auth plugin calls an external script to implement custom IKE_SA
895: authorization logic, courtesy of Vyronas Tsingaras.
896:
897: - For the vici plugin a ruby gem has been added to allow ruby applications
898: to control or monitor the IKE daemon. The vici documentation has been updated
899: to include a description of the available operations and some simple examples
900: using both the libvici C interface and the ruby gem.
901:
902:
903: strongswan-5.2.0
904: ----------------
905:
906: - strongSwan has been ported to the Windows platform. Using a MinGW toolchain,
907: many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2
908: and newer releases. charon-svc implements a Windows IKE service based on
909: libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec
910: backend on the Windows platform. socket-win provides a native IKE socket
911: implementation, while winhttp fetches CRL and OCSP information using the
912: WinHTTP API.
913:
914: - The new vici plugin provides a Versatile IKE Configuration Interface for
915: charon. Using the stable IPC interface, external applications can configure,
916: control and monitor the IKE daemon. Instead of scripting the ipsec tool
917: and generating ipsec.conf, third party applications can use the new interface
918: for more control and better reliability.
919:
920: - Built upon the libvici client library, swanctl implements the first user of
921: the VICI interface. Together with a swanctl.conf configuration file,
922: connections can be defined, loaded and managed. swanctl provides a portable,
923: complete IKE configuration and control interface for the command line.
924: The first six swanctl example scenarios have been added.
925:
926: - The SWID IMV implements a JSON-based REST API which allows the exchange
927: of SWID tags and Software IDs with the strongTNC policy manager.
928:
929: - The SWID IMC can extract all installed packages from the dpkg (Debian,
930: Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or
931: pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using the
932: swidGenerator (https://github.com/strongswan/swidGenerator) which generates
933: SWID tags according to the new ISO/IEC 19770-2:2014 standard.
934:
935: - All IMVs now share the access requestor ID, device ID and product info
936: of an access requestor via a common imv_session object.
937:
938: - The Attestation IMC/IMV pair supports the IMA-NG measurement format
939: introduced with the Linux 3.13 kernel.
940:
941: - The aikgen tool generates an Attestation Identity Key bound to a TPM.
942:
943: - Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
944: Connect.
945:
946: - The ipsec.conf replay_window option defines connection specific IPsec replay
947: windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from
948: 6Wind.
949:
950:
951: strongswan-5.1.3
952: ----------------
953:
954: - Fixed an authentication bypass vulnerability triggered by rekeying an
955: unestablished IKEv2 SA while it gets actively initiated. This allowed an
956: attacker to trick a peer's IKE_SA state to established, without the need to
957: provide any valid authentication credentials. The vulnerability has been
958: registered as CVE-2014-2338.
959:
960: - The acert plugin evaluates X.509 Attribute Certificates. Group membership
961: information encoded as strings can be used to fulfill authorization checks
962: defined with the rightgroups option. Attribute Certificates can be loaded
963: locally or get exchanged in IKEv2 certificate payloads.
964:
965: - The pki command gained support to generate X.509 Attribute Certificates
966: using the --acert subcommand, while the --print command supports the ac type.
967: The openac utility has been removed in favor of the new pki functionality.
968:
969: - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
970: has been extended by AEAD mode support, currently limited to AES-GCM.
971:
972:
973: strongswan-5.1.2
974: ----------------
975:
976: - A new default configuration file layout is introduced. The new default
977: strongswan.conf file mainly includes config snippets from the strongswan.d
978: and strongswan.d/charon directories (the latter containing snippets for all
979: plugins). The snippets, with commented defaults, are automatically
980: generated and installed, if they don't exist yet. They are also installed
981: in $prefix/share/strongswan/templates so existing files can be compared to
982: the current defaults.
983:
984: - As an alternative to the non-extensible charon.load setting, the plugins
985: to load in charon (and optionally other applications) can now be determined
986: via the charon.plugins.<name>.load setting for each plugin (enabled in the
987: new default strongswan.conf file via the charon.load_modular option).
988: The load setting optionally takes a numeric priority value that allows
989: reordering the plugins (otherwise the default plugin order is preserved).
990:
991: - All strongswan.conf settings that were formerly defined in library specific
992: "global" sections are now application specific (e.g. settings for plugins in
993: libstrongswan.plugins can now be set only for charon in charon.plugins).
994: The old options are still supported, which now allows to define defaults for
995: all applications in the libstrongswan section.
996:
997: - The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
998: computer IKE key exchange mechanism. The implementation is based on the
999: ntru-crypto library from the NTRUOpenSourceProject. The supported security
1000: strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH
1001: group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be
1002: sent (charon.send_vendor_id = yes) in order to use NTRU.
1003:
1004: - Defined a TPMRA remote attestation workitem and added support for it to the
1005: Attestation IMV.
1006:
1007: - Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as
1008: well as multiple subnets in left|rightsubnet have been fixed.
1009:
1010: - When enabling its "session" strongswan.conf option, the xauth-pam plugin opens
1011: and closes a PAM session for each established IKE_SA. Patch courtesy of
1012: Andrea Bonomi.
1013:
1014: - The strongSwan unit testing framework has been rewritten without the "check"
1015: dependency for improved flexibility and portability. It now properly supports
1016: multi-threaded and memory leak testing and brings a bunch of new test cases.
1017:
1018:
1019: strongswan-5.1.1
1020: ----------------
1021:
1022: - Fixed a denial-of-service vulnerability and potential authorization bypass
1023: triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient
1024: length check when comparing such identities. The vulnerability has been
1025: registered as CVE-2013-6075.
1026:
1027: - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
1028: fragmentation payload. The cause is a NULL pointer dereference. The
1029: vulnerability has been registered as CVE-2013-6076.
1030:
1031: - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS session
1032: with a strongSwan policy enforcement point which uses the tnc-pdp charon
1033: plugin.
1034:
1035: - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either
1036: full SWID Tag or concise SWID Tag ID inventories.
1037:
1038: - The XAuth backend in eap-radius now supports multiple XAuth exchanges for
1039: different credential types and display messages. All user input gets
1040: concatenated and verified with a single User-Password RADIUS attribute on
1041: the AAA. With an AAA supporting it, one for example can implement
1042: Password+Token authentication with proper dialogs on iOS and OS X clients.
1043:
1044: - charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf
1045: modeconfig=push option enables it for both client and server, the same way
1046: as pluto used it.
1047:
1048: - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 connections,
1049: charon can negotiate and install Security Associations integrity-protected by
1050: the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only,
1051: but not the deprecated RFC2401 style ESP+AH bundles.
1052:
1053: - The generation of initialization vectors for IKE and ESP (when using libipsec)
1054: is now modularized and IVs for e.g. AES-GCM are now correctly allocated
1055: sequentially, while other algorithms like AES-CBC still use random IVs.
1056:
1057: - The left and right options in ipsec.conf can take multiple address ranges
1058: and subnets. This allows connection matching against a larger set of
1059: addresses, for example to use a different connection for clients connecting
1060: from a internal network.
1061:
1062: - For all those who have a queasy feeling about the NIST elliptic curve set,
1063: the Brainpool curves introduced for use with IKE by RFC 6932 might be a
1064: more trustworthy alternative.
1065:
1066: - The kernel-libipsec userland IPsec backend now supports usage statistics,
1067: volume based rekeying and accepts ESPv3 style TFC padded packets.
1068:
1069: - With two new strongswan.conf options fwmarks can be used to implement
1070: host-to-host tunnels with kernel-libipsec.
1071:
1072: - load-tester supports transport mode connections and more complex traffic
1073: selectors, including such using unique ports for each tunnel.
1074:
1075: - The new dnscert plugin provides support for authentication via CERT RRs that
1076: are protected via DNSSEC. The plugin was created by Ruslan N. Marchenko.
1077:
1078: - The eap-radius plugin supports forwarding of several Cisco Unity specific
1079: RADIUS attributes in corresponding configuration payloads.
1080:
1081: - Database transactions are now abstracted and implemented by the two backends.
1082: If you use MySQL make sure all tables use the InnoDB engine.
1083:
1084: - libstrongswan now can provide an experimental custom implementation of the
1085: printf family functions based on klibc if neither Vstr nor glibc style printf
1086: hooks are available. This can avoid the Vstr dependency on some systems at
1087: the cost of slower and less complete printf functions.
1088:
1089:
1090: strongswan-5.1.0
1091: ----------------
1092:
1093: - Fixed a denial-of-service vulnerability triggered by specific XAuth usernames
1094: and EAP identities (since 5.0.3), and PEM files (since 4.1.11). The crash
1095: was caused by insufficient error handling in the is_asn1() function.
1096: The vulnerability has been registered as CVE-2013-5018.
1097:
1098: - The new charon-cmd command line IKE client can establish road warrior
1099: connections using IKEv1 or IKEv2 with different authentication profiles.
1100: It does not depend on any configuration files and can be configured using a
1101: few simple command line options.
1102:
1103: - The kernel-pfroute networking backend has been greatly improved. It now
1104: can install virtual IPs on TUN devices on OS X and FreeBSD, allowing these
1105: systems to act as a client in common road warrior scenarios.
1106:
1107: - The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec
1108: processing in userland on Linux, FreeBSD and Mac OS X.
1109:
1110: - The eap-radius plugin can now serve as an XAuth backend called xauth-radius,
1111: directly verifying XAuth credentials using RADIUS User-Name/User-Password
1112: attributes. This is more efficient than the existing xauth-eap+eap-radius
1113: combination, and allows RADIUS servers without EAP support to act as AAA
1114: backend for IKEv1.
1115:
1116: - The new osx-attr plugin installs configuration attributes (currently DNS
1117: servers) via SystemConfiguration on Mac OS X. The keychain plugin provides
1118: certificates from the OS X keychain service.
1119:
1120: - The sshkey plugin parses SSH public keys, which, together with the --agent
1121: option for charon-cmd, allows the use of ssh-agent for authentication.
1122: To configure SSH keys in ipsec.conf the left|rightrsasigkey options are
1123: replaced with left|rightsigkey, which now take public keys in one of three
1124: formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and
1125: PKCS#1 (the default, no prefix).
1126:
1127: - Extraction of certificates and private keys from PKCS#12 files is now provided
1128: by the new pkcs12 plugin or the openssl plugin. charon-cmd (--p12) as well
1129: as charon (via P12 token in ipsec.secrets) can make use of this.
1130:
1131: - IKEv2 can now negotiate transport mode and IPComp in NAT situations.
1132:
1133: - IKEv2 exchange initiators now properly close an established IKE or CHILD_SA
1134: on error conditions using an additional exchange, keeping state in sync
1135: between peers.
1136:
1137: - Using a SQL database interface a Trusted Network Connect (TNC) Policy Manager
1138: can generate specific measurement workitems for an arbitrary number of
1139: Integrity Measurement Verifiers (IMVs) based on the history of the VPN user
1140: and/or device.
1141:
1142: - Several core classes in libstrongswan are now tested with unit tests. These
1143: can be enabled with --enable-unit-tests and run with 'make check'. Coverage
1144: reports can be generated with --enable-coverage and 'make coverage' (this
1145: disables any optimization, so it should not be enabled when building
1146: production releases).
1147:
1148: - The leak-detective developer tool has been greatly improved. It works much
1149: faster/stabler with multiple threads, does not use deprecated malloc hooks
1150: anymore and has been ported to OS X.
1151:
1152: - chunk_hash() is now based on SipHash-2-4 with a random key. This provides
1153: better distribution and prevents hash flooding attacks when used with
1154: hashtables.
1155:
1156: - All default plugins implement the get_features() method to define features
1157: and their dependencies. The plugin loader has been improved, so that plugins
1158: in a custom load statement can be ordered freely or to express preferences
1159: without being affected by dependencies between plugin features.
1160:
1161: - A centralized thread can take care for watching multiple file descriptors
1162: concurrently. This removes the need for a dedicated listener threads in
1163: various plugins. The number of "reserved" threads for such tasks has been
1164: reduced to about five, depending on the plugin configuration.
1165:
1166: - Plugins that can be controlled by a UNIX socket IPC mechanism gained network
1167: transparency. Third party applications querying these plugins now can use
1168: TCP connections from a different host.
1169:
1170: - libipsec now supports AES-GCM.
1171:
1172:
1173: strongswan-5.0.4
1174: ----------------
1175:
1176: - Fixed a security vulnerability in the openssl plugin which was reported by
1177: Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944.
1178: Before the fix, if the openssl plugin's ECDSA signature verification was used,
1179: due to a misinterpretation of the error code returned by the OpenSSL
1180: ECDSA_verify() function, an empty or zeroed signature was accepted as a
1181: legitimate one.
1182:
1183: - The handling of a couple of other non-security relevant openssl return codes
1184: was fixed as well.
1185:
1186: - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its
1187: TCG TNC IF-MAP 2.1 interface.
1188:
1189: - The charon.initiator_only option causes charon to ignore IKE initiation
1190: requests.
1191:
1192: - The openssl plugin can now use the openssl-fips library.
1193:
1194:
1195: strongswan-5.0.3
1196: ----------------
1197:
1198: - The new ipseckey plugin enables authentication based on trustworthy public
1199: keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
1200: To do so it uses a DNSSEC enabled resolver, like the one provided by the new
1201: unbound plugin, which is based on libldns and libunbound. Both plugins were
1202: created by Reto Guadagnini.
1203:
1204: - Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
1205: available to an IMV. The OS IMV stores the AR identity together with the
1206: device ID in the attest database.
1207:
1208: - The openssl plugin now uses the AES-NI accelerated version of AES-GCM
1209: if the hardware supports it.
1210:
1211: - The eap-radius plugin can now assign virtual IPs to IKE clients using the
1212: Framed-IP-Address attribute by using the "%radius" named pool in the
1213: rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
1214: Unity-capable IKEv1 clients during mode config. charon now sends Interim
1215: Accounting updates if requested by the RADIUS server, reports
1216: sent/received packets in Accounting messages, and adds a Terminate-Cause
1217: to Accounting-Stops.
1218:
1219: - The recently introduced "ipsec listcounters" command can report connection
1220: specific counters by passing a connection name, and global or connection
1221: counters can be reset by the "ipsec resetcounters" command.
1222:
1223: - The strongSwan libpttls library provides an experimental implementation of
1224: PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
1225:
1226: - The charon systime-fix plugin can disable certificate lifetime checks on
1227: embedded systems if the system time is obviously out of sync after bootup.
1228: Certificates lifetimes get checked once the system time gets sane, closing
1229: or reauthenticating connections using expired certificates.
1230:
1231: - The "ikedscp" ipsec.conf option can set DiffServ code points on outgoing
1232: IKE packets.
1233:
1234: - The new xauth-noauth plugin allows to use basic RSA or PSK authentication with
1235: clients that cannot be configured without XAuth authentication. The plugin
1236: simply concludes the XAuth exchange successfully without actually performing
1237: any authentication. Therefore, to use this backend it has to be selected
1238: explicitly with rightauth2=xauth-noauth.
1239:
1240: - The new charon-tkm IKEv2 daemon delegates security critical operations to a
1241: separate process. This has the benefit that the network facing daemon has no
1242: knowledge of keying material used to protect child SAs. Thus subverting
1243: charon-tkm does not result in the compromise of cryptographic keys.
1244: The extracted functionality has been implemented from scratch in a minimal TCB
1245: (trusted computing base) in the Ada programming language. Further information
1246: can be found at https://www.codelabs.ch/tkm/.
1247:
1248: strongswan-5.0.2
1249: ----------------
1250:
1251: - Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV
1252: pair using them to transfer operating system information.
1253:
1254: - The new "ipsec listcounters" command prints a list of global counter values
1255: about received and sent IKE messages and rekeyings.
1256:
1257: - A new lookip plugin can perform fast lookup of tunnel information using a
1258: clients virtual IP and can send notifications about established or deleted
1259: tunnels. The "ipsec lookip" command can be used to query such information
1260: or receive notifications.
1261:
1262: - The new error-notify plugin catches some common error conditions and allows
1263: an external application to receive notifications for them over a UNIX socket.
1264:
1265: - IKE proposals can now use a PRF algorithm different to that defined for
1266: integrity protection. If an algorithm with a "prf" prefix is defined
1267: explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on
1268: the integrity algorithm is added to the proposal.
1269:
1270: - The pkcs11 plugin can now load leftcert certificates from a smartcard for a
1271: specific ipsec.conf conn section and cacert CA certificates for a specific ca
1272: section.
1273:
1274: - The load-tester plugin gained additional options for certificate generation
1275: and can load keys and multiple CA certificates from external files. It can
1276: install a dedicated outer IP address for each tunnel and tunnel initiation
1277: batches can be triggered and monitored externally using the
1278: "ipsec load-tester" tool.
1279:
1280: - PKCS#7 container parsing has been modularized, and the openssl plugin
1281: gained an alternative implementation to decrypt and verify such files.
1282: In contrast to our own DER parser, OpenSSL can handle BER files, which is
1283: required for interoperability of our scepclient with EJBCA.
1284:
1285: - Support for the proprietary IKEv1 fragmentation extension has been added.
1286: Fragments are always handled on receipt but only sent if supported by the peer
1287: and if enabled with the new fragmentation ipsec.conf option.
1288:
1289: - IKEv1 in charon can now parse certificates received in PKCS#7 containers and
1290: supports NAT traversal as used by Windows clients. Patches courtesy of
1291: Volker Rümelin.
1292:
1293: - The new rdrand plugin provides a high quality / high performance random
1294: source using the Intel rdrand instruction found on Ivy Bridge processors.
1295:
1296: - The integration test environment was updated and now uses KVM and reproducible
1297: guest images based on Debian.
1298:
1299:
1300: strongswan-5.0.1
1301: ----------------
1302:
1303: - Introduced the sending of the standard IETF Assessment Result
1304: PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
1305:
1306: - Extended PTS Attestation IMC/IMV pair to provide full evidence of
1307: the Linux IMA measurement process. All pertinent file information
1308: of a Linux OS can be collected and stored in an SQL database.
1309:
1310: - The PA-TNC and PB-TNC protocols can now process huge data payloads
1311: >64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
1312: and these messages over several PB-TNC batches. As long as no
1313: consolidated recommendation from all IMVs can be obtained, the TNC
1314: server requests more client data by sending an empty SDATA batch.
1315:
1316: - The rightgroups2 ipsec.conf option can require group membership during
1317: a second authentication round, for example during XAuth authentication
1318: against a RADIUS server.
1319:
1320: - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
1321: clients against any PAM service. The IKEv2 eap-gtc plugin does not use
1322: PAM directly anymore, but can use any XAuth backend to verify credentials,
1323: including xauth-pam.
1324:
1325: - The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
1326: Extension. As client, charon narrows traffic selectors to the received
1327: Split-Include attributes and automatically installs IPsec bypass policies
1328: for received Local-LAN attributes. As server, charon sends Split-Include
1329: attributes for leftsubnet definitions containing multiple subnets to Unity-
1330: aware clients.
1331:
1332: - An EAP-Nak payload is returned by clients if the gateway requests an EAP
1333: method that the client does not support. Clients can also request a specific
1334: EAP method by configuring that method with leftauth.
1335:
1336: - The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
1337: these to select a different EAP method supported/requested by the client.
1338: The plugin initially requests the first registered method or the first method
1339: configured with charon.plugins.eap-dynamic.preferred.
1340:
1341: - The new left/rightdns options specify connection specific DNS servers to
1342: request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
1343: can be any (comma separated) combination of %config4 and %config6 to request
1344: multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
1345: IP addresses to return.
1346:
1347: - The left/rightsourceip options now accept multiple addresses or pools.
1348: leftsourceip can be any (comma separated) combination of %config4, %config6
1349: or fixed IP addresses to request. rightsourceip accepts multiple explicitly
1350: specified or referenced named pools.
1351:
1352: - Multiple connections can now share a single address pool when they use the
1353: same definition in one of the rightsourceip pools.
1354:
1355: - The options charon.interfaces_ignore and charon.interfaces_use allow one to
1356: configure the network interfaces used by the daemon.
1357:
1358: - The kernel-netlink plugin supports the charon.install_virtual_ip_on option,
1359: which specifies the interface on which virtual IP addresses will be installed.
1360: If it is not specified the current behavior of using the outbound interface
1361: is preserved.
1362:
1363: - The kernel-netlink plugin tries to keep the current source address when
1364: looking for valid routes to reach other hosts.
1365:
1366: - The autotools build has been migrated to use a config.h header. strongSwan
1367: development headers will get installed during "make install" if
1368: --with-dev-headers has been passed to ./configure.
1369:
1370: - All crypto primitives gained return values for most operations, allowing
1371: crypto backends to fail, for example when using hardware accelerators.
1372:
1373:
1374: strongswan-5.0.0
1375: ----------------
1376:
1377: - The charon IKE daemon gained experimental support for the IKEv1 protocol.
1378: Pluto has been removed from the 5.x series, and unless strongSwan is
1379: configured with --disable-ikev1 or --disable-ikev2, charon handles both
1380: keying protocols. The feature-set of IKEv1 in charon is almost on par with
1381: pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
1382: RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
1383: mode. Information for interoperability and migration is available at
1384: https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
1385:
1386: - Charon's bus_t has been refactored so that loggers and other listeners are
1387: now handled separately. The single lock was previously cause for deadlocks
1388: if extensive listeners, such as the one provided by the updown plugin, wanted
1389: to acquire locks that were held by other threads which in turn tried to log
1390: messages, and thus were waiting to acquire the same lock currently held by
1391: the thread calling the listener.
1392: The implemented changes also allow the use of a read/write-lock for the
1393: loggers which increases performance if multiple loggers are registered.
1394: Besides several interface changes this last bit also changes the semantics
1395: for loggers as these may now be called by multiple threads at the same time.
1396:
1397: - Source routes are reinstalled if interfaces are reactivated or IP addresses
1398: reappear.
1399:
1400: - The thread pool (processor_t) now has more control over the lifecycle of
1401: a job (see job.h for details). In particular, it now controls the destruction
1402: of jobs after execution and the cancellation of jobs during shutdown. Due to
1403: these changes the requeueing feature, previously available to callback_job_t
1404: only, is now available to all jobs (in addition to a new rescheduling
1405: feature).
1406:
1407: - In addition to trustchain key strength definitions for different public key
1408: systems, the rightauth option now takes a list of signature hash algorithms
1409: considered save for trustchain validation. For example, the setting
1410: rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512 requires a trustchain
1411: that uses at least RSA-2048 or ECDSA-256 keys and certificate signatures
1412: using SHA-256 or better.
1413:
1414:
1415: strongswan-4.6.4
1416: ----------------
1417:
1418: - Fixed a security vulnerability in the gmp plugin. If this plugin was used
1419: for RSA signature verification an empty or zeroed signature was handled as
1420: a legitimate one.
1421:
1422: - Fixed several issues with reauthentication and address updates.
1423:
1424:
1425: strongswan-4.6.3
1426: ----------------
1427:
1428: - The tnc-pdp plugin implements a RADIUS server interface allowing
1429: a strongSwan TNC server to act as a Policy Decision Point.
1430:
1431: - The eap-radius authentication backend enforces Session-Timeout attributes
1432: using RFC4478 repeated authentication and acts upon RADIUS Dynamic
1433: Authorization extensions, RFC 5176. Currently supported are disconnect
1434: requests and CoA messages containing a Session-Timeout.
1435:
1436: - The eap-radius plugin can forward arbitrary RADIUS attributes from and to
1437: clients using custom IKEv2 notify payloads. The new radattr plugin reads
1438: attributes to include from files and prints received attributes to the
1439: console.
1440:
1441: - Added support for untruncated MD5 and SHA1 HMACs in ESP as used in
1442: RFC 4595.
1443:
1444: - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms
1445: as defined in RFC 4494 and RFC 4615, respectively.
1446:
1447: - The resolve plugin automatically installs nameservers via resolvconf(8),
1448: if it is installed, instead of modifying /etc/resolv.conf directly.
1449:
1450: - The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110
1451: DNSKEY and PKCS#1 file format.
1452:
1453:
1454: strongswan-4.6.2
1455: ----------------
1456:
1457: - Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
1458: which supports IF-TNCCS 2.0 long message types, the exclusive flags
1459: and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
1460: the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
1461:
1462: - Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M"
1463: standard (TLV-based messages only). TPM-based remote attestation of
1464: Linux IMA (Integrity Measurement Architecture) possible. Measurement
1465: reference values are automatically stored in an SQLite database.
1466:
1467: - The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
1468: start/stop messages containing Username, Framed-IP and Input/Output-Octets
1469: attributes and has been tested against FreeRADIUS and Microsoft NPS.
1470:
1471: - Added support for PKCS#8 encoded private keys via the libstrongswan
1472: pkcs8 plugin. This is the default format used by some OpenSSL tools since
1473: version 1.0.0 (e.g. openssl req with -keyout).
1474:
1475: - Added session resumption support to the strongSwan TLS stack.
1476:
1477:
1478: strongswan-4.6.1
1479: ----------------
1480:
1481: - Because of changing checksums before and after installation which caused
1482: the integrity tests to fail we avoided directly linking libsimaka, libtls and
1483: libtnccs to those libcharon plugins which make use of these dynamic libraries.
1484: Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu
1485: 11.10 activated the --as-needed ld option which discards explicit links
1486: to dynamic libraries that are not actually used by the charon daemon itself,
1487: thus causing failures during the loading of the plugins which depend on these
1488: libraries for resolving external symbols.
1489:
1490: - Therefore our approach of computing integrity checksums for plugins had to be
1491: changed radically by moving the hash generation from the compilation to the
1492: post-installation phase.
1493:
1494:
1495: strongswan-4.6.0
1496: ----------------
1497:
1498: - The new libstrongswan certexpire plugin collects expiration information of
1499: all used certificates and exports them to CSV files. It either directly
1500: exports them or uses cron style scheduling for batch exports.
1501:
1502: - starter passes unresolved hostnames to charon, allowing it to do name
1503: resolution not before the connection attempt. This is especially useful with
1504: connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey
1505: for the initial patch.
1506:
1507: - The android plugin can now be used without the Android frontend patch and
1508: provides DNS server registration and logging to logcat.
1509:
1510: - Pluto and starter (plus stroke and whack) have been ported to Android.
1511:
1512: - Support for ECDSA private and public key operations has been added to the
1513: pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can
1514: use tokens as random number generators (RNG). By default only private key
1515: operations are enabled, more advanced features have to be enabled by their
1516: option in strongswan.conf. This also applies to public key operations (even
1517: for keys not stored on the token) which were enabled by default before.
1518:
1519: - The libstrongswan plugin system now supports detailed plugin dependencies.
1520: Many plugins have been extended to export its capabilities and requirements.
1521: This allows the plugin loader to resolve plugin loading order automatically,
1522: and in future releases, to dynamically load the required features on demand.
1523: Existing third party plugins are source (but not binary) compatible if they
1524: properly initialize the new get_features() plugin function to NULL.
1525:
1526: - The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can deliver
1527: metadata about IKE_SAs via a SOAP interface to a MAP server. The tnc-ifmap
1528: plugin requires the Apache Axis2/C library.
1529:
1530:
1531: strongswan-4.5.3
1532: ----------------
1533:
1534: - Our private libraries (e.g. libstrongswan) are not installed directly in
1535: prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
1536: default). The plugins directory is also moved from libexec/ipsec/ to that
1537: directory.
1538:
1539: - The dynamic IMC/IMV libraries were moved from the plugins directory to
1540: a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
1541:
1542: - Job priorities were introduced to prevent thread starvation caused by too
1543: many threads handling blocking operations (such as CRL fetching). Refer to
1544: strongswan.conf(5) for details.
1545:
1546: - Two new strongswan.conf options allow to fine-tune performance on IKEv2
1547: gateways by dropping IKE_SA_INIT requests on high load.
1548:
1549: - IKEv2 charon daemon supports start PASS and DROP shunt policies
1550: preventing traffic to go through IPsec connections. Installation of the
1551: shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel
1552: interfaces.
1553:
1554: - The history of policies installed in the kernel is now tracked so that e.g.
1555: trap policies are correctly updated when reauthenticated SAs are terminated.
1556:
1557: - IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
1558: Using "netstat -l" the IMC scans open listening ports on the TNC client
1559: and sends a port list to the IMV which based on a port policy decides if
1560: the client is admitted to the network.
1561: (--enable-imc-scanner/--enable-imv-scanner).
1562:
1563: - IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
1564: (--enable-imc-test/--enable-imv-test).
1565:
1566: - The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
1567: setting, but the value defined by its own closeaction keyword. The action
1568: is triggered if the remote peer closes a CHILD_SA unexpectedly.
1569:
1570:
1571: strongswan-4.5.2
1572: ----------------
1573:
1574: - The whitelist plugin for the IKEv2 daemon maintains an in-memory identity
1575: whitelist. Any connection attempt of peers not whitelisted will get rejected.
1576: The 'ipsec whitelist' utility provides a simple command line frontend for
1577: whitelist administration.
1578:
1579: - The duplicheck plugin provides a specialized form of duplicate checking,
1580: doing a liveness check on the old SA and optionally notify a third party
1581: application about detected duplicates.
1582:
1583: - The coupling plugin permanently couples two or more devices by limiting
1584: authentication to previously used certificates.
1585:
1586: - In the case that the peer config and child config don't have the same name
1587: (usually in SQL database defined connections), ipsec up|route <peer config>
1588: starts|routes all associated child configs and ipsec up|route <child config>
1589: only starts|routes the specific child config.
1590:
1591: - fixed the encoding and parsing of X.509 certificate policy statements (CPS).
1592:
1593: - Duncan Salerno contributed the eap-sim-pcsc plugin implementing a
1594: pcsc-lite based SIM card backend.
1595:
1596: - The eap-peap plugin implements the EAP PEAP protocol. Interoperates
1597: successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
1598:
1599: - The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
1600: all plugins to reload. Currently only the eap-radius and the attr plugins
1601: support configuration reloading.
1602:
1603: - Added userland support to the IKEv2 daemon for Extended Sequence Numbers
1604: support coming with Linux 2.6.39. To enable ESN on a connection, add
1605: the 'esn' keyword to the proposal. The default proposal uses 32-bit sequence
1606: numbers only ('noesn'), and the same value is used if no ESN mode is
1607: specified. To negotiate ESN support with the peer, include both, e.g.
1608: esp=aes128-sha1-esn-noesn.
1609:
1610: - In addition to ESN, Linux 2.6.39 gained support for replay windows larger
1611: than 32 packets. The new global strongswan.conf option 'charon.replay_window'
1612: configures the size of the replay window, in packets.
1613:
1614:
1615: strongswan-4.5.1
1616: ----------------
1617:
1618: - Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP)
1619: compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol
1620: requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend
1621: on the libtnc library. Any available IMV/IMC pairs conforming to the
1622: Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification
1623: can be loaded via /etc/tnc_config.
1624:
1625: - Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
1626: in place of the external libtnc library.
1627:
1628: - The tnccs_dynamic plugin loaded on a TNC server in addition to the
1629: tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
1630: protocol version used by a TNC client and invokes an instance of
1631: the corresponding protocol stack.
1632:
1633: - IKE and ESP proposals can now be stored in an SQL database using a
1634: new proposals table. The start_action field in the child_configs
1635: tables allows the automatic starting or routing of connections stored
1636: in an SQL database.
1637:
1638: - The new certificate_authorities and certificate_distribution_points
1639: tables make it possible to store CRL and OCSP Certificate Distribution
1640: points in an SQL database.
1641:
1642: - The new 'include' statement allows to recursively include other files in
1643: strongswan.conf. Existing sections and values are thereby extended and
1644: replaced, respectively.
1645:
1646: - Due to the changes in the parser for strongswan.conf, the configuration
1647: syntax for the attr plugin has changed. Previously, it was possible to
1648: specify multiple values of a specific attribute type by adding multiple
1649: key/value pairs with the same key (e.g. dns) to the plugins.attr section.
1650: Because values with the same key now replace previously defined values
1651: this is not possible anymore. As an alternative, multiple values can be
1652: specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5).
1653:
1654: - ipsec listalgs now appends (set in square brackets) to each crypto
1655: algorithm listed the plugin that registered the function.
1656:
1657: - Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used
1658: by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given
1659: boundary, the special value '%mtu' pads all packets to the path MTU.
1660:
1661: - The new af-alg plugin can use various crypto primitives of the Linux Crypto
1662: API using the AF_ALG interface introduced with 2.6.38. This removes the need
1663: for additional userland implementations of symmetric cipher, hash, hmac and
1664: xcbc algorithms.
1665:
1666: - The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
1667: responder. The notify is sent when initiating configurations with a unique
1668: policy, set in ipsec.conf via the global 'uniqueids' option.
1669:
1670: - The conftest conformance testing framework enables the IKEv2 stack to perform
1671: many tests using a distinct tool and configuration frontend. Various hooks
1672: can alter reserved bits, flags, add custom notifies and proposals, reorder
1673: or drop messages and much more. It is enabled using the --enable-conftest
1674: ./configure switch.
1675:
1676: - The new libstrongswan constraints plugin provides advanced X.509 constraint
1677: checking. In addition to X.509 pathLen constraints, the plugin checks for
1678: nameConstraints and certificatePolicies, including policyMappings and
1679: policyConstraints. The x509 certificate plugin and the pki tool have been
1680: enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
1681: connection keywords take OIDs a peer certificate must have.
1682:
1683: - The left/rightauth ipsec.conf keywords accept values with a minimum strength
1684: for trustchain public keys in bits, such as rsa-2048 or ecdsa-256.
1685:
1686: - The revocation and x509 libstrongswan plugins and the pki tool gained basic
1687: support for delta CRLs.
1688:
1689:
1690: strongswan-4.5.0
1691: ----------------
1692:
1693: - IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
1694: from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
1695: IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
1696: come for IKEv1 to go into retirement and to cede its place to the much more
1697: robust, powerful and versatile IKEv2 protocol!
1698:
1699: - Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC
1700: and Galois/Counter Modes based on existing CBC implementations. These
1701: new plugins bring support for AES and Camellia Counter and CCM algorithms
1702: and the AES GCM algorithms for use in IKEv2.
1703:
1704: - The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and
1705: the pki utility using one or more PKCS#11 libraries. It currently supports
1706: RSA private and public key operations and loads X.509 certificates from
1707: tokens.
1708:
1709: - Implemented a general purpose TLS stack based on crypto and credential
1710: primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2,
1711: ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based
1712: client authentication.
1713:
1714: - Based on libtls, the eap-tls plugin brings certificate based EAP
1715: authentication for client and server. It is compatible to Windows 7 IKEv2
1716: Smartcard authentication and the OpenSSL based FreeRADIUS EAP-TLS backend.
1717:
1718: - Implemented the TNCCS 1.1 Trusted Network Connect protocol using the
1719: libtnc library on the strongSwan client and server side via the tnccs_11
1720: plugin and optionally connecting to a TNC@FHH-enhanced FreeRADIUS AAA server.
1721: Depending on the resulting TNC Recommendation, strongSwan clients are granted
1722: access to a network behind a strongSwan gateway (allow), are put into a
1723: remediation zone (isolate) or are blocked (none), respectively. Any number
1724: of Integrity Measurement Collector/Verifier pairs can be attached
1725: via the tnc-imc and tnc-imv charon plugins.
1726:
1727: - The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2
1728: daemon charon. As a result of this, pluto now supports xfrm marks which
1729: were introduced in charon with 4.4.1.
1730:
1731: - Applets for Maemo 5 (Nokia) allow to easily configure and control IKEv2
1732: based VPN connections with EAP authentication on supported devices.
1733:
1734: - The RADIUS plugin eap-radius now supports multiple RADIUS servers for
1735: redundant setups. Servers are selected by a defined priority, server load and
1736: availability.
1737:
1738: - The simple led plugin controls hardware LEDs through the Linux LED subsystem.
1739: It currently shows activity of the IKE daemon and is a good example how to
1740: implement a simple event listener.
1741:
1742: - Improved MOBIKE behavior in several corner cases, for instance, if the
1743: initial responder moves to a different address.
1744:
1745: - Fixed left-/rightnexthop option, which was broken since 4.4.0.
1746:
1747: - Fixed a bug not releasing a virtual IP address to a pool if the XAUTH
1748: identity was different from the IKE identity.
1749:
1750: - Fixed the alignment of ModeConfig messages on 4-byte boundaries in the
1751: case where the attributes are not a multiple of 4 bytes (e.g. Cisco's
1752: UNITY_BANNER).
1753:
1754: - Fixed the interoperability of the socket_raw and socket_default
1755: charon plugins.
1756:
1757: - Added man page for strongswan.conf
1758:
1759:
1760: strongswan-4.4.1
1761: ----------------
1762:
1763: - Support of xfrm marks in IPsec SAs and IPsec policies introduced
1764: with the Linux 2.6.34 kernel. For details see the example scenarios
1765: ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
1766:
1767: - The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used
1768: in a user-specific updown script to set marks on inbound ESP or
1769: ESP_IN_UDP packets.
1770:
1771: - The openssl plugin now supports X.509 certificate and CRL functions.
1772:
1773: - OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled
1774: by default. Please update manual load directives in strongswan.conf.
1775:
1776: - RFC3779 ipAddrBlock constraint checking has been moved to the addrblock
1777: plugin, disabled by default. Enable it and update manual load directives
1778: in strongswan.conf, if required.
1779:
1780: - The pki utility supports CRL generation using the --signcrl command.
1781:
1782: - The ipsec pki --self, --issue and --req commands now support output in
1783: PEM format using the --outform pem option.
1784:
1785: - The major refactoring of the IKEv1 Mode Config functionality now allows
1786: the transport and handling of any Mode Config attribute.
1787:
1788: - The RADIUS proxy plugin eap-radius now supports multiple servers. Configured
1789: servers are chosen randomly, with the option to prefer a specific server.
1790: Non-responding servers are degraded by the selection process.
1791:
1792: - The ipsec pool tool manages arbitrary configuration attributes stored
1793: in an SQL database. ipsec pool --help gives the details.
1794:
1795: - The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA,
1796: reading triplets/quintuplets from an SQL database.
1797:
1798: - The High Availability plugin now supports a HA enabled in-memory address
1799: pool and Node reintegration without IKE_SA rekeying. The latter allows
1800: clients without IKE_SA rekeying support to keep connected during
1801: reintegration. Additionally, many other issues have been fixed in the ha
1802: plugin.
1803:
1804: - Fixed a potential remote code execution vulnerability resulting from
1805: the misuse of snprintf(). The vulnerability is exploitable by
1806: unauthenticated users.
1807:
1808:
1809: strongswan-4.4.0
1810: ----------------
1811:
1812: - The IKEv2 High Availability plugin has been integrated. It provides
1813: load sharing and failover capabilities in a cluster of currently two nodes,
1814: based on an extend ClusterIP kernel module. More information is available at
1815: https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
1816: The development of the High Availability functionality was sponsored by
1817: secunet Security Networks AG.
1818:
1819: - Added IKEv1 and IKEv2 configuration support for the AES-GMAC
1820: authentication-only ESP cipher. Our aes_gmac kernel patch or a Linux
1821: 2.6.34 kernel is required to make AES-GMAC available via the XFRM
1822: kernel interface.
1823:
1824: - Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp, gcrypt
1825: and openssl plugins, usable by both pluto and charon. The new proposal
1826: keywords are modp1024s160, modp2048s224 and modp2048s256. Thanks to Joy Latten
1827: from IBM for his contribution.
1828:
1829: - The IKEv1 pluto daemon supports RAM-based virtual IP pools using
1830: the rightsourceip directive with a subnet from which addresses
1831: are allocated.
1832:
1833: - The ipsec pki --gen and --pub commands now allow the output of
1834: private and public keys in PEM format using the --outform pem
1835: command line option.
1836:
1837: - The new DHCP plugin queries virtual IP addresses for clients from a DHCP
1838: server using broadcasts, or a defined server using the
1839: charon.plugins.dhcp.server strongswan.conf option. DNS/WINS server information
1840: is additionally served to clients if the DHCP server provides such
1841: information. The plugin is used in ipsec.conf configurations having
1842: rightsourceip set to %dhcp.
1843:
1844: - A new plugin called farp fakes ARP responses for virtual IP addresses
1845: handed out to clients from the IKEv2 daemon charon. The plugin lets a
1846: road-warrior act as a client on the local LAN if it uses a virtual IP
1847: from the responders subnet, e.g. acquired using the DHCP plugin.
1848:
1849: - The existing IKEv2 socket implementations have been migrated to the
1850: socket-default and the socket-raw plugins. The new socket-dynamic plugin
1851: binds sockets dynamically to ports configured via the left-/rightikeport
1852: ipsec.conf connection parameters.
1853:
1854: - The android charon plugin stores received DNS server information as "net.dns"
1855: system properties, as used by the Android platform.
1856:
1857:
1858: strongswan-4.3.6
1859: ----------------
1860:
1861: - The IKEv2 daemon supports RFC 3779 IP address block constraints
1862: carried as a critical X.509v3 extension in the peer certificate.
1863:
1864: - The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
1865: server entries that are sent via the IKEv1 Mode Config or IKEv2
1866: Configuration Payload to remote clients.
1867:
1868: - The Camellia cipher can be used as an IKEv1 encryption algorithm.
1869:
1870: - The IKEv1 and IKEV2 daemons now check certificate path length constraints.
1871:
1872: - The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no traffic
1873: was sent or received within the given interval. To close the complete IKE_SA
1874: if its only CHILD_SA was inactive, set the global strongswan.conf option
1875: "charon.inactivity_close_ike" to yes.
1876:
1877: - More detailed IKEv2 EAP payload information in debug output
1878:
1879: - IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
1880:
1881: - Added required userland changes for proper SHA256 and SHA384/512 in ESP that
1882: will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
1883: configures the kernel with 128 bit truncation, not the non-standard 96
1884: bit truncation used by previous releases. To use the old 96 bit truncation
1885: scheme, the new "sha256_96" proposal keyword has been introduced.
1886:
1887: - Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This
1888: change makes IPcomp tunnel mode connections incompatible with previous
1889: releases; disable compression on such tunnels.
1890:
1891: - Fixed BEET mode connections on recent kernels by installing SAs with
1892: appropriate traffic selectors, based on a patch by Michael Rossberg.
1893:
1894: - Using extensions (such as BEET mode) and crypto algorithms (such as twofish,
1895: serpent, sha256_96) allocated in the private use space now require that we
1896: know its meaning, i.e. we are talking to strongSwan. Use the new
1897: "charon.send_vendor_id" option in strongswan.conf to let the remote peer know
1898: this is the case.
1899:
1900: - Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
1901: responder omits public key authentication in favor of a mutual authentication
1902: method. To enable EAP-only authentication, set rightauth=eap on the responder
1903: to rely only on the MSK constructed AUTH payload. This not-yet standardized
1904: extension requires the strongSwan vendor ID introduced above.
1905:
1906: - The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
1907: allowing interoperability.
1908:
1909:
1910: strongswan-4.3.5
1911: ----------------
1912:
1913: - The IKEv1 pluto daemon can now use SQL-based address pools to deal out
1914: virtual IP addresses as a Mode Config server. The pool capability has been
1915: migrated from charon's sql plugin to a new attr-sql plugin which is loaded
1916: by libstrongswan and which can be used by both daemons either with a SQLite
1917: or MySQL database and the corresponding plugin.
1918:
1919: - Plugin names have been streamlined: EAP plugins now have a dash after eap
1920: (e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option.
1921: Plugin configuration sections in strongswan.conf now use the same name as the
1922: plugin itself (i.e. with a dash). Make sure to update "load" directives and
1923: the affected plugin sections in existing strongswan.conf files.
1924:
1925: - The private/public key parsing and encoding has been split up into
1926: separate pkcs1, pgp, pem and dnskey plugins. The public key implementation
1927: plugins gmp, gcrypt and openssl can all make use of them.
1928:
1929: - The EAP-AKA plugin can use different backends for USIM/quintuplet
1930: calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software
1931: implementation has been migrated to a separate plugin.
1932:
1933: - The IKEv2 daemon charon gained basic PGP support. It can use locally installed
1934: peer certificates and can issue signatures based on RSA private keys.
1935:
1936: - The new 'ipsec pki' tool provides a set of commands to maintain a public
1937: key infrastructure. It currently supports operations to create RSA and ECDSA
1938: private/public keys, calculate fingerprints and issue or verify certificates.
1939:
1940: - Charon uses a monotonic time source for statistics and job queueing, behaving
1941: correctly if the system time changes (e.g. when using NTP).
1942:
1943: - In addition to time based rekeying, charon supports IPsec SA lifetimes based
1944: on processed volume or number of packets. They new ipsec.conf parameters
1945: 'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle
1946: SA timeouts, while the parameters 'margintime' (an alias to rekeymargin),
1947: 'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires.
1948: The existing parameter 'rekeyfuzz' affects all margins.
1949:
1950: - If no CA/Gateway certificate is specified in the NetworkManager plugin,
1951: charon uses a set of trusted root certificates preinstalled by distributions.
1952: The directory containing CA certificates can be specified using the
1953: --with-nm-ca-dir=path configure option.
1954:
1955: - Fixed the encoding of the Email relative distinguished name in left|rightid
1956: statements.
1957:
1958: - Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.
1959:
1960: - Fixed smartcard-based authentication in the pluto daemon which was broken by
1961: the ECDSA support introduced with the 4.3.2 release.
1962:
1963: - A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa
1964: tunnels established with the IKEv1 pluto daemon.
1965:
1966: - The pluto daemon now uses the libstrongswan x509 plugin for certificates and
1967: CRls and the struct id type was replaced by identification_t used by charon
1968: and the libstrongswan library.
1969:
1970:
1971: strongswan-4.3.4
1972: ----------------
1973:
1974: - IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can
1975: be found on wiki.strongswan.org.
1976:
1977: - ipsec statusall shows the number of bytes transmitted and received over
1978: ESP connections configured by the IKEv2 charon daemon.
1979:
1980: - The IKEv2 charon daemon supports include files in ipsec.secrets.
1981:
1982:
1983: strongswan-4.3.3
1984: ----------------
1985:
1986: - The configuration option --enable-integrity-test plus the strongswan.conf
1987: option libstrongswan.integrity_test = yes activate integrity tests
1988: of the IKE daemons charon and pluto, libstrongswan and all loaded
1989: plugins. Thus dynamic library misconfigurations and non-malicious file
1990: manipulations can be reliably detected.
1991:
1992: - The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
1993: IKEv1 interoperability with MS Windows using the ECP DH groups 19 and 20.
1994:
1995: - The IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP
1996: authenticated encryption algorithms.
1997:
1998: - The IKEv1 pluto daemon now supports V4 OpenPGP keys.
1999:
2000: - The RDN parser vulnerability discovered by Orange Labs research team
2001: was not completely fixed in version 4.3.2. Some more modifications
2002: had to be applied to the asn1_length() function to make it robust.
2003:
2004:
2005: strongswan-4.3.2
2006: ----------------
2007:
2008: - The new gcrypt plugin provides symmetric cipher, hasher, RNG, Diffie-Hellman
2009: and RSA crypto primitives using the LGPL licensed GNU gcrypt library.
2010:
2011: - libstrongswan features an integrated crypto selftest framework for registered
2012: algorithms. The test-vector plugin provides a first set of test vectors and
2013: allows pluto and charon to rely on tested crypto algorithms.
2014:
2015: - pluto can now use all libstrongswan plugins with the exception of x509 and xcbc.
2016: Thanks to the openssl plugin, the ECP Diffie-Hellman groups 19, 20, 21, 25, and
2017: 26 as well as ECDSA-256, ECDSA-384, and ECDSA-521 authentication can be used
2018: with IKEv1.
2019:
2020: - Applying their fuzzing tool, the Orange Labs vulnerability research team found
2021: another two DoS vulnerabilities, one in the rather old ASN.1 parser of Relative
2022: Distinguished Names (RDNs) and a second one in the conversion of ASN.1 UTCTIME
2023: and GENERALIZEDTIME strings to a time_t value.
2024:
2025:
2026: strongswan-4.3.1
2027: ----------------
2028:
2029: - The nm plugin now passes DNS/NBNS server information to NetworkManager,
2030: allowing a gateway administrator to set DNS/NBNS configuration on clients
2031: dynamically.
2032:
2033: - The nm plugin also accepts CA certificates for gateway authentication. If
2034: a CA certificate is configured, strongSwan uses the entered gateway address
2035: as its identity, requiring the gateways certificate to contain the same as
2036: subjectAltName. This allows a gateway administrator to deploy the same
2037: certificates to Windows 7 and NetworkManager clients.
2038:
2039: - The command ipsec purgeike deletes IKEv2 SAs that don't have a CHILD SA.
2040: The command ipsec down <conn>{n} deletes CHILD SA instance n of connection
2041: <conn> whereas ipsec down <conn>{*} deletes all CHILD SA instances.
2042: The command ipsec down <conn>[n] deletes IKE SA instance n of connection
2043: <conn> plus dependent CHILD SAs whereas ipsec down <conn>[*] deletes all
2044: IKE SA instances of connection <conn>.
2045:
2046: - Fixed a regression introduced in 4.3.0 where EAP authentication calculated
2047: the AUTH payload incorrectly. Further, the EAP-MSCHAPv2 MSK key derivation
2048: has been updated to be compatible with the Windows 7 Release Candidate.
2049:
2050: - Refactored installation of triggering policies. Routed policies are handled
2051: outside of IKE_SAs to keep them installed in any case. A tunnel gets
2052: established only once, even if initiation is delayed due network outages.
2053:
2054: - Improved the handling of multiple acquire signals triggered by the kernel.
2055:
2056: - Fixed two DoS vulnerabilities in the charon daemon that were discovered by
2057: fuzzing techniques: 1) Sending a malformed IKE_SA_INIT request leaved an
2058: incomplete state which caused a null pointer dereference if a subsequent
2059: CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
2060: a missing TSi or TSr payload caused a null pointer dereference because the
2061: checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
2062: developed by the Orange Labs vulnerability research team. The tool was
2063: initially written by Gabriel Campana and is now maintained by Laurent Butti.
2064:
2065: - Added support for AES counter mode in ESP in IKEv2 using the proposal
2066: keywords aes128ctr, aes192ctr and aes256ctr.
2067:
2068: - Further progress in refactoring pluto: Use of the curl and ldap plugins
2069: for fetching crls and OCSP. Use of the random plugin to get keying material
2070: from /dev/random or /dev/urandom. Use of the openssl plugin as an alternative
2071: to the aes, des, sha1, sha2, and md5 plugins. The blowfish, twofish, and
2072: serpent encryption plugins are now optional and are not enabled by default.
2073:
2074:
2075: strongswan-4.3.0
2076: ----------------
2077:
2078: - Support for the IKEv2 Multiple Authentication Exchanges extension (RFC4739).
2079: Initiators and responders can use several authentication rounds (e.g. RSA
2080: followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and
2081: leftauth2/rightauth2 parameters define own authentication rounds or setup
2082: constraints for the remote peer. See the ipsec.conf man page for more details.
2083:
2084: - If glibc printf hooks (register_printf_function) are not available,
2085: strongSwan can use the vstr string library to run on non-glibc systems.
2086:
2087: - The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC cipher
2088: (esp=camellia128|192|256).
2089:
2090: - Refactored the pluto and scepclient code to use basic functions (memory
2091: allocation, leak detective, chunk handling, printf_hooks, strongswan.conf
2092: attributes, ASN.1 parser, etc.) from the libstrongswan library.
2093:
2094: - Up to two DNS and WINS servers to be sent via IKEv1 ModeConfig can be
2095: configured in the pluto section of strongswan.conf.
2096:
2097:
2098: strongswan-4.2.14
2099: -----------------
2100:
2101: - The new server-side EAP RADIUS plugin (--enable-eap-radius)
2102: relays EAP messages to and from a RADIUS server. Successfully
2103: tested with with a freeradius server using EAP-MD5 and EAP-SIM.
2104:
2105: - A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
2106: Gerd v. Egidy <gerd.von.egidy@intra2net.com> of Intra2net AG affecting
2107: all Openswan and strongSwan releases. A malicious (or expired ISAKMP)
2108: R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet can cause the
2109: pluto IKE daemon to crash and restart. No authentication or encryption
2110: is required to trigger this bug. One spoofed UDP packet can cause the
2111: pluto IKE daemon to restart and be unresponsive for a few seconds while
2112: restarting. This DPD null state vulnerability has been officially
2113: registered as CVE-2009-0790 and is fixed by this release.
2114:
2115: - ASN.1 to time_t conversion caused a time wrap-around for
2116: dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
2117: As a workaround such dates are set to the maximum representable
2118: time, i.e. Jan 19 03:14:07 UTC 2038.
2119:
2120: - Distinguished Names containing wildcards (*) are not sent in the
2121: IDr payload anymore.
2122:
2123:
2124: strongswan-4.2.13
2125: -----------------
2126:
2127: - Fixed a use-after-free bug in the DPD timeout section of the
2128: IKEv1 pluto daemon which sporadically caused a segfault.
2129:
2130: - Fixed a crash in the IKEv2 charon daemon occurring with
2131: mixed RAM-based and SQL-based virtual IP address pools.
2132:
2133: - Fixed ASN.1 parsing of algorithmIdentifier objects where the
2134: parameters field is optional.
2135:
2136: - Ported nm plugin to NetworkManager 7.1.
2137:
2138:
2139: strongswan-4.2.12
2140: -----------------
2141:
2142: - Support of the EAP-MSCHAPv2 protocol enabled by the option
2143: --enable-eap-mschapv2. Requires the MD4 hash algorithm enabled
2144: either by --enable-md4 or --enable-openssl.
2145:
2146: - Assignment of up to two DNS and up to two WINS servers to peers via
2147: the IKEv2 Configuration Payload (CP). The IPv4 or IPv6 nameserver
2148: addresses are defined in strongswan.conf.
2149:
2150: - The strongSwan applet for the Gnome NetworkManager is now built and
2151: distributed as a separate tarball under the name NetworkManager-strongswan.
2152:
2153:
2154: strongswan-4.2.11
2155: -----------------
2156:
2157: - Fixed ESP NULL encryption broken by the refactoring of keymat.c.
2158: Also introduced proper initialization and disposal of keying material.
2159:
2160: - Fixed the missing listing of connection definitions in ipsec statusall
2161: broken by an unfortunate local variable overload.
2162:
2163:
2164: strongswan-4.2.10
2165: -----------------
2166:
2167: - Several performance improvements to handle thousands of tunnels with almost
2168: linear upscaling. All relevant data structures have been replaced by faster
2169: counterparts with better lookup times.
2170:
2171: - Better parallelization to run charon on multiple cores. Due to improved
2172: resource locking and other optimizations the daemon can take full
2173: advantage of 16 or even more cores.
2174:
2175: - The load-tester plugin can use a NULL Diffie-Hellman group and simulate
2176: unique identities and certificates by signing peer certificates using a CA
2177: on the fly.
2178:
2179: - The redesigned stroke in-memory IP pool handles leases. The "ipsec leases"
2180: command queries assigned leases.
2181:
2182: - Added support for smartcards in charon by using the ENGINE API provided by
2183: OpenSSL, based on patches by Michael Roßberg.
2184:
2185: - The Padlock plugin supports the hardware RNG found on VIA CPUs to provide a
2186: reliable source of randomness.
2187:
2188: strongswan-4.2.9
2189: ----------------
2190:
2191: - Flexible configuration of logging subsystem allowing to log to multiple
2192: syslog facilities or to files using fine-grained log levels for each target.
2193:
2194: - Load testing plugin to do stress testing of the IKEv2 daemon against self
2195: or another host. Found and fixed issues during tests in the multi-threaded
2196: use of the OpenSSL plugin.
2197:
2198: - Added profiling code to synchronization primitives to find bottlenecks if
2199: running on multiple cores. Found and fixed an issue where parts of the
2200: Diffie-Hellman calculation acquired an exclusive lock. This greatly improves
2201: parallelization to multiple cores.
2202:
2203: - updown script invocation has been separated into a plugin of its own to
2204: further slim down the daemon core.
2205:
2206: - Separated IKE_SA/CHILD_SA key derivation process into a closed system,
2207: allowing future implementations to use a secured environment in e.g. kernel
2208: memory or hardware.
2209:
2210: - The kernel interface of charon has been modularized. XFRM NETLINK (default)
2211: and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec
2212: stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS
2213: IPsec stack (--enable-kernel-klips) are provided.
2214:
2215: - Basic Mobile IPv6 support has been introduced, securing Binding Update
2216: messages as well as tunneled traffic between Mobile Node and Home Agent.
2217: The installpolicy=no option allows peaceful cooperation with a dominant
2218: mip6d daemon and the new type=transport_proxy implements the special MIPv6
2219: IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
2220: but the IPsec SA is set up for the Home Address.
2221:
2222: - Implemented migration of Mobile IPv6 connections using the KMADDRESS
2223: field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
2224: via the Linux 2.6.28 (or appropriately patched) kernel.
2225:
2226:
2227: strongswan-4.2.8
2228: ----------------
2229:
2230: - IKEv2 charon daemon supports authentication based on raw public keys
2231: stored in the SQL database backend. The ipsec listpubkeys command
2232: lists the available raw public keys via the stroke interface.
2233:
2234: - Several MOBIKE improvements: Detect changes in NAT mappings in DPD exchanges,
2235: handle events if kernel detects NAT mapping changes in UDP-encapsulated
2236: ESP packets (requires kernel patch), reuse old addresses in MOBIKE updates as
2237: long as possible and other fixes.
2238:
2239: - Fixed a bug in addr_in_subnet() which caused insertion of wrong source
2240: routes for destination subnets having netwmasks not being a multiple of 8 bits.
2241: Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
2242:
2243:
2244: strongswan-4.2.7
2245: ----------------
2246:
2247: - Fixed a Denial-of-Service vulnerability where an IKE_SA_INIT message with
2248: a KE payload containing zeroes only can cause a crash of the IKEv2 charon
2249: daemon due to a NULL pointer returned by the mpz_export() function of the
2250: GNU Multiprecision Library (GMP). Thanks go to Mu Dynamics Research Labs
2251: for making us aware of this problem.
2252:
2253: - The new agent plugin provides a private key implementation on top of an
2254: ssh-agent.
2255:
2256: - The NetworkManager plugin has been extended to support certificate client
2257: authentication using RSA keys loaded from a file or using ssh-agent.
2258:
2259: - Daemon capability dropping has been ported to libcap and must be enabled
2260: explicitly --with-capabilities=libcap. Future version will support the
2261: newer libcap2 library.
2262:
2263: - ipsec listalgs lists the IKEv2 cryptografic algorithms registered with the
2264: charon keying daemon.
2265:
2266:
2267: strongswan-4.2.6
2268: ----------------
2269:
2270: - A NetworkManager plugin allows GUI-based configuration of road-warrior
2271: clients in a simple way. It features X509 based gateway authentication
2272: and EAP client authentication, tunnel setup/teardown and storing passwords
2273: in the Gnome Keyring.
2274:
2275: - A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt and allows
2276: username/password authentication against any PAM service on the gateway.
2277: The new EAP method interacts nicely with the NetworkManager plugin and allows
2278: client authentication against e.g. LDAP.
2279:
2280: - Improved support for the EAP-Identity method. The new ipsec.conf eap_identity
2281: parameter defines an additional identity to pass to the server in EAP
2282: authentication.
2283:
2284: - The "ipsec statusall" command now lists CA restrictions, EAP
2285: authentication types and EAP identities.
2286:
2287: - Fixed two multithreading deadlocks occurring when starting up
2288: several hundred tunnels concurrently.
2289:
2290: - Fixed the --enable-integrity-test configure option which
2291: computes a SHA-1 checksum over the libstrongswan library.
2292:
2293:
2294: strongswan-4.2.5
2295: ----------------
2296:
2297: - Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
2298:
2299: - Improved the performance of the SQL-based virtual IP address pool
2300: by introducing an additional addresses table. The leases table
2301: storing only history information has become optional and can be
2302: disabled by setting charon.plugins.sql.lease_history = no in
2303: strongswan.conf.
2304:
2305: - The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
2306: and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
2307:
2308: - management of different virtual IP pools for different
2309: network interfaces have become possible.
2310:
2311: - fixed a bug which prevented the assignment of more than 256
2312: virtual IP addresses from a pool managed by an sql database.
2313:
2314: - fixed a bug which did not delete own IPCOMP SAs in the kernel.
2315:
2316:
2317: strongswan-4.2.4
2318: ----------------
2319:
2320: - Added statistics functions to ipsec pool --status and ipsec pool --leases
2321: and input validation checks to various ipsec pool commands.
2322:
2323: - ipsec statusall now lists all loaded charon plugins and displays
2324: the negotiated IKEv2 cipher suite proposals.
2325:
2326: - The openssl plugin supports the elliptic curve Diffie-Hellman groups
2327: 19, 20, 21, 25, and 26.
2328:
2329: - The openssl plugin supports ECDSA authentication using elliptic curve
2330: X.509 certificates.
2331:
2332: - Fixed a bug in stroke which caused multiple charon threads to close
2333: the file descriptors during packet transfers over the stroke socket.
2334:
2335: - ESP sequence numbers are now migrated in IPsec SA updates handled by
2336: MOBIKE. Works only with Linux kernels >= 2.6.17.
2337:
2338:
2339: strongswan-4.2.3
2340: ----------------
2341:
2342: - Fixed the strongswan.conf path configuration problem that occurred when
2343: --sysconfig was not set explicitly in ./configure.
2344:
2345: - Fixed a number of minor bugs that where discovered during the 4th
2346: IKEv2 interoperability workshop in San Antonio, TX.
2347:
2348:
2349: strongswan-4.2.2
2350: ----------------
2351:
2352: - Plugins for libstrongswan and charon can optionally be loaded according
2353: to a configuration in strongswan.conf. Most components provide a
2354: "load = " option followed by a space separated list of plugins to load.
2355: This allows e.g. the fallback from a hardware crypto accelerator to
2356: to software-based crypto plugins.
2357:
2358: - Charons SQL plugin has been extended by a virtual IP address pool.
2359: Configurations with a rightsourceip=%poolname setting query a SQLite or
2360: MySQL database for leases. The "ipsec pool" command helps in administrating
2361: the pool database. See ipsec pool --help for the available options
2362:
2363: - The Authenticated Encryption Algorithms AES-CCM-8/12/16 and AES-GCM-8/12/16
2364: for ESP are now supported starting with the Linux 2.6.25 kernel. The
2365: syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
2366:
2367:
2368: strongswan-4.2.1
2369: ----------------
2370:
2371: - Support for "Hash and URL" encoded certificate payloads has been implemented
2372: in the IKEv2 daemon charon. Using the "certuribase" option of a CA section
2373: allows to assign a base URL to all certificates issued by the specified CA.
2374: The final URL is then built by concatenating that base and the hex encoded
2375: SHA1 hash of the DER encoded certificate. Note that this feature is disabled
2376: by default and must be enabled using the option "charon.hash_and_url".
2377:
2378: - The IKEv2 daemon charon now supports the "uniqueids" option to close multiple
2379: IKE_SAs with the same peer. The option value "keep" prefers existing
2380: connection setups over new ones, where the value "replace" replaces existing
2381: connections.
2382:
2383: - The crypto factory in libstrongswan additionally supports random number
2384: generators, plugins may provide other sources of randomness. The default
2385: plugin reads raw random data from /dev/(u)random.
2386:
2387: - Extended the credential framework by a caching option to allow plugins
2388: persistent caching of fetched credentials. The "cachecrl" option has been
2389: re-implemented.
2390:
2391: - The new trustchain verification introduced in 4.2.0 has been parallelized.
2392: Threads fetching CRL or OCSP information no longer block other threads.
2393:
2394: - A new IKEv2 configuration attribute framework has been introduced allowing
2395: plugins to provide virtual IP addresses, and in the future, other
2396: configuration attribute services (e.g. DNS/WINS servers).
2397:
2398: - The stroke plugin has been extended to provide virtual IP addresses from
2399: a pool defined in ipsec.conf. The "rightsourceip" parameter now accepts
2400: address pools in CIDR notation (e.g. 10.1.1.0/24). The parameter also accepts
2401: the value "%poolname", where "poolname" identifies a pool provided by a
2402: separate plugin.
2403:
2404: - Fixed compilation on uClibc and a couple of other minor bugs.
2405:
2406: - Set DPD defaults in ipsec starter to dpd_delay=30s and dpd_timeout=150s.
2407:
2408: - The IKEv1 pluto daemon now supports the ESP encryption algorithm CAMELLIA
2409: with key lengths of 128, 192, and 256 bits, as well as the authentication
2410: algorithm AES_XCBC_MAC. Configuration example: esp=camellia192-aesxcbc.
2411:
2412:
2413: strongswan-4.2.0
2414: ----------------
2415:
2416: - libstrongswan has been modularized to attach crypto algorithms,
2417: credential implementations (keys, certificates) and fetchers dynamically
2418: through plugins. Existing code has been ported to plugins:
2419: - RSA/Diffie-Hellman implementation using the GNU Multi Precision library
2420: - X509 certificate system supporting CRLs, OCSP and attribute certificates
2421: - Multiple plugins providing crypto algorithms in software
2422: - CURL and OpenLDAP fetcher
2423:
2424: - libstrongswan gained a relational database API which uses pluggable database
2425: providers. Plugins for MySQL and SQLite are available.
2426:
2427: - The IKEv2 keying daemon charon is more extensible. Generic plugins may provide
2428: connection configuration, credentials and EAP methods or control the daemon.
2429: Existing code has been ported to plugins:
2430: - EAP-AKA, EAP-SIM, EAP-MD5 and EAP-Identity
2431: - stroke configuration, credential and control (compatible to pluto)
2432: - XML bases management protocol to control and query the daemon
2433: The following new plugins are available:
2434: - An experimental SQL configuration, credential and logging plugin on
2435: top of either MySQL or SQLite
2436: - A unit testing plugin to run tests at daemon startup
2437:
2438: - The authentication and credential framework in charon has been heavily
2439: refactored to support modular credential providers, proper
2440: CERTREQ/CERT payload exchanges and extensible authorization rules.
2441:
2442: - The framework of strongSwan Manager has evolved to the web application
2443: framework libfast (FastCGI Application Server w/ Templates) and is usable
2444: by other applications.
2445:
2446:
2447: strongswan-4.1.11
2448: -----------------
2449:
2450: - IKE rekeying in NAT situations did not inherit the NAT conditions
2451: to the rekeyed IKE_SA so that the UDP encapsulation was lost with
2452: the next CHILD_SA rekeying.
2453:
2454: - Wrong type definition of the next_payload variable in id_payload.c
2455: caused an INVALID_SYNTAX error on PowerPC platforms.
2456:
2457: - Implemented IKEv2 EAP-SIM server and client test modules that use
2458: triplets stored in a file. For details on the configuration see
2459: the scenario 'ikev2/rw-eap-sim-rsa'.
2460:
2461:
2462: strongswan-4.1.10
2463: -----------------
2464:
2465: - Fixed error in the ordering of the certinfo_t records in the ocsp cache that
2466: caused multiple entries of the same serial number to be created.
2467:
2468: - Implementation of a simple EAP-MD5 module which provides CHAP
2469: authentication. This may be interesting in conjunction with certificate
2470: based server authentication, as weak passwords can't be brute forced
2471: (in contradiction to traditional IKEv2 PSK).
2472:
2473: - A complete software based implementation of EAP-AKA, using algorithms
2474: specified in 3GPP2 (S.S0055). This implementation does not use an USIM,
2475: but reads the secrets from ipsec.secrets. Make sure to read eap_aka.h
2476: before using it.
2477:
2478: - Support for vendor specific EAP methods using Expanded EAP types. The
2479: interface to EAP modules has been slightly changed, so make sure to
2480: check the changes if you're already rolling your own modules.
2481:
2482:
2483: strongswan-4.1.9
2484: ----------------
2485:
2486: - The default _updown script now dynamically inserts and removes ip6tables
2487: firewall rules if leftfirewall=yes is set in IPv6 connections. New IPv6
2488: net-net and roadwarrior (PSK/RSA) scenarios for both IKEv1 and IKEV2 were
2489: added.
2490:
2491: - Implemented RFC4478 repeated authentication to force EAP/Virtual-IP clients
2492: to reestablish an IKE_SA within a given timeframe.
2493:
2494: - strongSwan Manager supports configuration listing, initiation and termination
2495: of IKE and CHILD_SAs.
2496:
2497: - Fixes and improvements to multithreading code.
2498:
2499: - IKEv2 plugins have been renamed to libcharon-* to avoid naming conflicts.
2500: Make sure to remove the old plugins in $libexecdir/ipsec, otherwise they get
2501: loaded twice.
2502:
2503:
2504: strongswan-4.1.8
2505: ----------------
2506:
2507: - Removed recursive pthread mutexes since uClibc doesn't support them.
2508:
2509:
2510: strongswan-4.1.7
2511: ----------------
2512:
2513: - In NAT traversal situations and multiple queued Quick Modes,
2514: those pending connections inserted by auto=start after the
2515: port floating from 500 to 4500 were erroneously deleted.
2516:
2517: - Added a "forceencaps" connection parameter to enforce UDP encapsulation
2518: to surmount restrictive firewalls. NAT detection payloads are faked to
2519: simulate a NAT situation and trick the other peer into NAT mode (IKEv2 only).
2520:
2521: - Preview of strongSwan Manager, a web based configuration and monitoring
2522: application. It uses a new XML control interface to query the IKEv2 daemon
2523: (see https://wiki.strongswan.org/wiki/Manager).
2524:
2525: - Experimental SQLite configuration backend which will provide the configuration
2526: interface for strongSwan Manager in future releases.
2527:
2528: - Further improvements to MOBIKE support.
2529:
2530:
2531: strongswan-4.1.6
2532: ----------------
2533:
2534: - Since some third party IKEv2 implementations run into
2535: problems with strongSwan announcing MOBIKE capability per
2536: default, MOBIKE can be disabled on a per-connection-basis
2537: using the mobike=no option. Whereas mobike=no disables the
2538: sending of the MOBIKE_SUPPORTED notification and the floating
2539: to UDP port 4500 with the IKE_AUTH request even if no NAT
2540: situation has been detected, strongSwan will still support
2541: MOBIKE acting as a responder.
2542:
2543: - the default ipsec routing table plus its corresponding priority
2544: used for inserting source routes has been changed from 100 to 220.
2545: It can be configured using the --with-ipsec-routing-table and
2546: --with-ipsec-routing-table-prio options.
2547:
2548: - the --enable-integrity-test configure option tests the
2549: integrity of the libstrongswan crypto code during the charon
2550: startup.
2551:
2552: - the --disable-xauth-vid configure option disables the sending
2553: of the XAUTH vendor ID. This can be used as a workaround when
2554: interoperating with some Windows VPN clients that get into
2555: trouble upon reception of an XAUTH VID without eXtended
2556: AUTHentication having been configured.
2557:
2558: - ipsec stroke now supports the rereadsecrets, rereadaacerts,
2559: rereadacerts, and listacerts options.
2560:
2561:
2562: strongswan-4.1.5
2563: ----------------
2564:
2565: - If a DNS lookup failure occurs when resolving right=%<FQDN>
2566: or right=<FQDN> combined with rightallowany=yes then the
2567: connection is not updated by ipsec starter thus preventing
2568: the disruption of an active IPsec connection. Only if the DNS
2569: lookup successfully returns with a changed IP address the
2570: corresponding connection definition is updated.
2571:
2572: - Routes installed by the keying daemons are now in a separate
2573: routing table with the ID 100 to avoid conflicts with the main
2574: table. Route lookup for IKEv2 traffic is done in userspace to ignore
2575: routes installed for IPsec, as IKE traffic shouldn't get encapsulated.
2576:
2577:
2578: strongswan-4.1.4
2579: ----------------
2580:
2581: - The pluto IKEv1 daemon now exhibits the same behaviour as its
2582: IKEv2 companion charon by inserting an explicit route via the
2583: _updown script only if a sourceip exists. This is admissible
2584: since routing through the IPsec tunnel is handled automatically
2585: by NETKEY's IPsec policies. As a consequence the left|rightnexthop
2586: parameter is not required any more.
2587:
2588: - The new IKEv1 parameter right|leftallowany parameters helps to handle
2589: the case where both peers possess dynamic IP addresses that are
2590: usually resolved using DynDNS or a similar service. The configuration
2591:
2592: right=peer.foo.bar
2593: rightallowany=yes
2594:
2595: can be used by the initiator to start up a connection to a peer
2596: by resolving peer.foo.bar into the currently allocated IP address.
2597: Thanks to the rightallowany flag the connection behaves later on
2598: as
2599:
2600: right=%any
2601:
2602: so that the peer can rekey the connection as an initiator when his
2603: IP address changes. An alternative notation is
2604:
2605: right=%peer.foo.bar
2606:
2607: which will implicitly set rightallowany=yes.
2608:
2609: - ipsec starter now fails more gracefully in the presence of parsing
2610: errors. Flawed ca and conn section are discarded and pluto is started
2611: if non-fatal errors only were encountered. If right=%peer.foo.bar
2612: cannot be resolved by DNS then right=%any will be used so that passive
2613: connections as a responder are still possible.
2614:
2615: - The new pkcs11initargs parameter that can be placed in the
2616: setup config section of /etc/ipsec.conf allows the definition
2617: of an argument string that is used with the PKCS#11 C_Initialize()
2618: function. This non-standard feature is required by the NSS softoken
2619: library. This patch was contributed by Robert Varga.
2620:
2621: - Fixed a bug in ipsec starter introduced by strongswan-2.8.5
2622: which caused a segmentation fault in the presence of unknown
2623: or misspelt keywords in ipsec.conf. This bug fix was contributed
2624: by Robert Varga.
2625:
2626: - Partial support for MOBIKE in IKEv2. The initiator acts on interface/
2627: address configuration changes and updates IKE and IPsec SAs dynamically.
2628:
2629:
2630: strongswan-4.1.3
2631: ----------------
2632:
2633: - IKEv2 peer configuration selection now can be based on a given
2634: certification authority using the rightca= statement.
2635:
2636: - IKEv2 authentication based on RSA signatures now can handle multiple
2637: certificates issued for a given peer ID. This allows a smooth transition
2638: in the case of a peer certificate renewal.
2639:
2640: - IKEv2: Support for requesting a specific virtual IP using leftsourceip on the
2641: client and returning requested virtual IPs using rightsourceip=%config
2642: on the server. If the server does not support configuration payloads, the
2643: client enforces its leftsourceip parameter.
2644:
2645: - The ./configure options --with-uid/--with-gid allow pluto and charon
2646: to drop their privileges to a minimum and change to an other UID/GID. This
2647: improves the systems security, as a possible intruder may only get the
2648: CAP_NET_ADMIN capability.
2649:
2650: - Further modularization of charon: Pluggable control interface and
2651: configuration backend modules provide extensibility. The control interface
2652: for stroke is included, and further interfaces using DBUS (NetworkManager)
2653: or XML are on the way. A backend for storing configurations in the daemon
2654: is provided and more advanced backends (using e.g. a database) are trivial
2655: to implement.
2656:
2657: - Fixed a compilation failure in libfreeswan occurring with Linux kernel
2658: headers > 2.6.17.
2659:
2660:
2661: strongswan-4.1.2
2662: ----------------
2663:
2664: - Support for an additional Diffie-Hellman exchange when creating/rekeying
2665: a CHILD_SA in IKEv2 (PFS). PFS is enabled when the proposal contains a
2666: DH group (e.g. "esp=aes128-sha1-modp1536"). Further, DH group negotiation
2667: is implemented properly for rekeying.
2668:
2669: - Support for the AES-XCBC-96 MAC algorithm for IPsec SAs when using IKEv2
2670: (requires linux >= 2.6.20). It is enabled using e.g. "esp=aes256-aesxcbc".
2671:
2672: - Working IPv4-in-IPv6 and IPv6-in-IPv4 tunnels for linux >= 2.6.21.
2673:
2674: - Added support for EAP modules which do not establish an MSK.
2675:
2676: - Removed the dependencies from the /usr/include/linux/ headers by
2677: including xfrm.h, ipsec.h, and pfkeyv2.h in the distribution.
2678:
2679: - crlNumber is now listed by ipsec listcrls
2680:
2681: - The xauth_modules.verify_secret() function now passes the
2682: connection name.
2683:
2684:
2685: strongswan-4.1.1
2686: ----------------
2687:
2688: - Server side cookie support. If to may IKE_SAs are in CONNECTING state,
2689: cookies are enabled and protect against DoS attacks with faked source
2690: addresses. Number of IKE_SAs in CONNECTING state is also limited per
2691: peer address to avoid resource exhaustion. IKE_SA_INIT messages are
2692: compared to properly detect retransmissions and incoming retransmits are
2693: detected even if the IKE_SA is blocked (e.g. doing OCSP fetches).
2694:
2695: - The IKEv2 daemon charon now supports dynamic http- and ldap-based CRL
2696: fetching enabled by crlcheckinterval > 0 and caching fetched CRLs
2697: enabled by cachecrls=yes.
2698:
2699: - Added the configuration options --enable-nat-transport which enables
2700: the potentially insecure NAT traversal for IPsec transport mode and
2701: --disable-vendor-id which disables the sending of the strongSwan
2702: vendor ID.
2703:
2704: - Fixed a long-standing bug in the pluto IKEv1 daemon which caused
2705: a segmentation fault if a malformed payload was detected in the
2706: IKE MR2 message and pluto tried to send an encrypted notification
2707: message.
2708:
2709: - Added the NATT_IETF_02_N Vendor ID in order to support IKEv1 connections
2710: with Windows 2003 Server which uses a wrong VID hash.
2711:
2712:
2713: strongswan-4.1.0
2714: ----------------
2715:
2716: - Support of SHA2_384 hash function for protecting IKEv1
2717: negotiations and support of SHA2 signatures in X.509 certificates.
2718:
2719: - Fixed a serious bug in the computation of the SHA2-512 HMAC
2720: function. Introduced automatic self-test of all IKEv1 hash
2721: and hmac functions during pluto startup. Failure of a self-test
2722: currently issues a warning only but does not exit pluto [yet].
2723:
2724: - Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2.
2725:
2726: - Full support of CA information sections. ipsec listcainfos
2727: now shows all collected crlDistributionPoints and OCSP
2728: accessLocations.
2729:
2730: - Support of the Online Certificate Status Protocol (OCSP) for IKEv2.
2731: This feature requires the HTTP fetching capabilities of the libcurl
2732: library which must be enabled by setting the --enable-http configure
2733: option.
2734:
2735: - Refactored core of the IKEv2 message processing code, allowing better
2736: code reuse and separation.
2737:
2738: - Virtual IP support in IKEv2 using INTERNAL_IP4/6_ADDRESS configuration
2739: payload. Additionally, the INTERNAL_IP4/6_DNS attribute is interpreted
2740: by the requestor and installed in a resolv.conf file.
2741:
2742: - The IKEv2 daemon charon installs a route for each IPsec policy to use
2743: the correct source address even if an application does not explicitly
2744: specify it.
2745:
2746: - Integrated the EAP framework into charon which loads pluggable EAP library
2747: modules. The ipsec.conf parameter authby=eap initiates EAP authentication
2748: on the client side, while the "eap" parameter on the server side defines
2749: the EAP method to use for client authentication.
2750: A generic client side EAP-Identity module and an EAP-SIM authentication
2751: module using a third party card reader implementation are included.
2752:
2753: - Added client side support for cookies.
2754:
2755: - Integrated the fixes done at the IKEv2 interoperability bakeoff, including
2756: strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor
2757: fixes to enhance interoperability with other implementations.
2758:
2759:
2760: strongswan-4.0.7
2761: ----------------
2762:
2763: - strongSwan now interoperates with the NCP Secure Entry Client,
2764: the Shrew Soft VPN Client, and the Cisco VPN client, doing both
2765: XAUTH and Mode Config.
2766:
2767: - UNITY attributes are now recognized and UNITY_BANNER is set
2768: to a default string.
2769:
2770:
2771: strongswan-4.0.6
2772: ----------------
2773:
2774: - IKEv1: Support for extended authentication (XAUTH) in combination
2775: with ISAKMP Main Mode RSA or PSK authentication. Both client and
2776: server side were implemented. Handling of user credentials can
2777: be done by a run-time loadable XAUTH module. By default user
2778: credentials are stored in ipsec.secrets.
2779:
2780: - IKEv2: Support for reauthentication when rekeying
2781:
2782: - IKEv2: Support for transport mode
2783:
2784: - fixed a lot of bugs related to byte order
2785:
2786: - various other bugfixes
2787:
2788:
2789: strongswan-4.0.5
2790: ----------------
2791:
2792: - IKEv1: Implementation of ModeConfig push mode via the new connection
2793: keyword modeconfig=push allows interoperability with Cisco VPN gateways.
2794:
2795: - IKEv1: The command ipsec statusall now shows "DPD active" for all
2796: ISAKMP SAs that are under active Dead Peer Detection control.
2797:
2798: - IKEv2: Charon's logging and debugging framework has been completely rewritten.
2799: Instead of logger, special printf() functions are used to directly
2800: print objects like hosts (%H) identifications (%D), certificates (%Q),
2801: etc. The number of debugging levels have been reduced to:
2802:
2803: 0 (audit), 1 (control), 2 (controlmore), 3 (raw), 4 (private)
2804:
2805: The debugging levels can either be specified statically in ipsec.conf as
2806:
2807: config setup
2808: charondebug="lib 1, cfg 3, net 2"
2809:
2810: or changed at runtime via stroke as
2811:
2812: ipsec stroke loglevel cfg 2
2813:
2814:
2815: strongswan-4.0.4
2816: ----------------
2817:
2818: - Implemented full support for IPv6-in-IPv6 tunnels.
2819:
2820: - Added configuration options for dead peer detection in IKEv2. dpd_action
2821: types "clear", "hold" and "restart" are supported. The dpd_timeout
2822: value is not used, as the normal retransmission policy applies to
2823: detect dead peers. The dpd_delay parameter enables sending of empty
2824: informational message to detect dead peers in case of inactivity.
2825:
2826: - Added support for preshared keys in IKEv2. PSK keys configured in
2827: ipsec.secrets are loaded. The authby parameter specifies the authentication
2828: method to authenticate ourself, the other peer may use PSK or RSA.
2829:
2830: - Changed retransmission policy to respect the keyingtries parameter.
2831:
2832: - Added private key decryption. PEM keys encrypted with AES-128/192/256
2833: or 3DES are supported.
2834:
2835: - Implemented DES/3DES algorithms in libstrongswan. 3DES can be used to
2836: encrypt IKE traffic.
2837:
2838: - Implemented SHA-256/384/512 in libstrongswan, allows usage of certificates
2839: signed with such a hash algorithm.
2840:
2841: - Added initial support for updown scripts. The actions up-host/client and
2842: down-host/client are executed. The leftfirewall=yes parameter
2843: uses the default updown script to insert dynamic firewall rules, a custom
2844: updown script may be specified with the leftupdown parameter.
2845:
2846:
2847: strongswan-4.0.3
2848: ----------------
2849:
2850: - Added support for the auto=route ipsec.conf parameter and the
2851: ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and
2852: CHILD_SAs dynamically on demand when traffic is detected by the
2853: kernel.
2854:
2855: - Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter.
2856: As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only
2857: new keys are generated using perfect forward secrecy. An optional flag
2858: which enforces reauthentication will be implemented later.
2859:
2860: - "sha" and "sha1" are now treated as synonyms in the ike= and esp=
2861: algorithm configuration statements.
2862:
2863:
2864: strongswan-4.0.2
2865: ----------------
2866:
2867: - Full X.509 certificate trust chain verification has been implemented.
2868: End entity certificates can be exchanged via CERT payloads. The current
2869: default is leftsendcert=always, since CERTREQ payloads are not supported
2870: yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls.
2871:
2872: - Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2
2873: would offer more possibilities for traffic selection, but the Linux kernel
2874: currently does not support it. That's why we stick with these simple
2875: ipsec.conf rules for now.
2876:
2877: - Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
2878: IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
2879: dpddelay=60s).
2880:
2881: - Initial NAT traversal support in IKEv2. Charon includes NAT detection
2882: notify payloads to detect NAT routers between the peers. It switches
2883: to port 4500, uses UDP encapsulated ESP packets, handles peer address
2884: changes gracefully and sends keep alive message periodically.
2885:
2886: - Reimplemented IKE_SA state machine for charon, which allows simultaneous
2887: rekeying, more shared code, cleaner design, proper retransmission
2888: and a more extensible code base.
2889:
2890: - The mixed PSK/RSA roadwarrior detection capability introduced by the
2891: strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal
2892: payloads by the responder right before any defined IKE Main Mode state had
2893: been established. Although any form of bad proposal syntax was being correctly
2894: detected by the payload parser, the subsequent error handler didn't check
2895: the state pointer before logging current state information, causing an
2896: immediate crash of the pluto keying daemon due to a NULL pointer.
2897:
2898:
2899: strongswan-4.0.1
2900: ----------------
2901:
2902: - Added algorithm selection to charon: New default algorithms for
2903: ike=aes128-sha-modp2048, as both daemons support it. The default
2904: for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles
2905: the ike/esp parameter the same way as pluto. As this syntax does
2906: not allow specification of a pseudo random function, the same
2907: algorithm as for integrity is used (currently sha/md5). Supported
2908: algorithms for IKE:
2909: Encryption: aes128, aes192, aes256
2910: Integrity/PRF: md5, sha (using hmac)
2911: DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192
2912: and for ESP:
2913: Encryption: aes128, aes192, aes256, 3des, blowfish128,
2914: blowfish192, blowfish256
2915: Integrity: md5, sha1
2916: More IKE encryption algorithms will come after porting libcrypto into
2917: libstrongswan.
2918:
2919: - initial support for rekeying CHILD_SAs using IKEv2. Currently no
2920: perfect forward secrecy is used. The rekeying parameters rekey,
2921: rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported
2922: when using IKEv2. WARNING: charon currently is unable to handle
2923: simultaneous rekeying. To avoid such a situation, use a large
2924: rekeyfuzz, or even better, set rekey=no on one peer.
2925:
2926: - support for host2host, net2net, host2net (roadwarrior) tunnels
2927: using predefined RSA certificates (see uml scenarios for
2928: configuration examples).
2929:
2930: - new build environment featuring autotools. Features such
2931: as HTTP, LDAP and smartcard support may be enabled using
2932: the ./configure script. Changing install directories
2933: is possible, too. See ./configure --help for more details.
2934:
2935: - better integration of charon with ipsec starter, which allows
2936: (almost) transparent operation with both daemons. charon
2937: handles ipsec commands up, down, status, statusall, listall,
2938: listcerts and allows proper load, reload and delete of connections
2939: via ipsec starter.
2940:
2941:
2942: strongswan-4.0.0
2943: ----------------
2944:
2945: - initial support of the IKEv2 protocol. Connections in
2946: ipsec.conf designated by keyexchange=ikev2 are negotiated
2947: by the new IKEv2 charon keying daemon whereas those marked
2948: by keyexchange=ikev1 or the default keyexchange=ike are
2949: handled thy the IKEv1 pluto keying daemon. Currently only
2950: a limited subset of functions are available with IKEv2
2951: (Default AES encryption, authentication based on locally
2952: imported X.509 certificates, unencrypted private RSA keys
2953: in PKCS#1 file format, limited functionality of the ipsec
2954: status command).
2955:
2956:
2957: strongswan-2.7.0
2958: ----------------
2959:
2960: - the dynamic iptables rules from the _updown_x509 template
2961: for KLIPS and the _updown_policy template for NETKEY have
2962: been merged into the default _updown script. The existing
2963: left|rightfirewall keyword causes the automatic insertion
2964: and deletion of ACCEPT rules for tunneled traffic upon
2965: the successful setup and teardown of an IPsec SA, respectively.
2966: left|rightfirewall can be used with KLIPS under any Linux 2.4
2967: kernel or with NETKEY under a Linux kernel version >= 2.6.16
2968: in conjunction with iptables >= 1.3.5. For NETKEY under a Linux
2969: kernel version < 2.6.16 which does not support IPsec policy
2970: matching yet, please continue to use a copy of the _updown_espmark
2971: template loaded via the left|rightupdown keyword.
2972:
2973: - a new left|righthostaccess keyword has been introduced which
2974: can be used in conjunction with left|rightfirewall and the
2975: default _updown script. By default leftfirewall=yes inserts
2976: a bi-directional iptables FORWARD rule for a local client network
2977: with a netmask different from 255.255.255.255 (single host).
2978: This does not allow to access the VPN gateway host via its
2979: internal network interface which is part of the client subnet
2980: because an iptables INPUT and OUTPUT rule would be required.
2981: lefthostaccess=yes will cause this additional ACCEPT rules to
2982: be inserted.
2983:
2984: - mixed PSK|RSA roadwarriors are now supported. The ISAKMP proposal
2985: payload is preparsed in order to find out whether the roadwarrior
2986: requests PSK or RSA so that a matching connection candidate can
2987: be found.
2988:
2989:
2990: strongswan-2.6.4
2991: ----------------
2992:
2993: - the new _updown_policy template allows ipsec policy based
2994: iptables firewall rules. Required are iptables version
2995: >= 1.3.5 and linux kernel >= 2.6.16. This script obsoletes
2996: the _updown_espmark template, so that no INPUT mangle rules
2997: are required any more.
2998:
2999: - added support of DPD restart mode
3000:
3001: - ipsec starter now allows the use of wildcards in include
3002: statements as e.g. in "include /etc/my_ipsec/*.conf".
3003: Patch courtesy of Matthias Haas.
3004:
3005: - the Netscape OID 'employeeNumber' is now recognized and can be
3006: used as a Relative Distinguished Name in certificates.
3007:
3008:
3009: strongswan-2.6.3
3010: ----------------
3011:
3012: - /etc/init.d/ipsec or /etc/rc.d/ipsec is now a copy of the ipsec
3013: command and not of ipsec setup any more.
3014:
3015: - ipsec starter now supports AH authentication in conjunction with
3016: ESP encryption. AH authentication is configured in ipsec.conf
3017: via the auth=ah parameter.
3018:
3019: - The command ipsec scencrypt|scdecrypt <args> is now an alias for
3020: ipsec whack --scencrypt|scdecrypt <args>.
3021:
3022: - get_sa_info() now determines for the native netkey IPsec stack
3023: the exact time of the last use of an active eroute. This information
3024: is used by the Dead Peer Detection algorithm and is also displayed by
3025: the ipsec status command.
3026:
3027:
3028: strongswan-2.6.2
3029: ----------------
3030:
3031: - running under the native Linux 2.6 IPsec stack, the function
3032: get_sa_info() is called by ipsec auto --status to display the current
3033: number of transmitted bytes per IPsec SA.
3034:
3035: - get_sa_info() is also used by the Dead Peer Detection process to detect
3036: recent ESP activity. If ESP traffic was received from the peer within
3037: the last dpd_delay interval then no R_Y_THERE notification must be sent.
3038:
3039: - strongSwan now supports the Relative Distinguished Name "unstructuredName"
3040: in ID_DER_ASN1_DN identities. The following notations are possible:
3041:
3042: rightid="unstructuredName=John Doe"
3043: rightid="UN=John Doe"
3044:
3045: - fixed a long-standing bug which caused PSK-based roadwarrior connections
3046: to segfault in the function id.c:same_id() called by keys.c:get_secret()
3047: if an FQDN, USER_FQDN, or Key ID was defined, as in the following example.
3048:
3049: conn rw
3050: right=%any
3051: rightid=@foo.bar
3052: authby=secret
3053:
3054: - the ipsec command now supports most ipsec auto commands (e.g. ipsec listall).
3055:
3056: - ipsec starter didn't set host_addr and client.addr ports in whack msg.
3057:
3058: - in order to guarantee backwards-compatibility with the script-based
3059: auto function (e.g. auto --replace), the ipsec starter scripts stores
3060: the defaultroute information in the temporary file /var/run/ipsec.info.
3061:
3062: - The compile-time option USE_XAUTH_VID enables the sending of the XAUTH
3063: Vendor ID which is expected by Cisco PIX 7 boxes that act as IKE Mode Config
3064: servers.
3065:
3066: - the ipsec starter now also recognizes the parameters authby=never and
3067: type=passthrough|pass|drop|reject.
3068:
3069:
3070: strongswan-2.6.1
3071: ----------------
3072:
3073: - ipsec starter now supports the also parameter which allows
3074: a modular structure of the connection definitions. Thus
3075: "ipsec start" is now ready to replace "ipsec setup".
3076:
3077:
3078: strongswan-2.6.0
3079: ----------------
3080:
3081: - Mathieu Lafon's popular ipsec starter tool has been added to the
3082: strongSwan distribution. Many thanks go to Stephan Scholz from astaro
3083: for his integration work. ipsec starter is a C program which is going
3084: to replace the various shell and awk starter scripts (setup, _plutoload,
3085: _plutostart, _realsetup, _startklips, _confread, and auto). Since
3086: ipsec.conf is now parsed only once, the starting of multiple tunnels is
3087: accelerated tremendously.
3088:
3089: - Added support of %defaultroute to the ipsec starter. If the IP address
3090: changes, a HUP signal to the ipsec starter will automatically
3091: reload pluto's connections.
3092:
3093: - moved most compile time configurations from pluto/Makefile to
3094: Makefile.inc by defining the options USE_LIBCURL, USE_LDAP,
3095: USE_SMARTCARD, and USE_NAT_TRAVERSAL_TRANSPORT_MODE.
3096:
3097: - removed the ipsec verify and ipsec newhostkey commands
3098:
3099: - fixed some 64-bit issues in formatted print statements
3100:
3101: - The scepclient functionality implementing the Simple Certificate
3102: Enrollment Protocol (SCEP) is nearly complete but hasn't been
3103: documented yet.
3104:
3105:
3106: strongswan-2.5.7
3107: ----------------
3108:
3109: - CA certificates are now automatically loaded from a smartcard
3110: or USB crypto token and appear in the ipsec auto --listcacerts
3111: listing.
3112:
3113:
3114: strongswan-2.5.6
3115: ----------------
3116:
3117: - when using "ipsec whack --scencrypt <data>" with a PKCS#11
3118: library that does not support the C_Encrypt() Cryptoki
3119: function (e.g. OpenSC), the RSA encryption is done in
3120: software using the public key fetched from the smartcard.
3121:
3122: - The scepclient function now allows to define the
3123: validity of a self-signed certificate using the --days,
3124: --startdate, and --enddate options. The default validity
3125: has been changed from one year to five years.
3126:
3127:
3128: strongswan-2.5.5
3129: ----------------
3130:
3131: - the config setup parameter pkcs11proxy=yes opens pluto's PKCS#11
3132: interface to other applications for RSA encryption and decryption
3133: via the whack interface. Notation:
3134:
3135: ipsec whack --scencrypt <data>
3136: [--inbase 16|hex|64|base64|256|text|ascii]
3137: [--outbase 16|hex|64|base64|256|text|ascii]
3138: [--keyid <keyid>]
3139:
3140: ipsec whack --scdecrypt <data>
3141: [--inbase 16|hex|64|base64|256|text|ascii]
3142: [--outbase 16|hex|64|base64|256|text|ascii]
3143: [--keyid <keyid>]
3144:
3145: The default setting for inbase and outbase is hex.
3146:
3147: The new proxy interface can be used for securing symmetric
3148: encryption keys required by the cryptoloop or dm-crypt
3149: disk encryption schemes, especially in the case when
3150: pkcs11keepstate=yes causes pluto to lock the pkcs11 slot
3151: permanently.
3152:
3153: - if the file /etc/ipsec.secrets is lacking during the startup of
3154: pluto then the root-readable file /etc/ipsec.d/private/myKey.der
3155: containing a 2048 bit RSA private key and a matching self-signed
3156: certificate stored in the file /etc/ipsec.d/certs/selfCert.der
3157: is automatically generated by calling the function
3158:
3159: ipsec scepclient --out pkcs1 --out cert-self
3160:
3161: scepclient was written by Jan Hutter and Martin Willi, students
3162: at the University of Applied Sciences in Rapperswil, Switzerland.
3163:
3164:
3165: strongswan-2.5.4
3166: ----------------
3167:
3168: - the current extension of the PKCS#7 framework introduced
3169: a parsing error in PKCS#7 wrapped X.509 certificates that are
3170: e.g. transmitted by Windows XP when multi-level CAs are used.
3171: the parsing syntax has been fixed.
3172:
3173: - added a patch by Gerald Richter which tolerates multiple occurrences
3174: of the ipsec0 interface when using KLIPS.
3175:
3176:
3177: strongswan-2.5.3
3178: ----------------
3179:
3180: - with gawk-3.1.4 the word "default2 has become a protected
3181: keyword for use in switch statements and cannot be used any
3182: more in the strongSwan scripts. This problem has been
3183: solved by renaming "default" to "defaults" and "setdefault"
3184: in the scripts _confread and auto, respectively.
3185:
3186: - introduced the parameter leftsendcert with the values
3187:
3188: always|yes (the default, always send a cert)
3189: ifasked (send the cert only upon a cert request)
3190: never|no (never send a cert, used for raw RSA keys and
3191: self-signed certs)
3192:
3193: - fixed the initialization of the ESP key length to a default of
3194: 128 bits in the case that the peer does not send a key length
3195: attribute for AES encryption.
3196:
3197: - applied Herbert Xu's uniqueIDs patch
3198:
3199: - applied Herbert Xu's CLOEXEC patches
3200:
3201:
3202: strongswan-2.5.2
3203: ----------------
3204:
3205: - CRLs can now be cached also in the case when the issuer's
3206: certificate does not contain a subjectKeyIdentifier field.
3207: In that case the subjectKeyIdentifier is computed by pluto as the
3208: 160 bit SHA-1 hash of the issuer's public key in compliance
3209: with section 4.2.1.2 of RFC 3280.
3210:
3211: - Fixed a bug introduced by strongswan-2.5.1 which eliminated
3212: not only multiple Quick Modes of a given connection but also
3213: multiple connections between two security gateways.
3214:
3215:
3216: strongswan-2.5.1
3217: ----------------
3218:
3219: - Under the native IPsec of the Linux 2.6 kernel, a %trap eroute
3220: installed either by setting auto=route in ipsec.conf or by
3221: a connection put into hold, generates an XFRM_ACQUIRE event
3222: for each packet that wants to use the not-yet existing
3223: tunnel. Up to now each XFRM_ACQUIRE event led to an entry in
3224: the Quick Mode queue, causing multiple IPsec SA to be
3225: established in rapid succession. Starting with strongswan-2.5.1
3226: only a single IPsec SA is established per host-pair connection.
3227:
3228: - Right after loading the PKCS#11 module, all smartcard slots are
3229: searched for certificates. The result can be viewed using
3230: the command
3231:
3232: ipsec auto --listcards
3233:
3234: The certificate objects found in the slots are numbered
3235: starting with #1, #2, etc. This position number can be used to address
3236: certificates (leftcert=%smartcard) and keys (: PIN %smartcard)
3237: in ipsec.conf and ipsec.secrets, respectively:
3238:
3239: %smartcard (selects object #1)
3240: %smartcard#1 (selects object #1)
3241: %smartcard#3 (selects object #3)
3242:
3243: As an alternative the existing retrieval scheme can be used:
3244:
3245: %smartcard:45 (selects object with id=45)
3246: %smartcard0 (selects first object in slot 0)
3247: %smartcard4:45 (selects object in slot 4 with id=45)
3248:
3249: - Depending on the settings of CKA_SIGN and CKA_DECRYPT
3250: private key flags either C_Sign() or C_Decrypt() is used
3251: to generate a signature.
3252:
3253: - The output buffer length parameter siglen in C_Sign()
3254: is now initialized to the actual size of the output
3255: buffer prior to the function call. This fixes the
3256: CKR_BUFFER_TOO_SMALL error that could occur when using
3257: the OpenSC PKCS#11 module.
3258:
3259: - Changed the initialization of the PKCS#11 CK_MECHANISM in
3260: C_SignInit() to mech = { CKM_RSA_PKCS, NULL_PTR, 0 }.
3261:
3262: - Refactored the RSA public/private key code and transferred it
3263: from keys.c to the new pkcs1.c file as a preparatory step
3264: towards the release of the SCEP client.
3265:
3266:
3267: strongswan-2.5.0
3268: ----------------
3269:
3270: - The loading of a PKCS#11 smartcard library module during
3271: runtime does not require OpenSC library functions any more
3272: because the corresponding code has been integrated into
3273: smartcard.c. Also the RSAREF pkcs11 header files have been
3274: included in a newly created pluto/rsaref directory so that
3275: no external include path has to be defined any longer.
3276:
3277: - A long-awaited feature has been implemented at last:
3278: The local caching of CRLs fetched via HTTP or LDAP, activated
3279: by the parameter cachecrls=yes in the config setup section
3280: of ipsec.conf. The dynamically fetched CRLs are stored under
3281: a unique file name containing the issuer's subjectKeyID
3282: in /etc/ipsec.d/crls.
3283:
3284: - Applied a one-line patch courtesy of Michael Richardson
3285: from the Openswan project which fixes the kernel-oops
3286: in KLIPS when an snmp daemon is running on the same box.
3287:
3288:
3289: strongswan-2.4.4
3290: ----------------
3291:
3292: - Eliminated null length CRL distribution point strings.
3293:
3294: - Fixed a trust path evaluation bug introduced with 2.4.3
3295:
3296:
3297: strongswan-2.4.3
3298: ----------------
3299:
3300: - Improved the joint OCSP / CRL revocation policy.
3301: OCSP responses have precedence over CRL entries.
3302:
3303: - Introduced support of CRLv2 reason codes.
3304:
3305: - Fixed a bug with key-pad equipped readers which caused
3306: pluto to prompt for the pin via the console when the first
3307: occasion to enter the pin via the key-pad was missed.
3308:
3309: - When pluto is built with LDAP_V3 enabled, the library
3310: liblber required by newer versions of openldap is now
3311: included.
3312:
3313:
3314: strongswan-2.4.2
3315: ----------------
3316:
3317: - Added the _updown_espmark template which requires all
3318: incoming ESP traffic to be marked with a default mark
3319: value of 50.
3320:
3321: - Introduced the pkcs11keepstate parameter in the config setup
3322: section of ipsec.conf. With pkcs11keepstate=yes the PKCS#11
3323: session and login states are kept as long as possible during
3324: the lifetime of pluto. This means that a PIN entry via a key
3325: pad has to be done only once.
3326:
3327: - Introduced the pkcs11module parameter in the config setup
3328: section of ipsec.conf which specifies the PKCS#11 module
3329: to be used with smart cards. Example:
3330:
3331: pkcs11module=/usr/lib/pkcs11/opensc-pkcs11.lo
3332:
3333: - Added support of smartcard readers equipped with a PIN pad.
3334:
3335: - Added patch by Jay Pfeifer which detects when netkey
3336: modules have been statically built into the Linux 2.6 kernel.
3337:
3338: - Added two patches by Herbert Xu. The first uses ip xfrm
3339: instead of setkey to flush the IPsec policy database. The
3340: second sets the optional flag in inbound IPComp SAs only.
3341:
3342: - Applied Ulrich Weber's patch which fixes an interoperability
3343: problem between native IPsec and KLIPS systems caused by
3344: setting the replay window to 32 instead of 0 for ipcomp.
3345:
3346:
3347: strongswan-2.4.1
3348: ----------------
3349:
3350: - Fixed a bug which caused an unwanted Mode Config request
3351: to be initiated in the case where "right" was used to denote
3352: the local side in ipsec.conf and "left" the remote side,
3353: contrary to the recommendation that "right" be remote and
3354: "left" be"local".
3355:
3356:
3357: strongswan-2.4.0a
3358: -----------------
3359:
3360: - updated Vendor ID to strongSwan-2.4.0
3361:
3362: - updated copyright statement to include David Buechi and
3363: Michael Meier
3364:
3365:
3366: strongswan-2.4.0
3367: ----------------
3368:
3369: - strongSwan now communicates with attached smartcards and
3370: USB crypto tokens via the standardized PKCS #11 interface.
3371: By default the OpenSC library from www.opensc.org is used
3372: but any other PKCS#11 library could be dynamically linked.
3373: strongSwan's PKCS#11 API was implemented by David Buechi
3374: and Michael Meier, both graduates of the Zurich University
3375: of Applied Sciences in Winterthur, Switzerland.
3376:
3377: - When a %trap eroute is triggered by an outgoing IP packet
3378: then the native IPsec stack of the Linux 2.6 kernel [often/
3379: always?] returns an XFRM_ACQUIRE message with an undefined
3380: protocol family field and the connection setup fails.
3381: As a workaround IPv4 (AF_INET) is now assumed.
3382:
3383: - the results of the UML test scenarios are now enhanced
3384: with block diagrams of the virtual network topology used
3385: in a particular test.
3386:
3387:
3388: strongswan-2.3.2
3389: ----------------
3390:
3391: - fixed IV used to decrypt informational messages.
3392: This bug was introduced with Mode Config functionality.
3393:
3394: - fixed NCP Vendor ID.
3395:
3396: - undid one of Ulrich Weber's maximum udp size patches
3397: because it caused a segmentation fault with NAT-ed
3398: Delete SA messages.
3399:
3400: - added UML scenarios wildcards and attr-cert which
3401: demonstrate the implementation of IPsec policies based
3402: on wildcard parameters contained in Distinguished Names and
3403: on X.509 attribute certificates, respectively.
3404:
3405:
3406: strongswan-2.3.1
3407: ----------------
3408:
3409: - Added basic Mode Config functionality
3410:
3411: - Added Mathieu Lafon's patch which upgrades the status of
3412: the NAT-Traversal implementation to RFC 3947.
3413:
3414: - The _startklips script now also loads the xfrm4_tunnel
3415: module.
3416:
3417: - Added Ulrich Weber's netlink replay window size and
3418: maximum udp size patches.
3419:
3420: - UML testing now uses the Linux 2.6.10 UML kernel by default.
3421:
3422:
3423: strongswan-2.3.0
3424: ----------------
3425:
3426: - Eric Marchionni and Patrik Rayo, both recent graduates from
3427: the Zuercher Hochschule Winterthur in Switzerland, created a
3428: User-Mode-Linux test setup for strongSwan. For more details
3429: please read the INSTALL and README documents in the testing
3430: subdirectory.
3431:
3432: - Full support of group attributes based on X.509 attribute
3433: certificates. Attribute certificates can be generated
3434: using the openac facility. For more details see
3435:
3436: man ipsec_openac.
3437:
3438: The group attributes can be used in connection definitions
3439: in order to give IPsec access to specific user groups.
3440: This is done with the new parameter left|rightgroups as in
3441:
3442: rightgroups="Research, Sales"
3443:
3444: giving access to users possessing the group attributes
3445: Research or Sales, only.
3446:
3447: - In Quick Mode clients with subnet mask /32 are now
3448: coded as IP_V4_ADDRESS or IP_V6_ADDRESS. This should
3449: fix rekeying problems with the SafeNet/SoftRemote and NCP
3450: Secure Entry Clients.
3451:
3452: - Changed the defaults of the ikelifetime and keylife parameters
3453: to 3h and 1h, respectively. The maximum allowable values are
3454: now both set to 24 h.
3455:
3456: - Suppressed notification wars between two IPsec peers that
3457: could e.g. be triggered by incorrect ISAKMP encryption.
3458:
3459: - Public RSA keys can now have identical IDs if either the
3460: issuing CA or the serial number is different. The serial
3461: number of a certificate is now shown by the command
3462:
3463: ipsec auto --listpubkeys
3464:
3465:
3466: strongswan-2.2.2
3467: ----------------
3468:
3469: - Added Tuomo Soini's sourceip feature which allows a strongSwan
3470: roadwarrior to use a fixed Virtual IP (see README section 2.6)
3471: and reduces the well-known four tunnel case on VPN gateways to
3472: a single tunnel definition (see README section 2.4).
3473:
3474: - Fixed a bug occurring with NAT-Traversal enabled when the responder
3475: suddenly turns initiator and the initiator cannot find a matching
3476: connection because of the floated IKE port 4500.
3477:
3478: - Removed misleading ipsec verify command from barf.
3479:
3480: - Running under the native IP stack, ipsec --version now shows
3481: the Linux kernel version (courtesy to the Openswan project).
3482:
3483:
3484: strongswan-2.2.1
3485: ----------------
3486:
3487: - Introduced the ipsec auto --listalgs monitoring command which lists
3488: all currently registered IKE and ESP algorithms.
3489:
3490: - Fixed a bug in the ESP algorithm selection occurring when the strict flag
3491: is set and the first proposed transform does not match.
3492:
3493: - Fixed another deadlock in the use of the lock_certs_and_keys() mutex,
3494: occurring when a smartcard is present.
3495:
3496: - Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event.
3497:
3498: - Fixed the printing of the notification names (null)
3499:
3500: - Applied another of Herbert Xu's Netlink patches.
3501:
3502:
3503: strongswan-2.2.0
3504: ----------------
3505:
3506: - Support of Dead Peer Detection. The connection parameter
3507:
3508: dpdaction=clear|hold
3509:
3510: activates DPD for the given connection.
3511:
3512: - The default Opportunistic Encryption (OE) policy groups are not
3513: automatically included anymore. Those wishing to activate OE can include
3514: the policy group with the following statement in ipsec.conf:
3515:
3516: include /etc/ipsec.d/examples/oe.conf
3517:
3518: The default for [right|left]rsasigkey is now set to %cert.
3519:
3520: - strongSwan now has a Vendor ID of its own which can be activated
3521: using the compile option VENDORID
3522:
3523: - Applied Herbert Xu's patch which sets the compression algorithm correctly.
3524:
3525: - Applied Herbert Xu's patch fixing an ESPINUDP problem
3526:
3527: - Applied Herbert Xu's patch setting source/destination port numbers.
3528:
3529: - Reapplied one of Herbert Xu's NAT-Traversal patches which got
3530: lost during the migration from SuperFreeS/WAN.
3531:
3532: - Fixed a deadlock in the use of the lock_certs_and_keys() mutex.
3533:
3534: - Fixed the unsharing of alg parameters when instantiating group
3535: connection.
3536:
3537:
3538: strongswan-2.1.5
3539: ----------------
3540:
3541: - Thomas Walpuski made me aware of a potential DoS attack via
3542: a PKCS#7-wrapped certificate bundle which could overwrite valid CA
3543: certificates in Pluto's authority certificate store. This vulnerability
3544: was fixed by establishing trust in CA candidate certificates up to a
3545: trusted root CA prior to insertion into Pluto's chained list.
3546:
3547: - replaced the --assign option by the -v option in the auto awk script
3548: in order to make it run with mawk under debian/woody.
3549:
3550:
3551: strongswan-2.1.4
3552: ----------------
3553:
3554: - Split of the status information between ipsec auto --status (concise)
3555: and ipsec auto --statusall (verbose). Both commands can be used with
3556: an optional connection selector:
3557:
3558: ipsec auto --status[all] <connection_name>
3559:
3560: - Added the description of X.509 related features to the ipsec_auto(8)
3561: man page.
3562:
3563: - Hardened the ASN.1 parser in debug mode, especially the printing
3564: of malformed distinguished names.
3565:
3566: - The size of an RSA public key received in a certificate is now restricted to
3567:
3568: 512 bits <= modulus length <= 8192 bits.
3569:
3570: - Fixed the debug mode enumeration.
3571:
3572:
3573: strongswan-2.1.3
3574: ----------------
3575:
3576: - Fixed another PKCS#7 vulnerability which could lead to an
3577: endless loop while following the X.509 trust chain.
3578:
3579:
3580: strongswan-2.1.2
3581: ----------------
3582:
3583: - Fixed the PKCS#7 vulnerability discovered by Thomas Walpuski
3584: that accepted end certificates having identical issuer and subject
3585: distinguished names in a multi-tier X.509 trust chain.
3586:
3587:
3588: strongswan-2.1.1
3589: ----------------
3590:
3591: - Removed all remaining references to ipsec_netlink.h in KLIPS.
3592:
3593:
3594: strongswan-2.1.0
3595: ----------------
3596:
3597: - The new "ca" section allows to define the following parameters:
3598:
3599: ca kool
3600: cacert=koolCA.pem # cacert of kool CA
3601: ocspuri=http://ocsp.kool.net:8001 # ocsp server
3602: ldapserver=ldap.kool.net # default ldap server
3603: crluri=http://www.kool.net/kool.crl # crl distribution point
3604: crluri2="ldap:///O=Kool, C= .." # crl distribution point #2
3605: auto=add # add, ignore
3606:
3607: The ca definitions can be monitored via the command
3608:
3609: ipsec auto --listcainfos
3610:
3611: - Fixed cosmetic corruption of /proc filesystem by integrating
3612: D. Hugh Redelmeier's freeswan-2.06 kernel fixes.
3613:
3614:
3615: strongswan-2.0.2
3616: ----------------
3617:
3618: - Added support for the 818043 NAT-Traversal update of Microsoft's
3619: Windows 2000/XP IPsec client which sends an ID_FQDN during Quick Mode.
3620:
3621: - A symbolic link to libcrypto is now added in the kernel sources
3622: during kernel compilation
3623:
3624: - Fixed a couple of 64 bit issues (mostly casts to int).
3625: Thanks to Ken Bantoft who checked my sources on a 64 bit platform.
3626:
3627: - Replaced s[n]printf() statements in the kernel by ipsec_snprintf().
3628: Credits go to D. Hugh Redelmeier, Michael Richardson, and Sam Sgro
3629: of the FreeS/WAN team who solved this problem with the 2.4.25 kernel.
3630:
3631:
3632: strongswan-2.0.1
3633: ----------------
3634:
3635: - an empty ASN.1 SEQUENCE OF or SET OF object (e.g. a subjectAltName
3636: certificate extension which contains no generalName item) can cause
3637: a pluto crash. This bug has been fixed. Additionally the ASN.1 parser has
3638: been hardened to make it more robust against malformed ASN.1 objects.
3639:
3640: - applied Herbert Xu's NAT-T patches which fixes NAT-T under the native
3641: Linux 2.6 IPsec stack.
3642:
3643:
3644: strongswan-2.0.0
3645: ----------------
3646:
3647: - based on freeswan-2.04, x509-1.5.3, nat-0.6c, alg-0.8.1rc12
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to NEWS CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan