Version 5.9.2
- Together with a Linux 5.8 kernel supporting the IMA measurement of the GRUB bootloader and the
Linux kernel, the strongSwan Attestation IMC allows remote attestation of the complete boot
phase. A recent TPM 2.0 device with a SHA-256 PCR bank is required, so that both BIOS and IMA file
measurements are based on SHA-256 hashes.
- Our own TLS library (src/libtls) that we use for EAP-TLS, EAP-TTLS, EAP-PEAP and PT-TLS
gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and Pascal Knecht (client
and server) for their work on this.
Because the use of TLS 1.3 with the above EAP methods is not yet standardized (see 121ac4b9e3),
the default maximum version is currently set to TLS 1.2, which is now also the default minimum
version (both are configurable via strongswan.conf). However, the TNC test scenarios using PT-TLS
transport already use TLS 1.3.
- Several improvements for libtls also affect older TLS versions. For instance, we added support for
ECDH with Curve25519/448 (DH groups may also be configured now), for EdDSA keys and certificates
and for RSA-PSS signatures. Support for old and weak cipher suites has been removed (e.g. with 3DES
and MD5) as well as signature schemes with SHA-1.
- The listener_t::ike_update event is now also called for MOBIKE updates. Its signature has changed
so we only have to call it once if both addresses (and/or ports) have changed (e.g. for an address family
switch).
- The ike-update event is exposed via vici.
- The farp plugin has been ported to macOS and FreeBSD. Thanks to Dan James for working on this (95a0d800c9).
- To fix DNS server installation with systemd-resolved, charon-nm now creates a dummy TUN device
again (was removed with 5.5.1, #3615).
- The botan plugin can use rng_t implementations provided by other plugins when generating keys etc.
if the Botan library supports it (requires the upcoming Botan 3).
- charon-tkm now supports multiple CAs and is configured via vici/swanctl.
- Simple glob patterns (e.g. include conf.d/*.conf) now also work on Windows. Handling of forward
slashes in paths on Windows has also been improved.
- The abbreviations for the surname and serial number RDNs in ASN.1 distinguished names have been
changed to align with RFC 4519: The abbreviation for surname is now SN (was S before), which was
previously used for the serial number; the latter can now only be specified as serialNumber (d8e4a2a777).
- The serial numbers in certificates generated by the load-tester plugin are now encoded as proper
ASN.1 integers (#3667).
- An issue with Windows clients requesting IPv6 but not IPv4 virtual IP addresses from previous sessions
has been fixed (#3541).
- Changes to ike_sa_manager_t: Checking out IKE_SAs by config is now atomic (e.g. when acquires for
different children of the same connection are handled concurrently). The checkout_new() method has
been renamed to create_new(). A new checkout_new() method allows registering a new IKE_SA with
the manager shortly before checking it in, so jobs can be queued without losing them, as they can block
on checking out the new SA once it's checked in.
- The build-strongswan script for the testing environment can now also build the software installed
in the root image (helpful if strongSwan changes depend on changes in dependencies) or recreate the
complete root image (check --help for details).
Version 5.9.1
- Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI measurements introduced
with the Linux 5.4 kernel. This includes support for the BIOS/EFI event log and variable sized PCR banks.
- The tpm plugin supports SHA-3 and CMAC with TPM 2.0.
- Nonces in OCSP responses are not enforced anymore (added with 5.8.2) and only validated if a nonce
is actually contained (#3557).
- Fixed an issue when only some fragments of a retransmitted IKEv2 message were received, which prevented
processing a following fragmented message (non-fragmented messages were correctly processed, 6586f07162).
- All remaining queued vici messages are now sent to subscribed clients during shutdown, which includes
ike/child-updown events triggered when all established SAs are deleted (ef636316d2).
- CHILD_SA IP addresses are now updated before installation of the IPsec SAs and policies to allow MOBIKE
updates happening while retransmitting a CREATE_CHILD_SA request (#3164).
- When looking for a route to the peer, the kernel-netlink plugin now ignores the current source address if it's
deprecated. It also updates the flags associated with cached IP addresses and triggers a roam event if they
change. So a MOBIKE update now switches to a new address if the current one gets deprecated (#3511).
- The file and syslog loggers support logging the log level of each message after the subsystem (e.g.
[IKE2], #3509).
- Improved support for EdDSA keys in vici/swanctl, in particular, encrypted keys are now supported (#3586).
- A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID to prevent Cisco
devices from narrowing 0.0.0.0/0 traffic selectors (GH#180).
- The openssl plugin accepts CRLs issued by non-CA certificates if they contain the cRLSign keyUsage
flag (the x509 plugin already does this since 4.5.1).
- Attributes in PKCS#7 containers, as used in SCEP, are now properly DER-encoded, i.e. sorted (#3589).
- Failures during restarts of IKEv1 CHILD_SAs are now properly handled (12a3f3ca52).
- Virtual IPv6 addresses and IPv6 source address pools are now supported in the load-tester plugin (#3595).
- The Android client optionally supports IPv6 transport addresses for IKE and ESP (requires UDP encapsulation
for IPv6 on the server, which Linux only supports since 5.8).
- /dev/random on guest hosts in the testing environment is now mapped to the host's /dev/urandom
via VirtIO RNG, which requires support in the guest kernel (CONFIG_HW_RANDOM_VIRTIO).
Version 5.9.0
- We prefer AEAD algorithms for ESP and therefore put AES-GCM in a default AEAD proposal in front
of the previous default proposal.
- Changes related to the NM frontend and backend (charon-nm):
- Password entry for private keys in the frontend has been fixed; in the backend, cached credentials
are now also cleared when the connection is terminated (#3428).
- The AppStream metadata installed by the frontend has been migrated from appdata to
metainfo (73b60338dc).
- The height of the frontend has been reduced by using tabs for options/proposals (#3448).
- DPD and close action are now set to restart in the backend (#3300).
- The backend supports custom remote traffic selectors via the remote-ts option (separated by ;).
There is currently no GUI support, so configuration has to be done manually via nmcli or the
config file.
- If a connection fails after getting redirected, we now restart connecting to the original host, not the
one redirected to.
- The pkcs11 plugin falls back to hashing data for PKCS#1 v1.5 RSA signatures in software if the
smartcard/library doesn't support signature mechanisms with hashing (e.g. CKM_SHA256_RSA_PKCS).
- The owner/group of the log file opened by the file logger (e.g. via charon.filelog) is now set so the
daemon can reopen it if the config is reloaded and it doesn't run as root.
- The wolfssl plugin (when used with wolfSSL 4.4.0+) supports x448 Diffie-Hellman and Ed448 keys.
- For peers that don't send the EAP_ONLY_AUTHENTICATION notify but still expect to use EAP-only
authentication, the charon.force_eap_only_authentication option can be enabled to force this type
of authentication even on non-compliant peers.
- DH groups are properly handled during migration of CHILD_SA-creating tasks when reestablishing (previously,
this may have caused DH groups to be included in the proposal sent during IKE_AUTH).
- The vici plugin stores all CA certificates in one location, which avoids issues with unloading authority
sections or clearing all credentials (GH#172).
- When unloading a vici connection with start_action=start, any related IKE_SAs without children are now
terminated (including those in CONNECTING state).
- The hashtable implementation has been changed so it maintains insertion order (the old implementation,
including the get_match() method and a new feature to sort keys, has been migrated to the hashlist_t
class). This was mainly done so the vici plugin can store its connections in a hashtable, which makes
managing high numbers of connections faster.
- The default maximum size for vici messages (512 KiB) can now be changed via the
VICI_MESSAGE_SIZE_MAX compile option.
- IPv6 virtual IPs are now always enumerated, ignoring the charon.prefer_temporary_addrs setting, which
should fix route installation if the latter is enabled.
- The version as obtained from the Git repository (via git describe) on which a build is based can now be
used in executables (--enable-git-version). Tarballs include a text file with that information cached.
- Connectivity with the Android client got a lot more stable on Android 6+ where the system aggressively
suspends apps when the device is idle (Doze mode). We now use a custom scheduler that uses Android's
AlarmManager, which allows waking up the app even if the system put it to sleep. It does require adding
the app to the system's battery optimization whitelist, which is requested from the user automatically if
necessary. With this, NAT keepalives and rekeyings are now scheduled accurately, with little changes to the
battery usage (#3364).
There are some related changes that could be useful outside of the Android client:
- It's possible to use other clocks than CLOCK_MONOTONIC (e.g. CLOCK_BOOTTIME) via the TIME_CLOCK_ID
compile option if clock_gettime() is available and pthread_condattr_setclock() supports that
clock (Android's bionic C library e.g. only supports CLOCK_MONOTONIC and CLOCK_REALTIME while the
kernel would support CLOCK_BOOTTIME via clock_gettime()).
- When using a clock that includes time spent suspended, the new charon.keep_alive_dpd_margin option
may be used to trigger a DPD instead of a NAT keepalive if too much time has passed.
- Another option (charon.check_current_path) allows forcing a DPD exchange to check if the current path
still works whenever changes to interfaces/addresses are detected.
Version 5.8.4
- In IKEv1 Quick Mode make sure that a proposal exists before determining lifetimes (fixes a crash
due to a null-pointer dereference in 5.8.3, cb26c5547c).
- OpenSSL currently doesn't support squeezing bytes out of a SHAKE128/256 XOF (support was added
with 5.8.3) multiple times. Unfortunately, EVP_DigestFinalXOF() completely resets the context and
later calls don't simply fail, they cause a null-pointer dereference in libcrypto. c5c1898d73 fixes the
crash at the cost of re-initializing the whole state and allocating too much data for subsequent
calls (hopefully, once OpenSSL issue 7894 is resolved we can implement this more efficiently).
- On 32-bit platforms, reading arbitrary 32-bit integers from config files (e.g. for charon.spi_min/max)
has been fixed (99bef7b686).
Version 5.8.3
- Updates for the NM plugin (and backend, which has to be updated to be compatible):
- EAP-TLS authentication (#2097)
- Certificate source (file, agent, smartcard) is selectable independently
- Add support to configure local and remote identities (#2581)
- Support configuring a custom server port (#625)
- Show hint regarding password storage policy
- Replaced the term "gateway" with "server"
- Fixes build issues due to use of deprecated GLib macros/functions
- Updated Glade file to GTK 3.2
- The NM backend now supports reauthentication and redirection (#852).
- Previously used reqids are now reallocated, which works around an issue on FreeBSD where the kernel
doesn't allow the daemon to use reqids > 16383 (#2315).
- On Linux, throw type routes are installed in table 220 for passthrough policies. The kernel will then fall
back on routes in routing tables with lower priorities for matching traffic. This way, they require less
information (e.g. no interface or source IP) and can be installed earlier and are not affected by updates.
- For IKEv1, the lifetimes of the actually selected transform are returned to the initiator, which is an issue
if the peer uses different lifetimes for different transforms (#3329). We now also return the correct
transform and proposal IDs (proposal ID was always 0, transform ID 1).
- IKE_SAs are now not re-established anymore (e.g. after several retransmits) if a deletion has been
queued (#3335).
- Added support for Ed448 keys and certificates via openssl plugin and pki tool.
- Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
- The use of algorithm IDs from the private use range can now be enabled globally, to use them even if no
strongSwan vendor ID was exchanged (05e373aeb0).
- Fixed a compiler issue that may have caused invalid keyUsage extensions in certificates (#3249).
- CI builds on LGTM and via Travis CI on new platforms (ARM64, IBM Power and IBM Z - the latter is big-endian).
Fixed several reported issues.
Version 5.8.2
- Identity-based CA constraints, which enforce that the certificate chain of the remote peer contains a CA certificate
with a specific identity, are supported via vici/swanctl.conf. This is similar to the existing CA constraints but
doesn't require that the CA certificate is locally installed, for instance, intermediate CA certificates received from
the peers. Wildcard identity matching (e.g. ..., OU=Research, CN=*) could also be used for the latter but requires
trust in the intermediate CAs to only issue certificates with legitimate subject DNs (e.g. the "Sales" CA must not
issue certificates with OU=Research). With the new constraint that's not necessary as long as a path length basic
constraint (--pathlen for pki --issue) prevents intermediate CAs from issuing further intermediate CAs.
- Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG) based on AES-CTR and SHA2-HMAC
modes. Currently used by the gmp and ntru plugins.
- Random nonces sent in OCSP requests are now expected in the corresponding OCSP responses.
- The kernel-netlink plugin now ignores deprecated IPv6 addresses for MOBIKE. Whether temporary or
permanent IPv6 addresses are included now depends on the charon.prefer_temporary_addrs setting (#3192).
- Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the kernel.
- The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now cleared before sending requests, as many
of the messages sent by the kernel are sent as broadcasts to all PF_KEY sockets. This is an issue if an external
tool is used to manage SAs/policies unrelated to IPsec (#3225).
- The vici plugin now uses unique section names for CHILD_SAs in child-updown events (7c74ce9190).
- For individually deleted CHILD_SAs (in particular for IKEv1) the vici child-updown event now includes more
information about the CHILD_SAs such as traffic statistics (#3198).
- Custom loggers are correctly re-registered if log levels are changed via stroke loglevel (#3182).
- Avoid lockups during startup on low entropy systems when using OpenSSL 1.1.1 (095a2c2eac).
- Instead of failing later when setting a key, creating HMACs via openssl plugin now fails instantly if the underlying
hash algorithm isn't supported (e.g. MD5 in FIPS-mode) so fallbacks to other plugins work properly (#3284).
- Exponents of RSA keys read from TPM 2.0 via SAPI are correctly converted (8ee1242f1438).
- Routing table IDs > 255 are supported for custom routes on Linux.
- To avoid races, the check for hardware offloading support in the kernel-netlink plugin is performed during
initialization of the plugin (a605452c03).
- The D-Bus config file for charon-nm is now installed in $(datadir)/dbus-1/system.d instead of
$(sysconfdir)/dbus-1/system.d, which is intended for sysadmin overrides.
- INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same exchange type and with the same
message ID as the request.
- IKEv2 SAs are now immediately destroyed when sending or receiving INVALID_SYNTAX notifies in authenticated
messages.
- For developers working from the repository the configure script now aborts if GNU gperf is not found.
Version 5.8.1
- RDNs in DNs of X.509 certificates can now optionally be matched less strictly. The global strongswan.conf option
charon.rdn_matching takes two alternative values that cause the matching algorithm to either ignore the order of
matched RDNs (reordered) or additionally (relaxed) accept DNs that contain more RDNs than configured (unmatched
RDNs are treated like wildcard matches).
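To make the three modes concrete, and to show the RFC 4519 abbreviations adopted in 5.9.2 (SN is the surname, serialNumber has no abbreviation), here is an added Python example that is not strongSwan's own DN code: DNs are handled as parsed strings rather than ASN.1, and the mode semantics follow the description above.

```python
"""Match an X.509 subject DN against a configured identity under the three
charon.rdn_matching modes (strict, reordered, relaxed).

Added example, not strongSwan's own DN code: DNs are handled as parsed strings
instead of ASN.1, and '*' is the only wildcard supported.
"""
import re
from typing import List, Tuple

# Attribute type abbreviations as aligned with RFC 4519 in 5.9.2: SN is the
# surname and serialNumber is written out (lookup is case-insensitive).
ATTRIBUTE_TYPES = {
    "c": "countryName", "o": "organizationName", "ou": "organizationalUnitName",
    "cn": "commonName", "l": "localityName", "st": "stateOrProvinceName",
    "sn": "surname", "surname": "surname", "gn": "givenName", "dc": "domainComponent",
    "e": "emailAddress", "serialnumber": "serialNumber",
}
RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split "C=CH, O=strongSwan, CN=carol" into [(type, value), ...].
    A comma inside a value is escaped as '\\,'; unknown types are rejected."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        key = attr.strip().lower()
        if not sep or key not in ATTRIBUTE_TYPES:
            raise ValueError(f"malformed or unknown RDN: {part.strip()!r}")
        rdns.append((ATTRIBUTE_TYPES[key], value.strip().replace("\\,", ",")))
    return rdns


def rdn_matches(configured: RDN, actual: RDN) -> bool:
    """Types must be equal; the configured value matches if it is '*' or equal."""
    return configured[0] == actual[0] and configured[1] in ("*", actual[1])


def dn_matches(configured: str, subject: str, mode: str = "strict") -> bool:
    """strict: same RDNs in the same order; reordered: same RDNs in any order;
    relaxed: reordered, and the subject may carry additional RDNs (treated as
    if they were wildcard matches)."""
    want, have = parse_dn(configured), parse_dn(subject)
    if mode == "strict":
        return len(want) == len(have) and all(map(rdn_matches, want, have))
    if mode not in ("reordered", "relaxed"):
        raise ValueError(f"unknown rdn_matching mode {mode!r}")
    # Each configured RDN must consume a distinct subject RDN. Literal values
    # are matched before wildcards so "OU=*" cannot steal the RDN that a
    # literal "OU=Research" needs.
    remaining = list(have)
    for w in sorted(want, key=lambda rdn: rdn[1] == "*"):
        for idx, h in enumerate(remaining):
            if rdn_matches(w, h):
                del remaining[idx]
                break
        else:
            return False
    return not remaining or mode == "relaxed"


def demo() -> dict:
    """Constructed subject and configured identities; returns, per identity,
    the (strict, reordered, relaxed) decisions."""
    subject = "C=CH, O=strongSwan, OU=Research, SN=Meier, CN=carol"
    identities = {
        "same_order": "C=CH, O=strongSwan, OU=Research, SN=Meier, CN=carol",
        "reordered": "CN=carol, OU=Research, O=strongSwan, C=CH, SN=Meier",
        "subset_wildcard": "O=strongSwan, OU=Research, CN=*",
        "wrong_ou": "C=CH, O=strongSwan, OU=Sales, SN=Meier, CN=carol",
    }
    modes = ("strict", "reordered", "relaxed")
    return {name: tuple(dn_matches(cfg, subject, m) for m in modes)
            for name, cfg in identities.items()}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name:16s} strict/reordered/relaxed = {decisions}")
```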
- The updown plugin now passes the same interface to the script that is also used for the automatically
installed routes, that is, the interface over which the peer is reached instead of the interface on which the
local address is found (#3095).
- TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple IKE_SAs use the same private
key concurrently (4b25885025).
- Do a rekey check after the third QM message was received (#3060).
- If available, explicit_bzero() is now used as memwipe() instead of our own implementation.
- An .editorconfig file has been added, mainly so Github shows files with proper indentation (68346b6962).
- The internal certificate of the load-tester plugin has been modified so it can again be used as end-entity
cert with 5.6.3 and later (#3139).
- The maximum data length of received COOKIE notifies (64 bytes) is now enforced (#3160).
Version 5.8.0
- The systemd service units have been renamed. The modern unit, which was called strongswan-swanctl,
is now called strongswan (the previous name is configured as alias in the unit, for which a symlink is
created when the unit is enabled). The legacy unit is now called strongswan-starter.
- Support for XFRM interfaces (available since Linux 4.19) has been added, which are intended to
replace VTI devices (they are similar but offer several advantages, for instance, they are not bound
to an address or address family).
IPsec SAs and policies are associated with such interfaces via interface IDs that can be configured in
swanctl.conf (dynamic IDs may optionally be allocated for each SA and even direction). It's possible to
use separate interfaces for in- and outbound traffic (or only use an interface in one direction and regular
policies in the other).
Interfaces may be created dynamically via updown/vici scripts, or statically before or after establishing
the SAs. Routes must be added manually as needed (the daemon will not install any routes for outbound
policies with an interface ID).
When moving XFRM interfaces to other network namespaces they retain access to the SAs and policies
installed in the original namespace, which allows providing IPsec tunnels for processes in other network
namespaces without giving them access to the IPsec keys or IKE credentials.
More information can be found on the page about route-based VPNs.
- Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and supported by the responder,
no CHILD_SA is established during IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA
exchanges. This allows using a separate DH exchange even for the first CHILD_SA, which is otherwise
created during IKE_AUTH with keys derived from the IKE_SA's key material.
The swanctl --initiate command may be used to initiate only the IKE_SA via the --ike option if --child is
omitted and the peer supports this extension.
- The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks to Sean Parkinson of
wolfSSL Inc. for the initial patch.
- IKE SPIs may optionally be labeled via the charon.spi_mask|label options in strongswan.conf. This feature
was extracted from charon-tkm, however, now applies the mask/label in network order.
- The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
- The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not correctly implemented
when sending either a CRETRY or SRETRY batch. These batches can only be sent in the "Decided" state
and a CRETRY batch can immediately carry all messages usually transported by a CDATA batch. It is
currently not possible to send a SRETRY batch since full-duplex mode for PT-TLS transport is not supported.
- Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink plugin now uses address labels to
avoid that such addresses are used for non-VPN traffic (00a953d090).
- The agent plugin now creates sockets to the ssh/gpg-agent dynamically and does not keep them open,
which otherwise might prevent the agent from getting terminated.
- To avoid broadcast loops the forecast plugin now only reinjects packets that are marked or received from
the configured interface.
- UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses a UTF-16LE
encoding to calculate the NT hash (#3014).
- Properly delete temporary drop policies (used when updating IP addresses of SAs) if manual priorities are
used, which was broken since 5.6.2 (8e31d65730).
- Avoid overwriting start_action when parsing the inactivity timeout in the vici plugin (#2954).
- Fixed the automatic termination of reloaded vici connections with start_action=start, which was broken
since 5.6.3 (71b22c250f).
- The lookup for shared secrets for IKEv1 SAs via sql plugin should now work better (6ec9f68f32).
- Fixed a race condition in the trap manager between installation and removal of a policy (69cbe2ca3f).
- Compilation of the kernel-netlink plugin has been fixed on old kernels (< 2.6.39), which was caused
by the HW offload changes (c7f579fa17).
- The IPsec stack detection and module loading in starter has been removed (it wasn't enforced anyway
and loading modules doesn't seem necessary, also KLIPS hasn't been supported for a long time and
PF_KEY will eventually be removed from the Linux kernel, ba817d2917).
- Several IKEv2 protocol details are now handled more strictly: Unrequested virtual IPs are ignored,
CFG_REPLY payloads are ignored if no CFG_REQUEST payloads were sent, a USE_TRANSPORT_MODE notify
received from the responder is checked against the local configuration.
- The keys and certificates used by the scenarios in the testing environment are now generated
dynamically. Running the testing/scripts/build-certs script after creating the base and root images
uses the pki utility installed in the latter to create the keys and certificates for all the CAs and in some
cases for individual scenarios. These credentials are stored in the source tree, not the image, so this has
to be called only once even if the images are later rebuilt. The script automatically (re-)builds the guest
images as that generates fresh CRLs and signs the DNS zones. The only keys/certificates currently not
generated are the very large ones used by the ikev2/rw-eap-tls-fragments scenario.
Version 5.7.2
- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt length
(as defined by the length of the key and hash). However, if the TPM is FIPS 186-4 compliant,
the salt length equals the hash length. This is assumed for FIPS 140-2 compliant TPMs, but
if that's not the case, it might be necessary to manually enable charon.plugins.tpm.fips_186_4
if the TPM doesn't use the maximum salt length.
- Directories for credentials loaded by swanctl are now accessed relative to the loaded
swanctl.conf file, in particular, when loading it from a custom location via the --file argument.
The base directory, which is used if no custom location for swanctl.conf is specified, is now
also configurable at runtime via the SWANCTL_DIR environment variable.
- If RADIUS Accounting is enabled, the eap-radius plugin will add the session ID (Acct-Session-Id)
to Access-Request messages, which e.g. simplifies associating database entries for IP leases and
accounting with sessions (the session ID does not change when IKE_SAs are rekeyed, #2853).
- All IP addresses assigned by a RADIUS server are included in Accounting-Stop messages even if
the client did not claim them, allowing them to be released early in case of connection errors (#2856).
- Selectors installed on transport mode SAs by the kernel-netlink plugin are now updated if an
IP address changes (e.g. via MOBIKE) and it was part of the selectors.
- No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815).
- The bypass-lan plugin now tracks interfaces to handle subnets that move from one interface
to another and properly update associated routes (#2820).
- Only valid and expected inbound IKEv2 messages are used to update the timestamp of the
last received message (previously, retransmits also triggered an update).
- IKEv2 requests from responders are now ignored until the IKE_SA is fully established (e.g. if a
DPD request from the peer arrives before the IKE_AUTH response does, 46bea1add9).
- Delayed IKE_SA_INIT responses with COOKIE notifies we already received are now ignored; previously they
caused another reset of the IKE_SA (#2837).
- Active and queued Quick Mode tasks are now adopted if the peer reauthenticates an IKEv1 SA
while creating lots of CHILD_SAs.
- Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension to SADB_ACQUIRE
messages, which allows the kernel-pfkey plugin to determine the reqid of the policy even if it
wasn't installed by the daemon previously (e.g. when using FreeBSD's if_ipsec(4) VTIs, which
install policies themselves, 872b9b3e8d).
- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin. For older
versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature authentication has to be
disabled via charon.signature_authentication.
- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys and
signatures when built against OpenSSL 1.1.1.
- Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM was added to the botan plugin.
- The mysql plugin now properly handles database connections with transactions
under heavy load (#2779).
- IP addresses in ha pools are now distributed evenly among all segments (#2828).
- Private key implementations may optionally provide a list of supported signature schemes,
which, as described above, is used by the tpm plugin because for each key on a TPM 2.0 the
hash algorithm and for RSA also the padding scheme is predefined.
- The testing environment is now based on Debian 9 (stretch) by default. This required
some changes, in particular, updating to FreeRADIUS 3.x (which forced us to abandon the
TNC@FHH patches and scenarios, 2fbe44bef3) and removing FIPS-enabled versions of
OpenSSL (the FIPS module only supports OpenSSL 1.0.2).
01.10.2018 (minor release)
Version 5.7.1
- Fixes a vulnerability in the gmp plugin triggered by crafted certificates with RSA keys with
very small moduli. When verifying signatures with such keys, the code patched with the fix
for CVE-2018-16151/2 caused an integer underflow and subsequent heap buffer overflow
that results in a crash of the daemon.
The vulnerability has been registered as CVE-2018-17540.
Please refer to our blog for details.
- This release contains no other changes, please refer to 5.7.0 for other features and fixes.
Version 5.7.0
- Fixes a potential authorization bypass vulnerability in the gmp plugin that was caused by a too lenient
verification of PKCS#1 v1.5 signatures. Several flaws could be exploited by a Bleichenbacher-style attack
to forge signatures for low-exponent keys (i.e. with e=3).
CVE-2018-16151 has been assigned to the problem of accepting random bytes after the OID of the
hash function in such signatures, and CVE-2018-16152 has been assigned to the issue of not verifying
that the parameters in the ASN.1 algorithmIdentifier structure are empty. Other flaws that don't lead
to a vulnerability directly (e.g. not checking for at least 8 bytes of padding) have no separate CVE assigned.
Please refer to our blog for details.
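As an added illustration of the flaw class behind these two CVEs (constructed example code, not the gmp plugin's actual implementation), the block below places a deliberately lenient DigestInfo decoder next to a strict encode-and-compare check and runs both over a well-formed encoded message and three malformed ones; the RSA operation itself is omitted and only SHA-256 is modelled.

```python
"""Strict vs lenient handling of an EMSA-PKCS1-v1_5 encoded message (EM).

The EM is the block a verifier obtains from s^e mod n; the modular
exponentiation is left out so the padding checks run stand-alone.  Added
example code, not strongSwan's gmp plugin; only SHA-256 is modelled.
"""
import hashlib

SHA256_OID = bytes.fromhex("608648016503040201")   # 2.16.840.1.101.3.4.2.1
NULL_PARAMS = b"\x05\x00"                           # the only valid parameters here
MIN_PS_LEN = 8                                      # RFC 8017, section 9.2, step 3


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV; short-form lengths suffice for everything built here."""
    if len(content) >= 128:
        raise ValueError("long-form length not supported in this example")
    return bytes([tag, len(content)]) + content


def digest_info(digest: bytes, params: bytes = NULL_PARAMS) -> bytes:
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, params }, OCTET STRING digest }"""
    alg_id = der_tlv(0x30, der_tlv(0x06, SHA256_OID) + params)
    return der_tlv(0x30, alg_id + der_tlv(0x04, digest))


def make_em(t: bytes, em_len: int, ps_len=None, filler: bytes = b"") -> bytes:
    """Lay out 0x00 0x01 PS 0x00 T [filler] in em_len bytes.

    With the default ps_len this is exactly the RFC 8017 encoding.  A smaller
    ps_len leaves room after T that is taken from `filler`, which yields the
    malformed shapes the lenient decoder below fails to reject."""
    if ps_len is None:
        ps_len = em_len - len(t) - 3
    em = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
    em += filler[:em_len - len(em)]
    if len(em) != em_len:
        raise ValueError("T does not fit the encoded message length")
    return em


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Constructed sketch of the flawed pattern behind CVE-2018-16151/16152:
    padding is consumed without a minimum length, the hash OID is searched
    for, the AlgorithmIdentifier parameters are skipped without being checked,
    the next 32-byte OCTET STRING is compared and whatever follows is ignored."""
    if len(em) < 3 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    body = em[i + 1:]
    oid_tlv = der_tlv(0x06, SHA256_OID)
    pos = body.find(oid_tlv)
    if pos < 0:
        return False
    octets = body.find(b"\x04\x20", pos + len(oid_tlv))   # OCTET STRING, 32 bytes
    if octets < 0:
        return False
    return body[octets + 2:octets + 34] == hashlib.sha256(message).digest()


def strict_verify(em: bytes, message: bytes) -> bool:
    """Encode-and-compare: recompute the single valid EM for this length and
    require byte equality, which rejects short padding, non-NULL parameters
    and trailing bytes in one comparison (RFC 8017, section 8.2.2)."""
    t = digest_info(hashlib.sha256(message).digest())
    if len(em) - len(t) - 3 < MIN_PS_LEN:
        return False
    return em == make_em(t, len(em))


def demo(em_len: int = 128) -> dict:
    """Run both verifiers over a well-formed EM and three constructed malformed
    variants for a 1024-bit modulus; returns {case: (lenient, strict)}."""
    msg = b"constructed sample message"
    h = hashlib.sha256(msg).digest()
    junk = bytes((7 * i + 3) % 256 for i in range(em_len))   # deterministic filler
    cases = {
        "well_formed": make_em(digest_info(h), em_len),
        "trailing_bytes": make_em(digest_info(h), em_len, MIN_PS_LEN, junk),
        "nonnull_params": make_em(digest_info(h, der_tlv(0x04, junk[:20])),
                                  em_len, MIN_PS_LEN, junk),
        "short_padding": make_em(digest_info(h), em_len, 2, junk),
    }
    return {name: (lenient_verify(em, msg), strict_verify(em, msg))
            for name, em in cases.items()}


if __name__ == "__main__":
    for name, (lenient, strict) in demo().items():
        print(f"{name:15s} lenient={lenient!s:5s} strict={strict}")
```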
- Dots are not allowed anymore in section names in swanctl.conf and strongswan.conf.
This mainly affects the configuration of file loggers. If the path for such a log file contains dots
it now has to be configured in the new path setting within the arbitrarily renamed subsection in the
filelog section.
- Sections in swanctl.conf and strongswan.conf may now reference other sections. All settings and
subsections from such a section are inherited. This allows simplifying configs, as redundant information
only has to be specified once and may then be included in other sections (see strongswan.conf for
an example).
- The originally selected IKE config (based on the IPs and IKE version) can now change if no matching
algorithm proposal is found. This way the order of the configs doesn't matter that much anymore and
it's easily possible to specify separate configs for clients that require weaker algorithms (instead
of having to also add them in other configs that might be selected).
- The new botan plugin is a wrapper around the Botan C++ crypto library.
It requires a fairly recent build from Botan's master branch (or the upcoming 2.8.0 release).
Thanks to René Korthaus and his team from Rohde & Schwarz Cybersecurity for the initial patch and to
Jack Lloyd for quickly adding missing functions to Botan's FFI (C89) interface.
- Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA) for PA-TNC".
The SWIMA subscription option sets a CLOSE_WRITE trigger on the apt history.log file, resulting in a ClientRetry
PB-TNC batch to initialize a new measurement cycle. The new imv/imc-swima plugins replace the previous
imv/imc-swid plugins, which were removed.
- Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA protocols
on Google's OSS-Fuzz infrastructure.
- Support for version 2 of Intel's TPM2-TSS TCG Software Stack. The presence of the in-kernel
/dev/tpmrm0 resource manager is automatically detected.
- The pki tool accepts an xmppAddr otherName as a subjectAlternativeName using the
syntax --san xmppaddr:<jid>.
- swanctl.conf supports the configuration of marks the in- and/or outbound SA should apply to packets after
processing on Linux. Configuring such a mark for outbound SAs requires at least a 4.14 kernel. The ability
to set a mask and configuring a mark/mask for inbound SAs will be added with the upcoming 4.19 kernel.
- New options in swanctl.conf allow configuring how/whether DF, ECN and DS fields in the IP headers are
copied during IPsec processing. Controlling this is currently only possible on Linux.
- The handling of sequence numbers in IKEv1 DPDs has been improved (#2714).
- To avoid conflicts, the dhcp plugin now only uses the DHCP server port if explicitly configured.
Version 5.6.3
- Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is used in FIPS
mode and HMAC-MD5 is negotiated as PRF.
This vulnerability has been registered as CVE-2018-10811.
Please refer to our blog for details.
- Fixed a vulnerability in the stroke plugin, which did not check the received length before
reading a message from the socket. Unless a group is configured, root privileges are
required to access that socket, so in the default configuration this shouldn't be an issue.
This vulnerability has been registered as CVE-2018-5388.
Please refer to our blog for details.
- CRLs that are not yet valid are now ignored to avoid problems in scenarios where expired
certificates are removed from new CRLs and the clock on the host doing the revocation
check is trailing behind that of the host issuing CRLs. Not doing this could result in accepting
a revoked and expired certificate, if it's still valid according to the trailing clock but not
contained anymore in not yet valid CRLs.
- The issuer of fetched CRLs is now compared to the issuer of the checked certificate (#2608).
- CRL validation results other than revocation (e.g. a skipped check because the CRL couldn't
be fetched) are now stored also for intermediate CA certificates and not only for end-entity
certificates, so a strict CRL policy can be enforced in such cases.
- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must now either
not contain a keyUsage extension (like the ones generated by pki), or have at least one of the
digitalSignature or nonRepudiation bits set.
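Both checks just described, as a self-contained Python example added here (not strongSwan's x509 or revocation plugin code): CRLs whose thisUpdate lies in the future are ignored and only CRLs from the certificate's own issuer are consulted, and keyUsage is accepted only when the extension is absent or carries digitalSignature or nonRepudiation. Certificates and CRLs are plain constructed records rather than parsed X.509, and the trailing-clock scenario from the note is reproduced to show why the old selection accepted a revoked certificate.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# keyUsage bits, numbered as in RFC 5280 (bit 0 = digitalSignature)
KU_DIGITAL_SIGNATURE = 1 << 0
KU_NON_REPUDIATION = 1 << 1      # a.k.a. contentCommitment
KU_KEY_ENCIPHERMENT = 1 << 2


@dataclass
class Cert:
    serial: int
    issuer: str
    not_after: datetime
    key_usage: Optional[int] = None  # None: extension absent (as pki generates them)


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    revoked: set = field(default_factory=set)


def ike_key_usage_ok(cert: Cert) -> bool:
    """RFC 4945, 5.1.3.2: no keyUsage at all, or digitalSignature/nonRepudiation set."""
    if cert.key_usage is None:
        return True
    return bool(cert.key_usage & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))


def newest_crl(cert: Cert, crls: list, now: Optional[datetime]) -> Optional[Crl]:
    """Pick the CRL to consult. With now=None every CRL is a candidate (the old
    behaviour); otherwise CRLs that are not yet valid are ignored. In both cases
    only CRLs from the certificate's own issuer count (#2608)."""
    candidates = [c for c in crls
                  if c.issuer == cert.issuer and (now is None or c.this_update <= now)]
    return max(candidates, key=lambda c: c.this_update, default=None)


def check_revocation(cert: Cert, crls: list, now: Optional[datetime]) -> str:
    """Return 'revoked', 'good', or 'skipped' when no usable CRL exists (a strict
    CRL policy can then refuse the certificate)."""
    crl = newest_crl(cert, crls, now)
    if crl is None:
        return "skipped"
    return "revoked" if cert.serial in crl.revoked else "good"


def trailing_clock_scenario() -> tuple:
    """Constructed scenario from the release note: the CA drops an expired,
    revoked certificate from its newest CRL, but our clock is behind the CA's,
    so the certificate still looks valid to us."""
    expiry = datetime(2018, 5, 1, 12, 0)
    cert = Cert(serial=42, issuer="CN=Example CA", not_after=expiry)
    old_crl = Crl("CN=Example CA", expiry - timedelta(days=1), {42})
    new_crl = Crl("CN=Example CA", expiry + timedelta(hours=1), set())  # 42 dropped: expired
    other_crl = Crl("CN=Other CA", expiry + timedelta(hours=2), set())  # wrong issuer
    our_now = expiry - timedelta(hours=1)   # behind the CA; cert not yet expired for us
    crls = [old_crl, new_crl, other_crl]
    before = check_revocation(cert, crls, None)     # newest CRL wins, even if not yet valid
    after = check_revocation(cert, crls, our_now)   # not-yet-valid CRL ignored
    return before, after


if __name__ == "__main__":
    print("old selection:", trailing_clock_scenario()[0], "/ new selection:", trailing_clock_scenario()[1])
```

The "skipped" result is what lets the daemon store a non-revocation outcome for intermediate CA certificates as well, so a strict CRL policy can act on it.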
- New options for vici/swanctl allow forcing the local termination of an IKE_SA. This might be
useful in situations where it's known the other end is not reachable anymore, or that it already
removed the IKE_SA, so retransmitting a DELETE and waiting for a response would be pointless.
Waiting only a certain amount of time for a response (i.e. shorter than all retransmits would be)
before destroying the IKE_SA is also possible by additionally specifying a timeout in the forced
termination request.
- When removing routes, the kernel-netlink plugin now checks if it tracks other routes for the same
destination and replaces the installed route instead of just removing it. Same during installation,
where existing routes previously weren't replaced. This should allow using traps with virtual IPs
on Linux (#2162).
- The dhcp plugin now only sends the client identifier DHCP option if the identity_lease setting is
enabled (7b660944b6). It can also send identities of up to 255 bytes length, instead of the
previous 64 bytes (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP requests
are now sent from port 67 instead of 68 to avoid ICMP port unreachables (becf027cd9).
- The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one containing a DH group that wasn't
proposed) during CREATE_CHILD_SA exchanges has been improved (#2536).
- Roam events are now completely ignored for IKEv1 SAs (there is no MOBIKE to handle such
changes properly).
- ChaCha20/Poly1305 is now correctly proposed without key length (#2614). For compatibility with
older releases the chacha20poly1305compat keyword may be included in proposals to also propose
the algorithm with a key length (c58434aeff).
- Configuration of hardware offload of IPsec SAs is now more flexible and allows a new setting (auto),
which automatically uses it if the kernel and device both support it. If hw_offload is set to yes and
offloading is not supported, the CHILD_SA installation now fails.
- The kernel-pfkey plugin optionally installs routes via internal interface (one with an IP in the local
traffic selector). On FreeBSD, enabling this selects the correct source IP when sending packets
from the gateway itself (e811659323).
- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1 (#2574).
- The pki --verify tool may load CA certificates and CRLs from directories.
- The IKE daemon now also switches to port 4500 if the remote port is not 500 (e.g. because the
remote maps the response to a different port, as might happen on Azure), as long as the local port
is 500 (85bfab621d).
- Fixed an issue with DNS servers passed to NetworkManager in charon-nm (ee8c25516a).
- Logged traffic selectors now always contain the protocol if either protocol or port are set (a36d8097ed).
- Only the inbound SA/policy will be updated as reaction to IP address changes for rekeyed CHILD_SAs
that are kept around.
- The parser for strongswan.conf/swanctl.conf now accepts = characters in values without having to
put the value in quotes (e.g. for Base64 encoded shared secrets).
- Notes for developers:
- trap_manager_t: Trap policies are now uninstalled by peer/child name and not the reqid.
No reqid is returned anymore when installing trap policies.
- child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that have been deleted but not yet
destroyed (after a rekeying, CHILD_SAs are kept around for a while to process delayed packets).
This way child_updown events are not triggered anymore for such SAs when an IKE_SA that has such
CHILD_SAs assigned is deleted.
Version 5.6.2¶
- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient
input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS
signatures is the mask generation function (MGF). Only MGF1 is currently specified for this purpose.
However, MGF1 in turn takes a parameter that specifies the underlying hash function. strongSwan's
parser did not correctly handle the case of this parameter being absent, causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
Please refer to our blog for details.
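A defensive parser for the RSASSA-PSS-params structure (RFC 8017, A.2.3), added here as an example and unrelated to strongSwan's ASN.1 code: it applies the RFC defaults for absent fields and rejects a maskGenAlgorithm whose MGF1 hash parameter is missing instead of reading past it. The two DER inputs are constructed by hand (SHA-256 with MGF1-SHA-256 and a 32-byte salt, and the same structure with the MGF1 parameter removed).

```python
# Added example: minimal DER reader for RSASSA-PSS-params (RFC 8017, A.2.3).
# Not strongSwan's ASN.1 code; the DER inputs at the bottom are constructed.

OID_SHA1 = "1.3.14.3.2.26"
OID_MGF1 = "1.2.840.113549.1.1.8"


def read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Dotted-string form of an OBJECT IDENTIFIER value."""
    if not value:
        raise ValueError("empty OID")
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            parts.append(str(acc))
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(parts)


def parse_algorithm_identifier(der: bytes) -> tuple:
    """Return (oid, parameters); parameters is None when the field is absent."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid), (body[pos:] if pos < len(body) else None)


def parse_pss_params(der: bytes) -> dict:
    """Parse RSASSA-PSS-params, applying the RFC 8017 defaults for absent fields."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected RSASSA-PSS-params SEQUENCE")
    params = {"hash": OID_SHA1, "mgf1_hash": OID_SHA1, "salt_len": 20, "trailer": 1}
    pos, last = 0, -1
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        idx = tag & 0x1F
        # fields are [0]..[3] EXPLICIT, each at most once, in ascending order
        if (tag & 0xE0) != 0xA0 or idx > 3 or idx <= last:
            raise ValueError("unexpected or out-of-order field")
        last = idx
        if idx == 0:
            params["hash"], _ = parse_algorithm_identifier(val)
        elif idx == 1:
            oid, mgf_params = parse_algorithm_identifier(val)
            if oid != OID_MGF1:
                raise ValueError("unsupported mask generation function")
            if mgf_params is None:
                # the case behind CVE-2018-6459: an absent hash parameter is
                # rejected here rather than read as if it were present
                raise ValueError("MGF1 hash algorithm parameter missing")
            params["mgf1_hash"], _ = parse_algorithm_identifier(mgf_params)
        else:
            t, v, _ = read_tlv(val, 0)
            if t != 0x02 or not v:
                raise ValueError("expected INTEGER")
            params["salt_len" if idx == 2 else "trailer"] = int.from_bytes(v, "big")
    return params


# Constructed inputs: SHA-256 / MGF1 with SHA-256 / 32-byte salt, and the same
# structure with the MGF1 hash parameter left out.
PSS_SHA256 = bytes.fromhex(
    "3034"
    "a00f300d06096086480165030402010500"
    "a11c301a06092a864886f70d010108300d06096086480165030402010500"
    "a203020120")
PSS_MGF1_NO_PARAMS = bytes.fromhex(
    "3025"
    "a00f300d06096086480165030402010500"
    "a10d300b06092a864886f70d010108"
    "a203020120")
```

Every length is checked against the enclosing buffer before a slice is taken, so truncated or nested-but-short encodings fail with a ValueError rather than an out-of-bounds read.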
- When rekeying IKEv2 IKE_SAs the previously negotiated DH group will be reused, instead of using
the first configured group, which avoids an additional exchange if the peer previously selected a
different DH group via INVALID_KE_PAYLOAD notify. The same is also done when rekeying CHILD_SAs
except for the first rekeying of the CHILD_SA that was created with the IKE_SA, where no DH group
was negotiated yet.
Also, the selected DH group is moved to the front in all sent proposals that contain it and all proposals
that don't are moved to the back in order to convey the preference for this group to the peer.
- Handling of MOBIKE task queuing has been improved. In particular, the response to an address update
(with NAT-D payloads) is not ignored anymore if only an address list update or DPD is queued as that
could prevent updating the UDP encapsulation in the kernel.
- On Linux, roam events may optionally be triggered by changes to the routing rules, which can be
useful if routing rules (instead of e.g. route metrics) are used to switch from one to another
interface (i.e. from one to another routing table). Since routing rules are currently not evaluated
when doing route lookups this is only useful if the kernel-based route lookup is used (4664992f7d).
- The fallback drop policies installed to avoid traffic leaks when replacing addresses in installed policies
are now replaced by temporary drop policies, which also prevent acquires because we currently delete and
reinstall IPsec SAs to update their addresses (35ef1b032d).
- X.509 certificates held in the non-volatile storage of a TPM 2.0 can be accessed via their NV index.
- Adding the --keyid parameter to pki --print allows to print private keys or certificates stored in a
smartcard or a TPM 2.0.
- Fixed proposal selection if a peer incorrectly sends DH groups in the ESP proposal during IKE_AUTH and
also if a DH group is configured in the local ESP proposal and charon.prefer_configured_proposals is
disabled (d058fd3c32).
- The lookup for PSK secrets for IKEv1 has been improved for certain scenarios (see #2497 for details).
- MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility issues with EAP-MSCHAPv2
and PRFs that have a block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
- The tpm_extendpcr command line tool extends a digest into a TPM PCR.
- Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
- The save-keys debugging/development plugin saves IKE and/or ESP keys to files compatible with Wireshark.
Version 5.6.1¶
- Several algorithms were removed from the default ESP/AH and IKE proposals in compliance with
RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH proposal were the
3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKE default
proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the
latter is significant for Windows clients in their default configuration).
These algorithms may still be used in custom proposals.
- Support for RSASSA-PSS signatures has been added. For compatibility with previous releases they are
currently not used automatically by default; to change that, charon.rsa_pss may be enabled. To explicitly
use or require such signatures during IKEv2 signature authentication (RFC 7427), ike:rsa/pss...
authentication constraints may be used for specific connections (regardless of whether the strongswan.conf
option above is enabled). Only the hash algorithm can be specified in such constraints; the MGF1 will be
based on that hash and the salt length will equal the hash length (when verifying, the salt length is not
enforced).
To enforce such signatures during PKI verification use rsa/pss... authentication constraints.
All pki commands that create certificates/CRLs can be made to sign with RSASSA-PSS instead of the
classic PKCS#1 scheme with the --rsa-padding pss option. As with signatures during authentication, only
the hash algorithm is configurable (via the --digest option); the MGF1 will be based on that and the salt
length will equal the hash length.
These signatures are supported by all RSA backends except pkcs11 (i.e. gmp, gcrypt, openssl). The gmp
plugin requires the mgf1 plugin.
Note that RSASSA-PSS algorithm identifiers and parameters in keys (public keys in certificates or private keys
in PKCS#8 files) are currently not used as constraints.
- The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu)
and sets the security flags in the IMV policy database accordingly. Additionally for each new package
version a SWID tag for the given OS and HW architecture is created and stored in the database.
Using the sec-updater.sh script template the lookup can be automated (e.g. via an hourly cron job).
- When restarting an IKEv2 negotiation after receiving an INVALID_KE_PAYLOAD notify (or due to other
reasons like too many retransmits) a new initiator SPI is allocated. This prevents issues caused by
retransmits for IKE_SA_INIT messages.
Because the initiator SPI was previously reused when restarting the connection, delayed responses for
previous connection attempts were processed and might have caused fatal errors due to a failed DH
negotiation or because of the internal retry counter in the ike-init task. For instance, if we proposed a
DH group the responder rejected we might have later received delayed responses that either contained
INVALID_KE_PAYLOAD notifies with the DH group we already switched to, or, if we retransmitted an
IKE_SA_INIT with the requested group but then had to restart again, a KE payload with a group different
from the one we proposed.
- The introduction of file versions in the IMV database scheme broke file reference hash measurements.
This has been fixed by creating generic product versions having an empty package name.
- A new timeout option for the systime-fix plugin stops periodic system time checks after a while and enforces
a certificate verification, closing or reauthenticating all SAs with invalid certificates.
- The IKE event counters, previously only available via ipsec listcounters command, may now also be queried and
reset via vici and the new swanctl --counters command. They are collected and provided by the optional
counters plugin (enabled by default for backwards compatibility if the stroke plugin is built).
- Class attributes received in RADIUS Access-Accept messages may optionally be added to RADIUS accounting
messages (655924074b).
- Basic support for systemd sockets has been added, which may be used for privilege separation (59db98fb94).
- Inbound marks may optionally be installed in the SA again (was removed with 5.5.2) by enabling the mark_in_sa
option in swanctl.conf.
- The timeout of leases in pools configured via pool utility may be configured in other units than hours.
- INITIAL_CONTACT notifies are now only omitted if never is configured as uniqueness policy.
- Outbound FWD policies for shunts are not installed anymore, by default (as is the case for other policies since 5.5.1).
- Don't consider a DH group mismatch during CHILD_SA rekeying as failure as responder (e7276f78aa).
- Handling of fragmented IPv4 and IPv6 packets in libipsec has been improved (e138003de9).
- Trigger expire events for the correct IPsec SA in libipsec (6e861947a0).
- A crash in CRL verification via openssl plugin using OpenSSL 1.1 has been fixed (78acaba6a1).
- No hard-coded default proposals are passed from starter to the stroke plugin anymore (the IKE proposal used
curve25519 since 5.5.2, which is an optional plugin).
- A workaround for an issue with virtual IPs on macOS 10.13 (High Sierra) has been added (039b85dd43).
- Handling of IKE_SA rekey collisions in charon-tkm has been fixed.
- Instead of failing or just silently doing nothing unit tests may now warn about certain conditions (e.g. if a test
was not executed due to external dependencies).
Version 5.6.0¶
- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
when verifying RSA signatures, which requires decryption with the operation m^e mod n, where m
is the signature, and e and n are the exponent and modulus of the public key. The value m is an
integer between 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the
calculation results in 0, in which case mpz_export() returns NULL. This result wasn't handled
properly causing a null-pointer dereference.
This vulnerability has been registered as CVE-2017-11185.
Please refer to our blog for details.
- The IMV database template has been adapted to achieve full compliance with the
ISO 19770-2:2015 SWID tag standard.
- The sw-collector tool extracts software events from apt history logs and stores them
in an SQLite database to be used by the SWIMA IMC. The tool can also generate SWID tags both
for installed and removed package versions.
- The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
- libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
- Adds the eap-aka-3gpp plugin, which implements the 3GPP MILENAGE algorithms in software.
K (optionally concatenated with OPc) may be configured as binary EAP secret in ipsec.secrets
or swanctl.conf.
- The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3:
- On Linux the outbound policy now has the SPI of the corresponding SA set and the responder
of a rekeying will install both IPsec SAs (in/out) immediately, but delay the update of the
outbound policy until it received the delete for the replaced CHILD_SA.
- The previous code temporarily installed an outbound IPsec SA/policy that was deleted
immediately afterwards when a rekey collision was lost, which caused a slight chance for traffic loss.
- The remote address must not be resolvable anymore when installing trap policies (at least not if the
remote traffic selector is not %dynamic, 1a8226429a).
- By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
swanctl.conf file.
- The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
- The sha2 plugin was changed so that the last output is not stored in an internal buffer anymore (1a75514b76, #2388).
- The encoding of nonces in OCSP requests was fixed in the x509 plugin (d7dc677ee5).
- The handling of keyUsage extensions in X.509 certificates was fixed in the openssl plugin (e793d65acd).
- pki loads the pubkey plugin to fix printing public keys (ef6b710f19).
- Some changes were added to the TestingEnvironment:
- do-tests supports running multiple tests via wildcards (e.g. do-tests ikev2/ocsp-*)
- With the -v option do-tests will prefix each executed command with a timestamp in console.log
- Tests in evaltest.dat can now easily match a specific number of lines (instead of [YES] or [NO]
use e.g. [2] if exactly two matching lines - or packets for tcpdump matches - are expected)
- Failed matches are now clearly marked in console.log
Version 5.5.3¶
- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
requirements regarding the passed exponent and modulus that the plugin did not
enforce; if these are not met the calculation will result in a floating point exception
that crashes the whole process.
This vulnerability has been registered as CVE-2017-9022.
Please refer to our blog for details.
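The two gmp-plugin fixes (CVE-2017-9022 in this release and CVE-2017-11185 in 5.6.0) come down to preconditions on the RSA verification primitive. The Python below is an added example, not the plugin's code: rsavp1() enforces the mpz_powm_sec() requirements (positive exponent, odd modulus) and the RFC 8017 range 0 <= s < n, and the unchecked variant shows how s == n turns into a zero-length result, the equivalent of mpz_export() returning NULL. The toy key is constructed for hand-checkable arithmetic and is far below any usable key size.

```python
# Added example (not strongSwan's gmp plugin): the RSA verification primitive
# with the input checks whose absence caused CVE-2017-9022 and CVE-2017-11185.

def rsavp1(s: int, e: int, n: int) -> int:
    """RSAVP1 from RFC 8017, 5.2.2, with explicit precondition checks."""
    # mpz_powm_sec() requires exp > 0 and an odd modulus; violating either is
    # the floating point exception described for CVE-2017-9022
    if e <= 0:
        raise ValueError("public exponent must be positive")
    if n <= 0 or n % 2 == 0:
        raise ValueError("modulus must be positive and odd")
    # RFC 8017: the signature representative s must lie in [0, n-1]; s == n
    # yields 0, the case behind CVE-2017-11185
    if not 0 <= s < n:
        raise ValueError("signature representative out of range")
    return pow(s, e, n)


def unchecked_em(s: int, e: int, n: int) -> bytes:
    """What a verifier without the range check computes: a zero result encodes
    to zero octets, the Python analogue of mpz_export() returning NULL."""
    m = pow(s, e, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def checked_em(sig: bytes, e: int, n: int) -> bytes:
    """Recover the encoded message EM from a signature (RFC 8017, 8.2.2 steps
    1-2): the octet length must equal the modulus length k and the representative
    must be in range. The output width is fixed at k, so it never degenerates
    into an empty string."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        raise ValueError("signature length does not match modulus size")
    m = rsavp1(int.from_bytes(sig, "big"), e, n)
    return m.to_bytes(k, "big")


# Constructed toy key (p = 61, q = 53): n = 3233, e = 17, d = 2753 with
# e*d = 1 mod phi(n). Only here to make the arithmetic checkable by hand.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def toy_sign(m: int) -> bytes:
    """s = m^d mod n, encoded in k octets (RFC 8017 I2OSP)."""
    k = (TOY_N.bit_length() + 7) // 8
    return pow(m, TOY_D, TOY_N).to_bytes(k, "big")


if __name__ == "__main__":
    print("valid:", checked_em(toy_sign(2790), TOY_E, TOY_N).hex())
    print("unchecked, s == n:", unchecked_em(TOY_N, TOY_E, TOY_N))
```

Note that the length check in checked_em() alone is not sufficient: the modulus itself has exactly k octets, so only the range check rejects s == n.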
- Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser
didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when
parsing X.509 extensions that use such types.
This vulnerability has been registered as CVE-2017-9023.
Please refer to our blog for details.
- The code base has been ported to Apple's ARM64 iOS platform, which required several
changes regarding the use of variadic functions. This was necessary because the calling
conventions for variadic and regular functions are different there.
This means that assigning a non-variadic function to a variadic function pointer, as we
did with our enumerator_t::enumerate() implementations and several callbacks, will
result in crashes as the called function accesses the arguments differently than the
caller provided them. To avoid this issue the enumerator_t interface has been changed
and the signature of the callback functions for enumerator_create_filter() and two
methods on linked_list_t have been changed. Refer to the developer notes below
for details.
- Adds support for fuzzing the certificate parser provided by the default plugins
(x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with
libFuzzer). Several issues found while fuzzing these plugins were fixed.
- Two new options have been added to charon's retransmission settings:
retransmit_limit and retransmit_jitter. The former adds an upper limit to the
calculated retransmission timeout, the latter randomly reduces it.
Refer to Retransmission for details.
- A bug in swanctl's --load-creds command was fixed that caused unencrypted
private keys to get unloaded if the command was called multiple times.
The load-key VICI command now returns the key ID of the loaded key on success.
- The credential manager now enumerates local credential sets before global ones.
This means certificates supplied by the peer will now be preferred over certificates
with the same identity that may be locally stored (e.g. in the certificate cache).
- Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for
specific hardware that supports this.
- To announce support for IKE fragmentation but not actively fragment IKE messages
the new accept option for the fragmentation setting may be used.
- If charon.plugins.socket-default.set_sourceif is enabled the socket-default plugin
sets the outbound interface via IP_PKTINFO/IN6_PKTINFO. This is usually not required
but could be used in special scenarios, e.g. to use IPv6 link-local addresses as
tunnel endpoints.
- Add support for SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for PF_KEYv2's SADB_UPDATE
message, which upcoming FreeBSD kernels will support for updating
IP addresses of existing SAs.
- The value of charon.plugins.kernel-netlink.xfrm_acq_expires is now determined
automatically based on the configured retransmission settings.
- If updating the inbound SA fails the kernel-netlink plugin now tries to add it, which
could be useful if the SPI already expired after lots of retransmits of several exchanges.
- charon-nm and the NetworkManager plugin now support customizing the IKE and
ESP proposals.
- With the sha256_96 compatibility option it's possible to locally configure 96-bit truncation
for HMAC_SHA256 (the correct truncation is 128 bit) when negotiated using the official
algorithm identifier (12). This is only useful for compatibility with peers that incorrectly
use this shorter truncation as the actual truncation length is not negotiated.
- The removal of all online leases by the attr-sql plugin at startup may now be disabled
to share the database between multiple instances.
- The pki tool loads the curve25519 plugin by default.
- When building the libraries monolithically and statically the plugin constructors are now
hard-coded in each library so the plugin code is not removed by the linker because it
thinks none of their symbols are ever referenced. This allows building an almost stand-alone
static version of e.g. charon when building with --enable-monolithic --enable-static
--disable-shared (without --disable-shared libtool will build a version that still links
the libraries dynamically, which might save some disk space if it's not necessary to link
them statically, however, using --enable-monolithic might be enough in that case).
External libraries (e.g. gmp or openssl) are not linked statically this way, though.
- Notes for developers:
- child_sa_t: The API used for installing policies and SAs has been changed (traffic
selectors are now only set once, outbound SAs and policies may be installed/uninstalled
separately).
- enumerator_t: A new mandatory method, venumerate(), has been added that takes
a va_list with the arguments provided while enumerating. enumerate() is replaced
with a generic implementation that prepares a va_list and calls the enumerator's
venumerate() implementation. As this allows passing the arguments of one enumerator
to another it avoids the five pointer hack previously used by enumerator_create_nested()
and enumerator_create_cleaner(). To simplify the implementation of venumerate() a
helper macro is provided that assigns values from a given va_list to local variables.
- enumerator_create_filter(): The signature of the callback has changed significantly.
It's now required to enumerate over the original enumerator in the callback itself, as
this avoids the previous in/out pointer hack. The arguments to the outer enumerator are
provided in a va_list.
- linked_list_t: To avoid the five pointer hack previously used the signatures of the
callbacks for linked_list_t's invoke_function() and find_first() methods have been
changed to take a va_list as second argument. For the latter method the return type also
changed from status_t to bool, which is important as SUCCESS is defined as 0, so checks
for == SUCCESS will now fail.
Version 5.5.2¶
- Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined by RFC 8031
is provided by the new curve25519 plugin.
- Support of Ed25519 digital signature algorithm for IKEv2 as defined by draft-ietf-ipsecme-eddsa
is provided by the new curve25519 plugin. Ed25519-based public key pairs, X.509 certificates and CRLs
can be generated and printed by the pki tool.
- The new tpm libtpmtss plugin allows to use persistent private RSA and ECDSA keys bound
to a TPM 2.0 for both IKE and TLS authentication. Using the TPM 2.0 object handle as keyid
parameter, the pki --pub tool can extract the public key from the TPM thereby replacing the
aikpub2 tool. In a similar fashion pki --req can generate a PKCS#10 certificate request signed
with the TPM private key. Optionally the tpm plugin may be used as RNG.
- The pki tool gained support for generating certificates with RFC 3779 addrblock extensions.
The charon addrblock plugin now dynamically narrows traffic selectors based on the certificate's
addrblocks instead of rejecting non-matching selectors completely. This allows generic connections,
where the allowed selectors are defined by the used certificates only.
- The optional bypass-lan plugin automatically installs and updates passthrough/bypass
policies for locally attached subnets. This is useful for mobile hosts that are used in different
networks that want to access local devices in these networks (e.g. printers or NAS) while
connected to a VPN.
- A command injection vulnerability in the ipsec script was fixed, which was exploitable if unprivileged
users were allowed to run the script via sudo (2ec6372f5a).
Thanks to Andrea Barisani for reporting this.
- Several new features for the VICI interface and the swanctl utility were added:
- Enumerating and unloading private keys and shared secrets (swanctl --load-creds now
automatically unloads removed secrets)
- Loading keys and certificates from PKCS#11 tokens or a TPM (refer to the documentation of
cert<suffix> and token<suffix> sections in swanctl.conf)
- The ability to initiate, install and uninstall connections and policies by their exact
name (if multiple child sections in different connections share the same name)
- Querying a specific pool
- A command to initiate the rekeying of IKE and IPsec SAs
- Public keys may be configured directly in swanctl.conf via 0x/0s prefix (actually works for
certificates too)
- The overhead of the VICI logger has been reduced as it now only does something if listeners
are registered
- Support for settings previously only supported by the old config files: DSCP, certificate
policies, IPv6 Transport Proxy Mode, NT hash secrets, mediation extension
- In-place update of cached base and delta CRLs does not leave dozens of stale copies in cache memory.
- Support for handling IKEV2_MESSAGE_ID_SYNC notifies as responder (usually the original initiator
of an IKE_SA) as defined in RFC 6311 was added. Some HA solutions use these notifies to set
the new IKEv2 message IDs after a failover event (currently not our HA solution, though).
- By default, the IKE daemon keeps SAs on the routing path with addresses it previously used if that
path is still usable. Enabling charon.prefer_best_path changes that and it will try more aggressively
to update SAs with MOBIKE on routing changes using the cheapest path. This adds more noise, but
allows to dynamically adapt SAs to routing priority changes, for instance, if some paths actually
generate more costs than others (597e8c9e00).
- If MOBIKE is disabled and the local address is statically configured the daemon will now ignore any
roaming events that might, otherwise, cause it to attempt to recreate the IKE_SA (be27e76869).
- Trap policies now use priorities from the same range as regular policies, which allows installing
overlapping trap policies (#1243).
- When proposing transport mode the IKE daemon now always applies the hosts to the traffic selectors.
It previously only did so if %dynamic was used as TS. However, that's not the case if wildcard trap
policies are configured (no single remote address specified). Once traffic matched, the daemon proposed
the configured remote TS as-is, which the responder then had to narrow down to its own local address.
Some third-party implementations, however, reject such non-host TS for transport mode SAs (da82786b2d).
- For AH the kernel-netlink plugin now enables the correct 4 byte alignment (by default, the kernel
uses an 8 byte alignment, which is mandatory for IPv6 but prohibited for IPv4, 965daa1df3).
- The kernel-netlink plugin now considers labels when selecting IPv6 addresses (#2138) and sets the
NODAD flag for virtual IPv6 addresses to avoid issues with failing DAD (#2183).
- The receive buffer size used by the kernel-netlink plugin is now configurable (8a91729dfe).
- Large responses to Netlink requests are now concatenated more efficiently by the kernel-netlink
plugin (6fe1d78a0d).
- If route installation is disabled (charon.install_routes) the kernel-netlink plugin now uses a more
efficient route lookup to determine source and next-hop addresses (558691b3b0).
- No mark is installed anymore on inbound IPsec SAs. So explicitly marking inbound traffic before
decryption is not necessary anymore (067fd2c69c).
- The range from which SPIs for IPsec SAs are allocated by the kernel is now configurable.
- PSKs for IKEv1 connections are now first looked up based on configured identities of connections
that match the IPs, before falling back to searching for PSKs for the IPs (#2223).
- The daemon now responds to DPDs for rekeyed IKEv1 SAs (#2090).
- charon-systemd now reloads strongswan.conf, the loggers and the plugins (that support it)
when it receives a SIGHUP. The same may be achieved via VICI's reload-settings command, which
previously did not reload the loggers.
- Validation via OCSP and CRLs can be disabled individually in the revocation plugin.
- RFC 5114 DH groups were removed from the default proposal (649537ee8d), they may be used if
configured explicitly.
- A memory leak was fixed when CHILD_SA configs were updated via VICI (da1d5cd2e6).
- The plugin loader now correctly hashes registered plugin features (ac4942c3c3).
- Notes for developers:
- Due to issues with VICI bindings that map sub-sections to dictionaries (e.g. Python)
the CHILD_SA sections returned via list-sas now have a unique name. The original name
of a CHILD_SA is returned in the name key of its section.
- To simplify loading certificates via VICI when running on the same host as the daemon
absolute paths to certificates (instead of their binary encoding) may be passed via
cert<suffix> sections (file key).
- The load-testconfig script now loads the configs from the source directory and pre-processes
them properly (previously it was required to run do-tests once for the target scenario).
Version 5.5.1¶
- The newhope plugin implements the post-quantum NewHope key exchange algorithm
proposed in their 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
Peter Schwabe.
- The libstrongswan crypto factory now offers the registration of Extended
Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
implemented by the sha3 plugin, ChaCha20 implemented by the chapoly plugin
and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
- By default, the "outbound" FWD policies, introduced with 5.5.0, are not installed anymore.
They may be enabled via the policies_fwd_out setting in swanctl.conf/vici for a specific
CHILD_SA if its traffic would otherwise get blocked by a drop policy.
A bug in regards to updating reqids in the kernel-netlink plugin, that was particularly a problem
with duplicate "outbound" FWD policies, has also been fixed (175d78df60).
- XFRM policy hashing thresholds may be configured via strongswan.conf. This can significantly
improve the performance on hosts where the number of flows exceeds the flow cache size of the
Linux kernel. Policies covering more than a single address don't get hash-indexed by default,
which results in wasting most of the cycles in xfrm_policy_lookup_bytype() and the called
xfrm_policy_match(). Since Linux 3.18 the kernel can hash the first n bits of a policy subnet to
perform indexed lookups. With correctly chosen thresholds this can completely eliminate the
performance impact of policy lookups.
Note: Due to a bug in Linux 3.19 through 4.7, the kernel crashes with a NULL pointer dereference
if a socket policy (used by strongSwan to exempt IKE traffic from IPsec tunnels) is installed while
hash thresholds are changed. See ac9759a532 for details and a workaround.
- The NetworkManager integration has been updated to support NM 1.2.
The directory from which CA certificates are loaded if no certificate is configured in the GUI can
now be configured via strongswan.conf using the new charon-nm.ca_dir setting.
- IKE fragmentation is now enabled by default with the default fragment size set to 1280 bytes
for both IP address families.
- A DELETE is sent when a rekeyed IKEv1 SA is deleted. This fixes issues with peers that continue
to send DPDs on the old SA and then delete all SAs if no response is received (see #2090).
Also, when terminating IKEv1 SAs, DELETEs for all CHILD_SAs are now sent before sending one for
the IKE_SA and destroying it.
- The pki tool, with help of the pkcs1 or openssl plugins, can parse private keys in any of the
supported formats without having to know the exact type. So instead of having to specify rsa or
ecdsa explicitly the keyword priv may be used to indicate a private key of any type.
Similarly, swanctl can load any type of private key from the swanctl/private directory.
- The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
sha3 and gmp plugins.
- The VICI flush-certs command flushes certificates from the volatile certificate cache.
Optionally the type of the certificates to be flushed (e.g. type = x509_crl) can be specified.
- When setting charon.cache_crls = yes in strongswan.conf the vici plugin saves regular,
base and delta CRLs to disk.
Fetched CRLs are now also cached if the checked certificate has been revoked.
- The serial number for delta CRLs generated by pki --signcrl is now based on
the given base CRL again (was broken since 4.6.3).
- Delta CRLs are now properly cached in-memory (and on disk) together with their base. Before this
the presence of a delta CRL might have required that the base be refetched every time.
- When verifying trust chains with pki --verify, local CRLs may now be specified with the
new --crl argument.
- IKE and ESP/AH proposals configured as strings in ipsec.conf and swanctl.conf (or VICI) are now
checked to avoid invalid proposals. For instance, the presence of DH, PRF and encryption algorithms
in IKE proposals is now enforced, and AEAD and regular encryption algorithms are not allowed in
the same proposal anymore. Also fixed is the mapping of the aes*gmac keywords to an integrity
algorithm in AH proposals.
- Unmarked packets may now be matched by setting 0/0xffffffff as XFRM mark (33d3ffde25).
- The maximum registered log level is now determined correctly if loggers implementing only
log or vlog are mixed (dac15e03c8).
- In addition to the existing ike_keys and child_keys hooks on listener_t, two new hooks,
ike_derived_keys and child_derived_keys, allow listeners to receive the derived IKE and
CHILD_SA keys.
- The check for libatomic has been improved (6e19a1f5f2).
- The use of AES-GCM with BoringSSL has been fixed (c72c6e9225).
- libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
tss2_tcti_finalize().
- The results of leak-detective are now evaluated in our testing environment, which
led to the fixing of several memory leaks.
- No key and self-signed certificate is generated by starter anymore if ipsec.secrets does not exist.
- The long unmaintained Maemo plugin and frontend have been removed.
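The policy hash thresholds from the first item of this version's notes, modelled as an added example (constructed code, not strongSwan's or the kernel's): it applies the kernel rule that a policy is only hash-indexed when both selector prefixes are at least as long as the thresholds, and counts the xfrm_policy_match() calls one lookup costs with the kernel defaults versus thresholds that fit the installed subnets. It assumes IPv4 and the outbound direction only, with lbits/rbits meaning local (source) and remote (destination) bits as in `ip xfrm policy set hthresh4 LBITS RBITS`.

```python
"""Model of Linux XFRM policy hash thresholds (constructed example, not
strongSwan or kernel code). IPv4 and the outbound direction only: lbits masks
the local (source) address, rbits the remote (destination) address."""
import bisect
import ipaddress
from dataclasses import dataclass, field


def mask_prefix(addr: int, bits: int) -> int:
    """Keep the first `bits` bits of an IPv4 address (bits == 0 keeps nothing)."""
    return addr & ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF) if bits else 0


@dataclass(order=True)
class Policy:
    priority: int                  # lower value wins, like the kernel
    seq: int                       # insertion order breaks priority ties
    src: ipaddress.IPv4Network = field(compare=False)
    dst: ipaddress.IPv4Network = field(compare=False)
    action: str = field(compare=False)

    def matches(self, saddr, daddr) -> bool:   # stands in for xfrm_policy_match()
        return saddr in self.src and daddr in self.dst


class PolicyTable:
    """policy_bydst hash table plus the policy_inexact list of one direction."""

    def __init__(self, lbits: int = 32, rbits: int = 32):   # kernel defaults
        self.sbits, self.dbits = lbits, rbits
        self.hashed = {}     # (masked dst, masked src) -> policies sorted by priority
        self.inexact = []    # policies whose selectors are shorter than a threshold
        self.seq = 0

    def _key(self, saddr, daddr):
        return (mask_prefix(int(daddr), self.dbits), mask_prefix(int(saddr), self.sbits))

    def add(self, src: str, dst: str, action: str, priority: int) -> None:
        pol = Policy(priority, self.seq, ipaddress.ip_network(src),
                     ipaddress.ip_network(dst), action)
        self.seq += 1
        # __sel_hash(): a selector shorter than the threshold cannot be hashed
        if pol.src.prefixlen < self.sbits or pol.dst.prefixlen < self.dbits:
            bisect.insort(self.inexact, pol)
        else:
            key = self._key(pol.src.network_address, pol.dst.network_address)
            bisect.insort(self.hashed.setdefault(key, []), pol)

    def lookup(self, saddr: str, daddr: str):
        """Return (action or None, number of xfrm_policy_match() calls made)."""
        saddr, daddr = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
        compared, best = 0, None
        # 1. the hash chain for this flow: first match wins (chain is priority-sorted)
        for pol in self.hashed.get(self._key(saddr, daddr), []):
            compared += 1
            if pol.matches(saddr, daddr):
                best = pol
                break
        # 2. the inexact list: walked until its priority is worse than the chain's match
        for pol in self.inexact:
            if best is not None and pol.priority >= best.priority:
                break
            compared += 1
            if pol.matches(saddr, daddr):
                best = pol
                break
        return (best.action if best else None, compared)


def build_table(lbits: int, rbits: int, subnets: int = 1000) -> PolicyTable:
    """Constructed site: local /16, one remote /24 per branch, plus a catch-all drop."""
    table = PolicyTable(lbits, rbits)
    for i in range(subnets):
        table.add("192.168.0.0/16", f"10.{i // 256}.{i % 256}.0/24", "allow", 1000)
    table.add("0.0.0.0/0", "0.0.0.0/0", "drop", 2000)
    return table


if __name__ == "__main__":
    for lbits, rbits in ((32, 32), (24, 24), (16, 24)):
        action, calls = build_table(lbits, rbits).lookup("192.168.1.1", "10.3.231.5")
        print(f"hthresh4 {lbits} {rbits}: {action}, {calls} policy comparisons")
```

Running it shows that with a /16 local and /24 remote subnets both the defaults (32/32) and a too-strict 24/24 walk all 1000 policies linearly, while 16/24 hashes them and compares exactly one.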
Version 5.5.0
- The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.
This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.
- The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases
and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies, as defined by RFC 7296,
has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.
- IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound
policies may be restricted to a network interface. These options are only configurable via swanctl.conf.
An example is provided in the swanctl/manual-prio scenario.
- The scheme for the automatically calculated default priorities has been changed and now also
considers port masks, which were added with 5.4.0 (for details see d3af3b799f).
- FWD policies are now installed in both directions with regard to the traffic selectors (9c12635252).
Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for
example, in the swanctl/net2net-gw or the ikev2/ip-two-pools-db scenarios) they are installed
with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the
two and prefer those with a reqid.
- How the interface for routes installed with policies is determined has changed (96b1fab53c). In most
cases the interface over which the other peer is reached is now used, not the interface on which the local
address (or the source IP) is installed. However, that might be the same interface depending on the
configuration (i.e. in practice there will often not be a change).
- No routes are installed anymore for drop policies and policies with port/protocol selector (e7369a9dc5).
- For outbound IPsec SAs no replay window is configured anymore.
- When using unique marks (mark=%unique) the allocated mark is now correctly passed to the
updown script (b210369314).
- DNS servers installed by the resolve plugin are now refcounted, which should fix its use with
make-before-break reauthentication. Any output written to stderr/stdout by resolvconf is now logged.
- Negotiation of ESN with IKEv1 is supported (40bb4677f7).
- The default plugin load list may now be modified by specifying the individual load setting of a plugin.
- Fixed how mappings are stored in the eap-simaka-pseudonym plugin (5005325020).
- Support for BoringSSL and OpenSSL 1.1.0 has been added.
- Notes for developers:
  - The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.
  - Similarly the constructors for peer_cfg_t and child_cfg_t now take structs.
  - We now use the standard unsigned integer types (e.g. uint64_t instead of u_int64_t).
- The testing environment now uses images based on Debian jessie (stable).
Version 5.4.0
- Support for IKEv2 redirection (RFC 5685) has been added. Plugins may
implement the redirect_provider_t interface (source:src/libcharon/sa/redirect_provider.h)
to decide if and when to redirect connecting clients. It is also possible to
redirect established IKE_SAs based on different selectors via vici/swanctl.
Unless disabled in strongswan.conf the charon daemon will follow redirect
requests received from servers.
- The ike: prefix enables the explicit configuration of signature scheme
constraints against IKEv2 authentication in rightauth, which allows the use
of different signature schemes for trustchain verification and authentication.
Configuration of such constraints via vici/swanctl is now also possible.
- The initiator of an IKEv2 make-before-break reauthentication now suspends
online certificate revocation checks (OCSP, CRLs) until the new IKE_SA and all
CHILD_SAs are established. This is required if the checks are done over the
CHILD_SA established with the new IKE_SA, which is not possible until the
initiator installs this SA, and that only happens after the authentication has
completed successfully. So we suspend the checks during the reauthentication
and do them afterwards; if they fail, the IKE_SA is closed. This change has no
effect on the behavior during the authentication of the initial IKE_SA.
- For the vici plugin a Vici:Session Perl CPAN module has been added to allow
Perl applications to control and/or monitor the IKE daemon using the VICI
interface, similar to the existing Python egg or Ruby gem.
- Traffic selectors with port ranges can now be configured in the Linux kernel:
e.g. remote_ts = 10.1.0.0/16[tcp/20-23] and local_ts = dynamic[tcp/32768-65535].
The port range must map to a port mask, though, since the kernel does not
support arbitrary ranges.
- The vici plugin allows the configuration of IPv4 and IPv6 address ranges
in local and remote traffic selectors. Since neither the Linux kernel nor
iptables can handle arbitrary ranges, address ranges are mapped to the
next larger CIDR subnet by the kernel-netlink and updown plugins, respectively.
- Implemented IKEv1 IPv4/IPv6 address subnet and range identities that can be
used as owners of shared secrets.
- The new p-cscf plugin can request P-CSCF server addresses from an ePDG via
IKEv2 (RFC 7651). Addresses of the same families as that of requested virtual
IPs are requested if enabled in strongswan.conf for a particular connection.
The plugin currently writes received addresses to the log.
- The default proposals now use a security strength of 128 bit. The default DH group
for IKE is now either ecp256 or modp3072, depending on whether the openssl plugin
is loaded or not. The default ESP proposal is aes128-sha256, which requires HMAC-SHA2-256
support with 128 bit truncation, which the Linux kernel correctly implements since 2.6.33.
But there are reports that other implementations might still not do so (#1353).
- DH groups are now listed for CHILD_SAs in ipsec statusall. Note that for IKEv2 the
first CHILD_SA is created without a separate DH exchange (the key material is derived
from the IKE keys). Therefore any DH group will only be listed after the first rekeying
of such a CHILD_SA. For CHILD_SAs created with a separate CREATE_CHILD_SA exchange
and for IKEv1 a DH group will always be listed if PFS is used.
- IKE SPIs are now printed in network byte order in log messages and status output.
- Start actions configured via vici are reversed when configs are unloaded, unchanged
child configs are not affected by this anymore. Any IKE_SA that ends up without CHILD_SAs
after that is now closed.
- Asynchronous initiation and termination is supported via vici by specifying a timeout of -1.
- To distinguish child configs with the same name associated with different
connection entries the name of the connection may be sent in the initiate/install
vici commands using the ike parameter.
- The vici plugin and swanctl now support authentication with raw public keys. Also,
the commands used to manage and list certificates/keys have been extended.
- Multiple authentication rounds sent via vici may now be ordered by the optional round
parameter instead of by the order of the local/remote* sections in the request (required for
the Perl bindings that don't use ordered dictionaries).
- The vici plugin and swanctl are now enabled by default.
- CHILD_SAs of IKEv1 SAs might now optionally (charon.delete_rekeyed in strongswan.conf)
be deleted immediately after they got successfully rekeyed instead of waiting for the hard
timeout, which could be problematic if traffic based limits are used.
- The charon.reuse_ikesa option is now always enabled for IKEv1 (24ab8530e5).
- IPv6 virtual IPs are now correctly sent for IKEv1 (91d80298f9). The incorrect encoding is
still accepted but the new encoding might cause problems for older strongSwan clients.
- No NAT keepalives are sent if a host has lost connectivity (i.e. no local address is found to
reach the peer).
- In the log threads may optionally be identified by their actual thread ID instead of a simple
incremented value starting from 1 (--enable-log-thread-ids).
- libhydra has been removed, all plugins and the kernel interface have been integrated
into libcharon.
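The two range mappings described in this version's notes (port ranges that must map to a port mask, address ranges widened to the next larger CIDR subnet), as an added example that is not strongSwan's code: it parses the swanctl traffic-selector notation used above, e.g. 10.1.0.0/16[tcp/20-23], and rejects a port range that no mask can express. The exact-cover condition (power-of-two size, aligned start) is the standard one for a value/mask selector; the parser accepts only the simple forms shown here.

```python
"""Constructed helpers (not strongSwan code) for the two range mappings:
a port range is only installable as a port/mask pair, and an address range is
widened to the smallest CIDR block that contains both ends."""
import ipaddress
import re
from typing import Optional, Tuple

# '<addr>[<proto>/<lo>-<hi>]' as written in swanctl.conf local_ts/remote_ts
TS_RE = re.compile(
    r"^(?P<addr>[^\[]+)"
    r"(?:\[(?P<proto>[a-z0-9]+)(?:/(?P<lo>\d+)(?:-(?P<hi>\d+))?)?\])?$")


def port_range_to_mask(lo: int, hi: int) -> Optional[Tuple[int, int]]:
    """Return (port, mask) for lo-hi, or None when no mask expresses the range.

    A range equals a port/mask pair exactly when its size is a power of two and
    its first port is a multiple of that size (20-23 -> 20/0xfffc, 20-22 -> None).
    """
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError(f"invalid port range {lo}-{hi}")
    size = hi - lo + 1
    if size & (size - 1) or lo % size:
        return None
    return lo, 0xFFFF & ~(size - 1)


def range_to_cidr(first: str, last: str):
    """Smallest CIDR block covering first..last (may add addresses beyond the range)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a.version != b.version or a > b:
        raise ValueError(f"invalid address range {first}-{last}")
    # the bits both ends share form the longest prefix that still covers both
    prefix = a.max_prefixlen - (int(a) ^ int(b)).bit_length()
    return ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def parse_traffic_selector(spec: str) -> dict:
    """Turn a swanctl TS string into what the kernel selector can carry."""
    m = TS_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unparsable traffic selector {spec!r}")
    addr = m["addr"]
    if addr == "dynamic":
        net = "dynamic"                      # replaced by the virtual/own IP at runtime
    elif "-" in addr:
        net = str(range_to_cidr(*addr.split("-", 1)))
    else:
        net = str(ipaddress.ip_network(addr, strict=False))
    port, mask = 0, 0                        # 0/0 means any port
    if m["lo"]:
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        ports = port_range_to_mask(lo, hi)
        if ports is None:
            raise ValueError(f"port range {lo}-{hi} is not a port mask")
        port, mask = ports
    return {"net": net, "proto": m["proto"] or "any", "port": port, "mask": mask}


if __name__ == "__main__":
    for ts in ("10.1.0.0/16[tcp/20-23]", "dynamic[tcp/32768-65535]",
               "10.1.0.10-10.1.0.20", "10.1.0.0/16[tcp/20-22]"):
        try:
            print(ts, "->", parse_traffic_selector(ts))
        except ValueError as err:
            print(ts, "->", err)
```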
Version 5.3.5
- Properly handle potential EINTR errors in sigwaitinfo(2) calls that replaced
sigwait(3) calls with 5.3.4 (#1213).
- RADIUS retransmission timeouts are now configurable via strongswan.conf,
courtesy of Thom Troy.
Version 5.3.4
- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
was caused by insufficient verification of the internal state when handling
EAP-MSCHAPv2 Success messages received by the client.
This vulnerability has been registered as CVE-2015-8023.
Please refer to our blog for details.
- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
Within the strongSwan framework SHA3 is currently used for BLISS signatures
only because the OIDs for other signature algorithms haven't been defined
yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
- The EAP-MSCHAPv2 username now replaces the identity of any previous EAP-Identity
exchange (#1182).
- A bug with setting the source IP for IKE packets was fixed that caused problems with
newer compilers (#1171).
- Some VICI commands received updates: NAT information and virtual IPs are listed for
IKE_SAs (04f22cdabc, bdb8b76515), IP address leases are optionally listed
for pools defined via VICI (f4641f9e45).
- Fetching CRLs in PEM format is now supported and using the curl plugin to fetch CRLs
from file:// URIs has also been fixed (#1203).
- CRLs added via VICI are now properly added to the credential set (e5e352e631).
- IKEv2 NAT-D payloads are now created in a more static way, which ensures they stay the
same when retrying to establish an IKE_SA (e.g. due to INVALID_KEY_PAYLOAD notifies, #1131).
- Fixed compress=yes (IPComp) with IPv6 and leftfirewall=yes (382f8a334a).
- The del_policy method of kernel_ipsec_t now receives the same information originally
passed to add_policy (a6e0f14fd2).
- The kernel-netlink plugin allows IPsec policies to replace shunt policies, which allows
configuring matching type=drop policies alongside auto=add connections.
- To debug custom plugins they can now optionally be loaded with RTLD_NOW so missing
symbols are revealed immediately (via charon.dlopen_use_rtld_now). The same applies
for custom IMVs/IMCs.
- The Android app has been updated to use the Gradle build system.
Version 5.3.3
- Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and
RFC 7634 using the chacha20poly1305 ike/esp proposal keyword.
The new chapoly plugin implements the cipher, if possible SSE-accelerated on x86/x64
architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP backend.
On Linux 4.2 or newer the kernel-netlink plugin can configure the cipher for ESP SAs.
- The vici/swanctl interface now supports the configuration of auxiliary certification
authority information, such as CRL and OCSP URIs.
- In the bliss plugin the c_indices derivation using a SHA-512 based random oracle
has been fixed, generalized and standardized by employing the MGF1 mask generation
function with SHA-512. As a consequence BLISS signatures using the improved oracle
are not compatible with the earlier implementation.
- Support for auto=route with right=%any for transport mode connections has been
added (refer to #196-6 for details and some examples).
- The starter daemon does not flush IPsec policies and SAs anymore when it is stopped.
Already existing duplicate policies are now overwritten by the IKE daemon when it
installs its policies (695112d7b8, dc2fa791e4). Usually, there shouldn't be any
leftovers after the IKE daemon has been properly terminated, but if it crashes the kernel
state won't be cleaned up. Because earlier releases couldn't handle already existing
duplicate policies in the kernel, the starter daemon flushed them during shutdown so
the daemon would find a clean slate when it was restarted. Since existing policies are not
a problem anymore this is no longer necessary. And in situations where installpolicies=no
is used policies shouldn't be flushed blindly anyway.
- Init limits can now optionally be enforced when initiating SAs via VICI. For this IKE_SAs
initiated by the daemon are now also counted as half-open SAs, which, as a side-effect,
fixes the status output while connecting (e.g. in ipsec status).
- Symmetric configuration of EAP methods in left|rightauth is now possible when mutual
EAP-only authentication is used (previously, the client had to configure rightauth=eap
or rightauth=any, which prevented it from using this same config as responder).
- The initiator flag in the IKEv2 header is compared again (wasn't the case since 5.0.0) and
packets that have the flag set incorrectly are again ignored (47a340e1f7, 5fee79d854).
- Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy Device Health
Assessment Trusted Network Connect Binding" (HCD-TNC) document drafted by the IEEE
Printer Working Group (PWG), see HCD-IMC and HCD-IMV.
- Fixed IF-M segmentation which failed in the presence of multiple small attributes in front
of a huge attribute to be segmented (10f25a3dd9).
- Refcounting for allocated reqids has been fixed for situations where make-before-break
reauthentication is used and CHILD_SAs have already been rekeyed (3665adef19).
- Fixed a crash when retrying CHILD_SA rekeying due to a DH group mismatch (1729df9275).
- If multiple CA certificates are set in swanctl.conf (connections.<conn>.remote<suffix>.cacerts)
it is now enough if the certificate chain contains at least one of them, not all (774c8c3847).
- Referring to a CA certificate in ipsec.d/cacerts in a ca section does not cause duplicate
certificate requests anymore (was the case since 5.3.0, #842-10). CA certificates are
now atomically reloaded by ipsec rereadcacerts so unchanged certificates are always
available. The command now also reloads certificates referenced in CA sections.
- Inbound IKEv1 messages are now handled with different job priorities (a5c07be058).
- When strongSwan creates ASN.1 DN identities from strings, it now uses UTF8String
instead of T61String to encode RDNs that contain characters outside the character set
of PrintableString.
- The new pki --dn command extracts subject DistinguishedNames from certificates,
which is useful if the automatic identity parsing is unable to produce the correct
binary ASN.1 encoding of the DN from its string representation.
- To implement IPv6 NDP proxying via updown script (e.g. via ip -6 neigh add proxy)
the virtual IPs assigned to a client are now passed to the script (#1008).
- RADIUS Accounting Start messages are now correctly triggered for IKEv1 SAs when clients
don't do any Mode Config or XAuth exchanges during reauthentication (#937).
- Support for the Framed-IPv6-Address and DNS-Server-IPv6-Address RADIUS attributes has
been added. Virtual IPv6 addresses are now sent in Framed-IPv6-Address attributes in
RADIUS Accounting messages (#1001).
- Some fixes went into the HA plugin and related code: The jhash() function was updated
for Linux 4.1+ (93caf23e1b), NAT keepalives (edaba56ec7) and CHILD_SA rekeying
(e095d87bb6) are now disabled for passive SAs, and the remote address is synced
when an SA is first added (3434709460). Also, the use of AEAD algorithms in CHILD_SAs
has been fixed (#1051) and the control FIFO is recreated if it is no FIFO (fffee7c759).
- The buffer size for the Netlink receive buffer has been changed, the default is now the same
as in the kernel (a6896b6149, 197de6e66b).
- In particular for hosts with lots of routes an alternative faster source address lookup may be
used by setting charon.plugins.kernel-netlink.fwmark=!<mark> (6bd1216e7a).
- The kernel-pfkey plugin now can configure AES-GCM, which is supported on FreeBSD 11.
- Fixed some potential race conditions during shutdown of the daemon (#1014).
- Address resolution has been improved: If a local address is configured we use the same
address family when resolving the remote address (#993). If the remote address resolves
to %any during reauthentication or when reestablishing an SA we keep the current
address (#1027).
- A new option allows disabling the side-swapping based on the addresses/hostnames in
left|right, when the stroke plugin loads a config from ipsec.conf.
Version 5.3.2
- Fixed a vulnerability that allowed rogue servers with a valid certificate
accepted by the client to trick it into disclosing its username and even
password (if the client accepts EAP-GTC). This was caused because constraints
against the responder's authentication were enforced too late.
This vulnerability has been registered as CVE-2015-4171.
Please refer to our blog for details.
Version 5.3.1
- Fixed a denial-of-service and potential remote code execution vulnerability
triggered by IKEv1/IKEv2 messages that contain payloads for the respective
other IKE version. Such payloads are treated specially since 5.2.2, but because
they were still identified by their original payload type they were used as
such in some places, causing invalid function pointer dereferences.
The vulnerability has been registered as CVE-2015-3991.
Please refer to our blog for details.
- The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto
primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ
instructions and works on both x86 and x64 architectures. It provides
superior crypto performance in userland without any external libraries.
- Fixed an issue with IKEv2 fragmentation (introduced with 5.2.1) and encryption
algorithms that use sequential IVs (e.g. AES-GCM). Previously the IKE message ID was
used as IV, but with IKEv2 fragmentation this ID is not unique anymore, causing the
same IV to get used for fragments of the same message. This was fixed by including
the fragment identifier in the IV (62e0abe759).
- The TLS client in libtls now rejects Diffie-Hellman groups with primes < 1024 bit (47e96391f2).
- The accuracy of usage statistics reported via RADIUS Accounting has been
increased in several situations (e.g. if interim updates occur while rekeying a CHILD_SA).
- A constant time memory comparison utility function (chunk_equals_const) was
added for cryptographic purposes (aa9b74931f).
- The interface for DH implementations was extended to enable unit tests (44136bec94).
- Fixed initialization of HMAC primitives in the openssl plugin for newer
OpenSSL releases (c2906c8f21).
- ike-updown and child-updown events are now relayed via VICI (a7e4a2d6c2).
- The Ruby Gems and Python Eggs built with --enable-ruby-gems|--enable-python-eggs are
not installed anymore during make install. To do so the options --enable-ruby-gems-install
and/or --enable-python-eggs-install may be passed to ./configure (f16f792e17).
Version 5.3.0
- Added support for IKEv2 make-before-break reauthentication. By using a global
CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
This allows the use of make-before-break instead of the previously supported
break-before-make reauthentication, avoiding connectivity gaps during that
procedure. As the new mechanism may fail with peers not supporting it (such
as any previous strongSwan release) it must be explicitly enabled using
the charon.make_before_break strongswan.conf option.
- Support for Signature Authentication in IKEv2 (RFC 7427) has been added.
This allows the use of stronger hash algorithms for public key authentication.
By default, signature schemes are chosen based on the strength of the
signature key, but specific hash algorithms may be configured in leftauth.
- Key types and hash algorithms specified in rightauth are now also checked
against IKEv2 signature schemes. If such constraints are used for certificate
chain validation in existing configurations, in particular with peers that
don't support RFC 7427, it may be necessary to disable this feature with the
charon.signature_authentication_constraints setting, because the signature
scheme used in classic IKEv2 public key authentication may not be strong
enough.
- The new connmark plugin allows a host to bind conntrack flows to a specific
CHILD_SA by applying and restoring the SA mark to conntrack entries. This
allows a peer to handle multiple transport mode connections coming over the
same NAT device for client-initiated flows (a common use case is to protect
L2TP/IPsec). See ikev2/host2host-transport-connmark for an example.
- The forecast plugin can forward broadcast and multicast messages between
connected clients and a LAN. For CHILD_SA using unique marks, it sets up
the required Netfilter rules and uses a multicast/broadcast listener that
forwards such messages to all connected clients. This plugin is designed for
Windows 7 IKEv2 clients, which announce their services over the tunnel if the
negotiated IPsec policy allows it. See ikev2/forecast for an example.
- For the vici plugin a Python Egg has been added to allow Python applications
to control or monitor the IKE daemon using the VICI interface, similar to the
existing ruby gem. The Python library has been contributed by Björn Schuberg.
- EAP server methods now can fulfill public key constraints, such as rightcert
or rightca. Additionally, public key and signature constraints can be
specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
EAP-TTLS methods provide verification details to constraints checking.
- The BLISS post-quantum signature algorithm has been upgraded to the improved BLISS-B
variant. It can be used in conjunction with the SHA256, SHA384 and SHA512 hash
algorithms, with SHA512 being the default.
- The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
as seen by the TNC server available to all IMVs. This information can be
forwarded to policy enforcement points (e.g. firewalls or routers).
- The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
PT-TLS transport medium.
- SPIs in IKEv1 DELETE payloads are now compared to those of the current IKE SA.
This is required for interoperability with OpenBSD's isakmpd, which always uses the
latest IKE SA to delete other expired SAs.
- The files plugin provides a simple fetcher for file:// URIs (1735d80f38).
- Fixed CRL verification for PKIs that don't use SHA-1 hashes of the public key
as subjectKeyIdentifier or authorityKeyIdentifier (6133770db4).
- Route priorities are now considered when doing manual route lookups (6b57790270).
- Policies are now removed from the kernel before IPsec SAs, to avoid acquires
for untrapped policies (46188b0eb0).
Version 5.2.2
- Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
payload that contains the Diffie-Hellman group 1025. This identifier was
used internally for DH groups with custom generator and prime. Because
these arguments are missing when creating DH objects based on the KE payload
an invalid pointer dereference occurred. This allowed an attacker to crash
the IKE daemon with a single IKE_SA_INIT message containing such a KE
payload. The vulnerability has been registered as CVE-2014-9221.
Please refer to our blog for details.
- The left/rightid options in ipsec.conf, or any other identity in strongSwan,
now accept prefixes to enforce an explicit type, such as email: or fqdn:.
Note that no conversion is done for the remaining string, refer to the
conn section reference (or the ipsec.conf(5) man page) for details.
- Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
cause interoperability issues when connecting to older versions of charon (#771).
- Support to configure IP address pools as ranges (<from IP>-<to IP>) in
ipsec.conf and swanctl.conf has been added.
- The first and last addresses in subnet based pools are now skipped properly and
the pools' sizes are adjusted accordingly. This is also the case if pools are
configured with an offset, e.g. 192.168.0.100/24, which reduces the number of
available addresses from 254 to 155; assignment now starts at .100, not .101,
that is, .100-.254 are assignable to clients.
- Many uses of select(2) have been replaced by calls to poll(2), which avoids problems
with more than 1024 open file descriptors (see #757).
- Only payloads with payload types defined for the currently handled IKE version are now parsed,
all other payloads are ignored (see mailing list).
- On Windows ALE layer WFP rules are introduced to accept tunnel mode packets in
stateful packet filtering if default-drop policies are used (e61841a211).
- The new --pkcs12 command for pki provides basic support for PKCS#12
containers, namely listing and exporting credentials.
- Correctly configure replay window size on FreeBSD and Mac OS X (d21b01462e).
- Accept IPComp proposals with 4 octet long CPI values (4141f01671).
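The pool sizing rule from this version's notes (network and broadcast address skipped, an offset such as 192.168.0.100/24 giving 155 addresses starting at .100, and explicit <from IP>-<to IP> ranges), as an added example that is not strongSwan's mem_pool code; how /31 and /32 pools are treated is my assumption, not something the notes state.

```python
"""Constructed example (not strongSwan's mem_pool code) of the pool sizing rule:
a range pool hands out every address in '<from IP>-<to IP>'; a subnet pool skips
the network and broadcast address, and an offset such as 192.168.0.100/24 moves
the first assignable address to the offset. Assumption: /31 and /32 pools have
no network or broadcast address to skip."""
import ipaddress
from typing import Iterator, Tuple


def pool_bounds(spec: str) -> Tuple[object, object, int]:
    """Return (first, last, count) of the addresses a pool specification can assign."""
    if "-" in spec:                                   # explicit range
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid pool range {spec!r}")
        return first, last, int(last) - int(first) + 1
    base = ipaddress.ip_interface(spec)               # keeps the host part (the offset)
    net = base.network
    if net.prefixlen >= net.max_prefixlen - 1:        # /31, /32: nothing to skip
        first, last = net[0], net[-1]
    else:
        first, last = net[1], net[-2]                 # skip network and broadcast
    first = max(first, base.ip)                       # an offset starts later
    if first > last:
        raise ValueError(f"offset in {spec!r} leaves no assignable address")
    return first, last, int(last) - int(first) + 1


def assignable(spec: str) -> Iterator[object]:
    """Yield the pool's addresses in assignment order (lowest first)."""
    first, _, count = pool_bounds(spec)
    for i in range(count):
        yield first + i


if __name__ == "__main__":
    for spec in ("192.168.0.0/24", "192.168.0.100/24", "10.0.0.10-10.0.0.20"):
        first, last, count = pool_bounds(spec)
        print(f"{spec:22} -> {first}-{last} ({count} addresses)")
```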
Version 5.2.1
- The new charon-systemd IKE daemon implements an IKE daemon tailored
for use with systemd. It avoids the dependency on ipsec starter and
uses swanctl as configuration backend, building a simple and
lightweight solution. Native systemd journal logging is supported.
- Support for the new IKEv2 Fragmentation mechanism as defined by
RFC 7383 has been added, which avoids IP fragmentation of
IKEv2 UDP datagrams exceeding the network's MTU size. This feature is
activated by setting fragmentation=yes in ipsec.conf and optionally
setting the maximum IP packet size with the charon.fragment_size
parameter in strongswan.conf.
- Support for the TCG TNC IF-M Attribute Segmentation specification proposal,
which allows transferring potentially huge attributes amounting to several
megabytes of measurement data, like the TCG/SWID Tag [ID] Inventory
or IETF/Installed Packages attributes, via the PA-TNC, PB-TNC and
either PT-EAP or PT-TLS NEA protocol stack. By default segmented attributes
are just reconstructed on the receiving side from the individual segments,
with the exception of the three attribute types mentioned above, which can
be parsed and processed incrementally as the segments arrive one by one.
A commented example can be found under PT-EAP-SWID.
- For the vici plugin a ruby gem has been added to allow ruby applications
to control or monitor the IKE daemon. The vici documentation has been
updated to include a description of the available operations and some simple
examples using both the libvici C interface and the ruby gem (see README.md).
- The new ext-auth plugin calls an external script to implement custom IKE_SA
authorization logic, courtesy of Vyronas Tsingaras.
- Support for IKEv1 fragmentation has been extended to Windows XP/7 clients,
courtesy of Volker Rümelin.
- A static interval for interim RADIUS accounting updates can be configured for
the eap-radius plugin. It's overridden by any interval the RADIUS server returns
in the Access-Accept message, but it can be useful if RADIUS is only used for accounting.
- Fixed re-authentication when using IKEv1 Mode Config in push mode (cb98380fe9e4).
- Handle Quick Mode DELETES during a Quick Mode rekeying (cd9bba508bba).
- Fixed some Cisco Unity corner cases (rekeying and situations where no split-include attributes
are received), one fix didn't make it into this release though (#737).
- Fixed some IKEv1 interoperability issues (e.g. with proposal numbering and IPComp), see #661.
- Fixed a crash during reauthentication with multiple authentication rounds caused by the
incorrect use of array_remove_at() in auth_cfg_t (8ca9a67fac59).
Also added a comment regarding the use of that function (see c641974de001).
- The kernel-pfkey plugin now reports packet counts (25fcbab6789c).
- If available the kernel-pfroute plugin uses RTM_IFANNOUNCE/IFAN_DEPARTURE events to
delete cached interfaces (see f80093e2ee65).
- The kernel-netlink plugin can set MTU and MSS on installed routes via settings in
strongswan.conf (these are global and affect all SAs).
- The kernel-netlink plugin optionally installs protocol and ports on transport mode
SAs (90e6675a657c) to enforce policies for inbound traffic. Enabling this prevents the use
of a single IPsec SA by more than one traffic selector though.
Version 5.2.0
- strongSwan has been ported to the Windows platform. Using a MinGW toolchain,
many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 and
newer releases.
charon-svc implements a Windows IKE service based on libcharon, the kernel-iph
and kernel-wfp plugins act as networking and IPsec backend on the Windows platform.
socket-win provides a native IKE socket implementation, while winhttp fetches
CRL and OCSP information using the WinHTTP API.
- The new vici plugin provides a Versatile IKE Configuration Interface for
charon. Using the stable IPC interface, external applications can configure,
control and monitor the IKE daemon. Instead of scripting the ipsec tool
and generating ipsec.conf, third party applications can use the new interface
for more control and better reliability.
- Built upon the libvici client library, swanctl implements the first user of
the VICI interface. Together with a swanctl.conf configuration file,
connections can be defined, loaded and managed. swanctl provides a portable,
complete IKE configuration and control interface for the command line.
Examples: http://www.strongswan.org/uml/testresults/swanctl/
- The SWID IMV implements a JSON-based REST API which allows the exchange
of SWID tags and Software IDs with the strongTNC policy manager.
- The SWID IMC can extract all installed packages from the dpkg (Debian,
Ubuntu, etc.), rpm (Fedora, RedHat, etc.), or pacman (Arch Linux, Manjaro, etc.)
package managers, respectively, using the swidGenerator which generates
SWID tags according to the new ISO/IEC 19770-2:2014 standard.
- All IMVs now share the access requestor ID, device ID and product info
of an access requestor via a common imv_session object.
- The Attestation IMC/IMV pair supports the IMA-NG measurement format
introduced with the Linux 3.13 kernel.
- The aikgen tool generates an Attestation Identity Key bound to a TPM.
- Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
Connect.
- The ipsec.conf replay_window option defines connection specific IPsec replay
windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from 6Wind.
- The custom parser for strongswan.conf has been replaced with one based on flex/bison.
It adds support for quoted strings (with escape sequences), unlimited includes, more
relaxed newline handling, better syntax error reporting, and a distinction between
empty and unset values (key="" vs. key=).
- The parser for ipsec.conf in starter has been rewritten. It allows overriding options
in all included sections (also=) not only in %default, options defined in included sections
can also be cleared again. Other improvements, like quoted strings, unlimited includes,
and better whitespace/comment handling have been implemented as well.
- Support for late IKEv1 connection switching based on the XAuth username has been added.
- Added support to parse SSH public keys from files configured in left|rightsigkey.
- RDNs in Distinguished Names parsed from strings must now either be separated by a comma
or a slash, not both. If the DN starts with a slash (or whitespace and a slash) slashes
will be assumed as separator, commas otherwise.
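As an added illustration of that separator rule (example code written for this page, not strongSwan's DN parser), the following splits a DN string with whichever separator the rule selects; attribute quoting and escaping are left out.

```python
"""Split a Distinguished Name string into its RDNs under the separator rule
described in the 5.2.0 notes.  Illustrative code written for this page, not
strongSwan's DN parser: a single separator is chosen for the whole string,
and quoting or escaping of attribute values is not handled."""


def dn_separator(dn: str) -> str:
    """Slash if the string starts with '/' (leading whitespace ignored),
    comma otherwise."""
    return "/" if dn.lstrip().startswith("/") else ","


def split_dn(dn: str) -> list:
    """Return the DN as an ordered list of (attribute, value) pairs.

    Because only one separator character is active, the other one may appear
    freely inside a value: 'O=strongSwan, Inc.' works with slash separators,
    'OU=a/b' works with comma separators."""
    sep = dn_separator(dn)
    body = dn.lstrip()
    if sep == "/":
        body = body[1:]                       # drop the leading separator
    rdns = []
    for part in body.split(sep):
        part = part.strip()
        if not part:                          # tolerate a trailing separator
            continue
        attr, eq, value = part.partition("=")
        if not eq or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def same_dn(a: str, b: str) -> bool:
    """Compare two DN strings written with either separator style."""
    return split_dn(a) == split_dn(b)
```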
- The algorithm order in the default IKE proposal is again like it was before 5.1.1 (a4844dbc8f15).
- Scalability of half-open IKE_SA and log level checks have been improved (502eeb7f76d2).
- Added a workaround for Sonicwall boxes that send ID/HASH payloads unencrypted during
IKEv1 Main Mode (c4c9d291d2aa).
- If private algorithm identifiers are used, rekeying is fixed by migrating extensions/conditions
to the new IKE_SA during rekeying (094963d1b160).
- Support for IPComp was added to the kernel-pfkey plugin (FreeBSD, Mac OS X, Linux),
patch courtesy of Francois ten Krooden (6afa7761a540).
- Passthrough policies are installed with strictly higher priorities than IPsec policies, which
was not always the case previously, depending on the traffic selectors.
- The kernel-netlink plugin now follows RFC 6724 when selecting IPv6 source addresses (#543).
- stroke and starter now use the <daemon>.plugins.stroke.socket option to determine the socket
to communicate with the daemon. A --daemon option has been added to stroke.
- The --disable-tools ./configure option has been replaced with the --disable-pki and
--disable-scepclient options.
- A handle_vips() hook has been added similar to assign_vips(), but for clients
handling virtual IPs and other configuration attributes (31f26960761c).
Version 5.1.3¶
- Fixed an authentication bypass vulnerability triggered by rekeying an
unestablished IKE_SA while it gets actively initiated. This allowed an
attacker to trick a peer's IKE_SA state to established, without the need to
provide any valid authentication credentials. The vulnerability has been
registered as CVE-2014-2338.
Refer to our blog for details.
- The acert plugin evaluates X.509 Attribute Certificates. Group membership
information encoded as strings can be used to fulfill authorization checks
defined with the rightgroups ipsec.conf option. Attribute Certificates can be
loaded locally or get exchanged in IKEv2 certificate payloads.
- The pki command gained support to generate X.509 Attribute Certificates
using the --acert subcommand, while the --print command supports the ac type.
The openac utility has been removed in favor of the new pki functionality.
- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
has been extended by AEAD mode support, currently limited to AES-GCM.
- Fixed an issue where CRL/OCSP trustchain validation broke enforcing CA constraints (a844b6589034).
- Limited OCSP signing to specific certificates to improve performance (91d71abb16a9).
- authKeyIdentifier is not added to self-signed certificates anymore (f7d04ba6c462).
- Fixed the comparison of IKE configs if only the cipher suites were different (23f34f6ed504).
Version 5.1.2¶
- A new default configuration file layout is introduced (with full backward compatibility).
The new default strongswan.conf file mainly includes config snippets from the
strongswan.d and strongswan.d/charon directories (the latter containing snippets
for all plugins). The snippets, with commented defaults, are automatically generated
and installed, if they don't exist yet. They are also installed in
$prefix/share/strongswan/templates so existing files can be compared to
the current defaults.
- As an alternative to the non-extensible charon.load setting, the plugins
to load in charon (and optionally other applications) can now be determined
via the charon.plugins.<name>.load setting for each plugin (enabled in the
new default strongswan.conf file via the charon.load_modular option).
The load setting optionally takes a numeric priority value that allows
reordering the plugins (otherwise the default plugin order is preserved).
- All strongswan.conf settings that were formerly defined in library specific
"global" sections are now application specific (e.g. settings for plugins in
libstrongswan.plugins can now be set only for charon in charon.plugins).
The old options are still supported, which now allows to define defaults for
all applications in the libstrongswan section.
- The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
computer IKE key exchange mechanism. The implementation is based on the
ntru-crypto library from the NTRUOpenSourceProject. The supported security
strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH
group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be
sent (charon.send_vendor_id = yes) in order to use NTRU.
- Defined a TPMRA remote attestation workitem and added support for it to the
Attestation IMV.
- Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as
well as multiple subnets in left|rightsubnet have been fixed.
- When enabling its session strongswan.conf option, the xauth-pam plugin opens
and closes a PAM session for each established IKE_SA. Patch courtesy of Andrea Bonomi.
- The strongSwan unit testing framework has been rewritten without the check
dependency for improved flexibility and portability. It now properly supports
multi-threaded and memory leak testing and brings a bunch of new test cases.
- If charon.plugins.stroke.prevent_loglevel_changes is enabled, the stroke plugin prevents
log level changes via ipsec stroke.
- The inactivity counter is reset with every rekeying, which means that the inactivity timeout
must be smaller than the rekeying interval to have any effect (d048a319df).
- SQL schemas and example data (IMV) are now distributed and installed in
$prefix/share/strongswan.
- A method to register custom proposal keyword parsers has been added (568e302260).
- A deadlock was fixed when installing trap policies (bb492d80b5).
Version 5.1.1¶
- Fixed a denial-of-service vulnerability and potential authorization bypass
triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient
length check when comparing such identities. The vulnerability has been
registered as CVE-2013-6075.
Refer to our blog for details.
- Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
fragmentation payload. The cause is a NULL pointer dereference. The
vulnerability has been registered as CVE-2013-6076.
Refer to our blog for details.
- The lean stand-alone pt-tls-client can set up an RFC 6876 PT-TLS session
with a strongSwan policy enforcement point which uses the tnc-pdp charon
plugin.
- The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either
full SWID Tag or concise SWID Tag ID inventories.
- The XAuth backend in eap-radius now supports multiple XAuth exchanges for
different credential types and display messages. All user input gets
concatenated and verified with a single User-Password RADIUS attribute on
the AAA. With an AAA supporting it, one for example can implement
Password+Token authentication with proper dialogs on iOS and OS X clients.
- charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf
modeconfig=push option enables it for both client and server, the same way
as pluto used it.
- Using the ah ipsec.conf keyword on both IKEv1 and IKEv2 connections,
charon can negotiate and install Security Associations integrity-protected by
the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only,
but not the deprecated RFC 2401 style ESP+AH bundles.
- The generation of initialization vectors for IKE and ESP (when using libipsec)
is now modularized and IVs for e.g. AES-GCM are now correctly allocated
sequentially, while other algorithms like AES-CBC still use random IVs.
- The left and right options in ipsec.conf can take multiple address ranges
and subnets. This allows connection matching against a larger set of
addresses, for example to use a different connection for clients connecting
from an internal network.
- For all those who have a queasy feeling about the NIST elliptic curve set,
the Brainpool curves introduced for use with IKE by RFC 6932 might be a
more trustworthy alternative.
- The kernel-libipsec userland IPsec backend now supports usage statistics,
volume based rekeying and accepts ESPv3 style TFC padded packets.
- libipsec now properly calculates padding length especially for AES-GCM.
- load-tester supports transport mode connections and more complex traffic
selectors, including such using unique ports for each tunnel.
- The new dnscert plugin provides support for authentication via CERT RRs that
are protected via DNSSEC. The plugin was created by Ruslan N. Marchenko.
- The eap-radius plugin supports forwarding of several Cisco Unity specific
RADIUS attributes in corresponding configuration payloads.
- The ipsec pki utility and its subcommands all received man pages.
The command itself is now installed in $prefix/bin by default. So the ipsec
prefix is now optional.
- pki --pub is able to convert public keys to other formats (e.g. DNSKEY or SSH).
- Database transactions are now abstracted and implemented by the two backends.
If you use MySQL make sure all tables use the InnoDB engine.
- libstrongswan now can provide an experimental custom implementation of the
printf family functions based on klibc if neither Vstr nor glibc style printf
hooks are available. This can avoid the Vstr dependency on some systems at
the cost of slower and less complete printf functions.
- Handling of ICMP[v6] has been improved. For instance, traffic selectors with
specific ICMP message type and code can now be configured in ipsec.conf
and are properly installed in the kernel.
- IKEv1 reauthentication should be more stable with third-party peers (ee99f37e, d2e4dd75).
- Fixes a regression in 5.1.0 that caused a segmentation fault when reestablishing
CHILD_SAs due to closeaction=restart|hold (e42ab08a).
- Fixes a regression in 5.1.0 that caused IP addresses on ignored, down or loopback
interfaces to get ignored when searching for an address contained in the local traffic
selector (d7ae0b254).
- The calculation of the ESN bitmap length in the kernel-netlink plugin was fixed (e001cc2b).
- When removing configs via stroke plugin (e.g. with ipsec update/reload) matching
peer configs are not removed anymore, if they are still used by other child configs (791fde16).
- reqids of established CHILD_SAs are reused when routing connections via stroke plugin (32fef0c6).
Version 5.1.0¶
- Fixed a denial-of-service vulnerability triggered by specific XAuth usernames
and EAP identities (since 5.0.3), and PEM files (since 4.1.11). The crash
was caused by insufficient error handling in the is_asn1() function.
The vulnerability has been registered as CVE-2013-5018.
Refer to our blog for details.
- The new charon-cmd command line IKE client can establish road warrior
connections using IKEv1 or IKEv2 with different authentication profiles.
It does not depend on any configuration files (no ipsec.conf nor ipsec.secrets
but may use strongswan.conf options) and can be configured using a few
simple command line options.
- The kernel-pfroute networking backend has been greatly improved. It now
can install virtual IPs on TUN devices on Mac OS X and FreeBSD, allowing these
systems to act as a client in common road warrior scenarios.
- The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec
processing in userland on Linux, FreeBSD and Mac OS X.
- The eap-radius plugin can now serve as an XAuth backend called xauth-radius,
directly verifying XAuth credentials using RADIUS User-Name/User-Password
attributes. This is more efficient than the existing xauth-eap + eap-radius
combination, and allows RADIUS servers without EAP support to act as AAA
backend for IKEv1.
- The new osx-attr plugin installs configuration attributes (currently DNS
servers) via SystemConfiguration on Mac OS X. The keychain plugin provides
certificates from the OS X keychain service.
- The sshkey plugin parses SSH public keys, which, together with the --agent
option for charon-cmd, allows the use of ssh-agent for authentication.
To configure SSH keys in ipsec.conf the left|rightrsasigkey options are
replaced with left|rightsigkey, which now take public keys in one of three
formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and
PKCS#1 (the default, no prefix).
- Extraction of certificates and private keys from PKCS#12 files is now provided
by the new pkcs12 plugin or the openssl plugin. charon-cmd (--p12) as well
as charon (via P12 token in ipsec.secrets) can make use of this.
- IKEv2 can now negotiate transport mode and IPComp in NAT situations.
- IKEv2 exchange initiators now properly close an established IKE or CHILD_SA
on error conditions using an additional exchange, keeping state in sync
between peers.
- Several core classes in libstrongswan are now tested with unit tests. These
can be enabled with --enable-unit-tests and run with make check. Coverage
reports can be generated with --enable-coverage and make coverage (this
disables any optimization, so it should not be enabled when building
production releases).
- The leak-detective developer tool has been greatly improved. It works much
faster/stabler with multiple threads, does not use deprecated malloc hooks
anymore and has been ported to OS X.
- chunk_hash() is now based on SipHash-2-4 with a random key. This provides
better distribution and prevents hash flooding attacks when used with
hashtables. To generate reproducible hashes the chunk_hash_static() function
can be used.
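To show the design behind this change, here is an added pure-Python SipHash-2-4 with a random per-process key beside a fixed-key variant; it is written for this page, not taken from strongSwan, and the fixed key and the inputs in the comments are the published SipHash reference vectors.

```python
"""SipHash-2-4 keyed hash, illustrating the chunk_hash() design described
above: a random per-process key for hashtables, a static key when values
must be reproducible.  Written for this page; not strongSwan's code."""
import os

MASK64 = (1 << 64) - 1


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    # One SipRound (ARX mixing step) exactly as in the SipHash specification.
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, data: bytes) -> int:
    """64-bit SipHash-2-4 of data under a 128-bit key (c=2, d=4)."""
    if len(key) != 16:
        raise ValueError("SipHash needs a 16-byte key")
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575          # "somepseu"
    v1 = k1 ^ 0x646F72616E646F6D          # "dorandom"
    v2 = k0 ^ 0x6C7967656E657261          # "lygenera"
    v3 = k1 ^ 0x7465646279746573          # "tedbytes"
    full = len(data) - len(data) % 8
    for off in range(0, full, 8):
        m = int.from_bytes(data[off:off + 8], "little")
        v3 ^= m
        for _ in range(2):                 # c = 2 compression rounds
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # Final block: leftover bytes plus the message length in the top byte.
    b = (len(data) & 0xFF) << 56 | int.from_bytes(data[full:], "little")
    v3 ^= b
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= b
    v2 ^= 0xFF
    for _ in range(4):                     # d = 4 finalization rounds
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


# Random key chosen once per process: without it, an attacker could
# precompute inputs that collide in a hashtable bucket (hash flooding).
_PROCESS_KEY = os.urandom(16)
# Fixed key for reproducible values (constructed; equals the reference
# vector key 00 01 .. 0f, under which siphash24 of b"" is 0x726fdb47dd0e0e31).
_STATIC_KEY = bytes(range(16))


def chunk_hash(data: bytes) -> int:
    """Keyed hash that differs from process to process."""
    return siphash24(_PROCESS_KEY, data)


def chunk_hash_static(data: bytes) -> int:
    """Keyed hash that is stable across runs and hosts."""
    return siphash24(_STATIC_KEY, data)


def bucket(data: bytes, nbuckets: int) -> int:
    """Hashtable bucket index derived from the per-process keyed hash."""
    return chunk_hash(data) % nbuckets
```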
- All default plugins implement the get_features() method to define features
and their dependencies. The plugin loader has been improved, so that plugins
in a custom load statement can be ordered freely or to express preferences
without being affected by dependencies between plugin features.
- A centralized thread can take care of watching multiple file descriptors
concurrently. This removes the need for dedicated listener threads in
various plugins. The number of "reserved" threads for such tasks has been
reduced to about five, depending on the plugin configuration.
- Plugins that can be controlled by a UNIX socket IPC mechanism gained network
transparency. Third party applications querying these plugins now can use
TCP connections from a different host.
See the respective socket options in strongswan.conf.
- Protocol and port can be specified for each individual subnet specified with
the left|rightsubnet ipsec.conf options.
- The closeaction ipsec.conf option is now also supported for IKEv1 (thanks to
Oliver Smith for the initial patch).
- libipsec now supports AES-GCM.
- By replacing several linked lists that exist during the full lifetime of an SA with a
simple array implementation the memory usage per tunnel is reduced by 5 KB or more.
- Responders reuse reqids of trapped policies, making auto=route on both sides more reliable.
- Instead of silently replacing a policy if the reqid changes, the kernel-netlink
plugin now rejects such requests. This has consequences e.g. if two clients behind the
same NAT use transport mode (see #365).
- Capability dropping has been improved. Every plugin verifies that the capabilities
it requires are actually held and requests to keep only those that are really required at runtime.
- Support for silent rules was added to the build system, they can be enabled
with --enable-silent-rules. make V=0 or V=1 can be used to build with a different
verbosity than configured.
- The unique identifier of an IKE_SA is passed as PLUTO_UNIQUEID to the updown script.
- Whether the socket-default plugin uses IPv4 and/or IPv6 can be configured via strongswan.conf.
- Fixed a race-condition if the DELETE for a redundant CHILD_SA created by a responder during a
CHILD_SA rekey collision arrives before the responder's answer to the initiator's winning
CREATE_CHILD_SA request.
- The X.509 certificate decoder provided by the openssl plugin supports IP address blocks (patch by Michael Rossberg).
- scepclient can use a specific source address configured with the new --bind option.
- Negotiation of IKEv1 DPD with Cisco IOS devices has been fixed, if they do not send the
DPD vendor ID in the first message.
- The ipsec stroke exportconncert and exportconnchain commands can be used to export
either a single end entity certificate or the full trust chain for a specific connection.
- The ipsec stroke up-nb and down-nb commands do the same as up and down, respectively,
but they do not block until the command has finished.
30.04.2013, Minor Release
Version 5.0.4¶
- Fixed a security vulnerability in the openssl plugin which was reported by
Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944.
Before the fix, if the openssl plugin's ECDSA signature verification was used,
due to a misinterpretation of the error code returned by the OpenSSL
ECDSA_verify() function, an empty or zeroed signature was accepted as a
legitimate one.
Refer to our blog for details.
- The handling of a couple of other non-security relevant OpenSSL return codes
was fixed as well.
- The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its
TCG TNC IF-MAP 2.1 interface.
- The charon.initiator_only strongswan.conf option causes charon to ignore
IKE initiation requests.
- The openssl plugin can now use the openssl-fips library.
Version 5.0.3¶
- The new ipseckey plugin enables authentication based on trustworthy public
keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
To do so it uses a DNSSEC enabled resolver, like the one provided by the new
unbound plugin, which is based on libldns and libunbound. Both plugins were
created by Reto Guadagnini. Examples: ikev2/net2net-dnssec ikev2/rw-dnssec
- Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
available to an IMV. The OS IMV stores the AR identity together with the
device ID in the attest database.
- The openssl plugin now uses the AES-NI accelerated version of AES-GCM
if the hardware supports it.
- The eap-radius plugin can now assign virtual IPs to IKE clients using the
Framed-IP-Address attribute by using the %radius named pool in the
rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
Unity-capable IKEv1 clients during mode config. charon now sends Interim
Accounting updates if requested by the RADIUS server, reports
sent/received packets in Accounting messages, and adds a Terminate-Cause
to Accounting-Stops.
- The recently introduced ipsec listcounters command can report connection
specific counters by passing a connection name, and global or connection
counters can be reset by the ipsec resetcounters command.
- The tnc-ifmap plugin has been reimplemented without any dependency to
the Apache Axis2/C library. Several configuration options have been changed.
- The strongSwan libpttls library provides an experimental implementation of
PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
- The charon systime-fix plugin can disable certificate lifetime checks on
embedded systems if the system time is obviously out of sync after bootup.
Certificates lifetimes get checked once the system time gets sane, closing
or reauthenticating connections using expired certificates.
- The ikedscp ipsec.conf option can set DiffServ code points on outgoing
IKE packets.
- The new xauth-noauth plugin allows to use basic RSA or PSK authentication with
clients that cannot be configured without XAuth authentication. The plugin
simply concludes the XAuth exchange successfully without actually performing
any authentication. Therefore, to use this backend it has to be selected
explicitly with rightauth2=xauth-noauth.
- The new charon-tkm IKEv2 daemon delegates security critical operations to a
separate process. This has the benefit that the network facing daemon has no
knowledge of keying material used to protect child SAs. Thus subverting
charon-tkm does not result in the compromise of cryptographic keys.
The extracted functionality has been implemented from scratch in a minimal TCB
(trusted computing base) in the Ada programming language. Further information
can be found at http://www.codelabs.ch/tkm/.
- Multiple certificates can be configured for left|rightcert in ipsec.conf. The daemon
chooses the certificate based on the received certificate requests, if possible,
before enforcing the first.
- Mutual EAP authentication has been fixed when it is not used as first authentication
round.
- The NetworkManager backend (charon-nm) uses a TUN device to satisfy NM's need
for a network device. This fixes LP:872824.
- A route is installed for shunt policies (passthrough/drop). This fixes some combinations
of shunt policies and virtual IP addresses as locally generated traffic wouldn't match
the shunt policy anymore due to the route installed with the VIP. Also, the unity plugin
includes the local address in split-exclude shunt policies.
- Added an option (charon.plugins.ha.autobalance) to balance a HA cluster automatically.
- Most parts of the android plugin (the backend for the Android VPN applet patch) have
been removed and the remaining DNS handler has been moved to the new android-dns plugin.
- Alignment issues in the kernel-netlink plugin have been fixed and the Netlink XFRM message
attribute handling has been refactored.
- The --disable-defaults configure option allows to disable all features
that are enabled by default.
- The charon.plugins.stroke.timeout strongswan.conf option allows to define a timeout in ms
for any stroke command.
- ipsec statusall reports the number of processed IPsec packets.
- Reloading secrets from ipsec.secrets with ipsec rereadsecrets is now done atomically.
- Supplementary groups are initialized using initgroups(3) when running as unprivileged user.
- Fixed handling of IPv6 SQL address pools if multiple pools are assigned to rightsourceip.
Version 5.0.2¶
- Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV
pair using them to transfer operating system information.
- The new ipsec listcounters command prints a list of global counter values
about received and sent IKE messages and rekeyings.
- A new lookip plugin can perform fast lookup of tunnel information using a
client's virtual IP and can send notifications about established or deleted
tunnels. The "ipsec lookip" command can be used to query such information
or receive notifications.
- The new error-notify plugin catches some common error conditions and allows
an external application to receive notifications for them over a UNIX socket.
- IKE proposals can now use a PRF algorithm different to that defined for
integrity protection. If an algorithm with a "prf" prefix is defined
explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on
the integrity algorithm is added to the proposal.
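An added example (not strongSwan's proposal parser) that applies this implicit/explicit PRF rule to proposal strings; the keyword tables hold only a few algorithms and are an assumption of the example.

```python
"""Parse an IKE proposal string under the PRF rule described above: the PRF
is derived from the integrity algorithm unless a keyword with a "prf" prefix
is given explicitly.  Illustrative code written for this page, not
strongSwan's proposal parser; the keyword tables are deliberately short."""
from dataclasses import dataclass, field

ENCR = {"aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16", "3des"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH = {"modp1024", "modp2048", "modp3072", "ecp256", "ecp384", "ecp521"}


@dataclass
class IkeProposal:
    encr: list = field(default_factory=list)
    integ: list = field(default_factory=list)
    prf: list = field(default_factory=list)
    dh: list = field(default_factory=list)

    def to_string(self) -> str:
        """Render in canonical order with the PRF made explicit."""
        return "-".join(self.encr + self.integ + self.prf + self.dh)


def parse_ike_proposal(text: str) -> IkeProposal:
    p = IkeProposal()
    explicit_prf = False
    for kw in text.split("-"):
        if kw in ENCR:
            p.encr.append(kw)
        elif kw in INTEG:
            p.integ.append(kw)
        elif kw.startswith("prf") and kw[3:] in INTEG:
            p.prf.append(kw)
            explicit_prf = True
        elif kw in DH:
            p.dh.append(kw)
        else:
            raise ValueError(f"unknown proposal keyword {kw!r}")
    if not explicit_prf:
        # No "prf" keyword: every integrity algorithm implies its PRF, in
        # order.  An AEAD proposal has no integrity algorithm, so it needs
        # an explicit PRF or it ends up with none.
        p.prf = ["prf" + alg for alg in p.integ]
    return p
```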
- The pkcs11 plugin can now load leftcert certificates from a smartcard for a
specific ipsec.conf conn section and cacert CA certificates for a specific ca
section.
- The load-tester plugin gained additional options for certificate generation
and can load keys and multiple CA certificates from external files. It can
install a dedicated outer IP address for each tunnel and tunnel initiation
batches can be triggered and monitored externally using the
ipsec load-tester tool.
- PKCS#7 container parsing has been modularized, and the openssl plugin
gained an alternative implementation to decrypt and verify such files.
In contrast to our own DER parser, OpenSSL can handle BER files, which is
required for interoperability of our scepclient with EJBCA.
- Support for the proprietary IKEv1 fragmentation extension has been added.
Fragments are always handled on receipt but only sent if supported by the peer
and if enabled with the new fragmentation ipsec.conf option.
- IKEv1 in charon can now parse certificates received in PKCS#7 containers and
supports NAT traversal as used by Windows clients. Patches courtesy of
Volker Rümelin.
- The new rdrand plugin provides a high quality / high performance random
source using the Intel rdrand instruction found on Ivy Bridge processors.
- The integration test environment (see source:testing/README) was updated and
now uses KVM and reproducible guest images based on Debian.
- The charon.ikesa_limit strongswan.conf option allows responders to limit
the number of concurrently established IKE_SAs.
- The charon daemon reloads the logger configuration from strongswan.conf
if it receives a SIGHUP. Besides changing the configuration this allows to easily rotate
log files created by file loggers without having to restart the daemon.
- Resolving hosts by DNS name is now done in separate threads, which allows us
to cancel these lookups (if getaddrinfo(3) is a cancellation point, anyway).
The maximum number of threads can be configured in strongswan.conf.
- Changed connections with auto=route are properly updated during ipsec update|reload.
- Added missing XFRM marks for several functions in the kernel-netlink plugin.
- The encoding of TLS extensions (elliptic_curves and signature_algorithms) was fixed.
Version 5.0.1¶
- Introduced the sending of the standard IETF Assessment Result
PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
- Extended PTS Attestation IMC/IMV pair to provide full evidence of
the Linux IMA measurement process. All pertinent file information
of a Linux OS can be collected and stored in an SQL database.
- The PA-TNC and PB-TNC protocols can now process huge data payloads
>64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
and these messages over several PB-TNC batches. As long as no
consolidated recommendation from all IMVs can be obtained, the TNC
server requests more client data by sending an empty SDATA batch.
- The rightgroups2 ipsec.conf option can require group membership during
a second authentication round, for example during XAuth authentication
against a RADIUS server.
- The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
clients against any PAM service. The IKEv2 eap-gtc plugin does not use
PAM directly anymore, but can use any XAuth backend to verify credentials,
including xauth-pam.
- The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
Extensions. As client, charon narrows traffic selectors to the received
Split-Include attributes and automatically installs IPsec bypass policies
for received Local-LAN attributes. As server, charon sends Split-Include
attributes for leftsubnet definitions containing multiple subnets to
Unity-aware clients.
- An EAP-Nak payload is returned by clients if the gateway requests an EAP
method that the client does not support. Clients can also request a specific
EAP method by configuring that method with leftauth in ipsec.conf.
- The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
these to select a different EAP method supported/requested by the client.
The plugin initially requests the first registered method or the first method
configured with charon.plugins.eap-dynamic.preferred in strongswan.conf.
- The new left|rightdns ipsec.conf options specify connection specific DNS servers to
request/respond in IKEv2 configuration payloads or IKEv1 mode config. leftdns
can be any (comma separated) combination of %config4 and %config6 to request
multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
IP addresses to return.
- The left|rightsourceip options now accept multiple addresses or pools.
leftsourceip can be any (comma separated) combination of %config4, %config6
or fixed IP addresses to request. rightsourceip accepts multiple explicitly
specified or referenced named pools.
- Multiple connections can now share a single address pool when they use the
same definition in one of the rightsourceip pools.
- The strongswan.conf options charon.interfaces_ignore and charon.interfaces_use
allow one to configure the network interfaces used by the daemon.
- The kernel-netlink plugin supports the new strongswan.conf option
charon.install_virtual_ip_on, which specifies the interface on which
virtual IP addresses will be installed. If it is not specified the current behavior
of using the outbound interface is preserved.
- The kernel-netlink plugin tries to keep the current source address when
looking for valid routes to reach other hosts.
- The autotools build has been migrated to use a config.h header. strongSwan
development headers will get installed during "make install" if
--with-dev-headers has been passed to ./configure.
- All crypto primitives gained return values for most operations, allowing
crypto backends to fail, for example when using hardware accelerators.
- The UDP ports used by charon can be configured via ./configure or the
charon.port and charon.port_nat_t options in strongswan.conf. If ports are
configured to 0 they will be allocated randomly.
- With uniqueids=never configured in ipsec.conf INITIAL_CONTACT notifies are ignored.
Even with uniqueids=no configured the daemon will delete existing IKE_SAs with the same
peer upon receipt of an INITIAL_CONTACT notify. This new option allows to ignore these notifies.
- Prefixing the identity configured with rightid with a % character prevents initiators
from sending an IDr payload in the IKE_AUTH exchange. Later the configured identity will
not only be checked against the returned IDr, but also against other identities contained
in the responder's certificate.
- Non-"/0" subnet sizes are accepted for traffic selectors starting at 0.0.0.0.
- Job handling in controller_t was fixed, which occasionally caused crashes on
ipsec up/down.
- Caching of relations in validated certificate chains can be disabled with the
libstrongswan.cert_cache strongswan.conf option.
- Logging of multi-line log messages was fixed in situations where more than one logger
was registered.
- Fixed transmission of the EAP-MSCHAPv2 user name if it contains a domain part.
- Added an option to enforce the configured destination address for DHCP packets.
Version 5.0.0¶
- The charon IKE daemon gained experimental support for the IKEv1 protocol.
Pluto has been removed from the 5.x series, and unless strongSwan is
configured with --disable-ikev1 or --disable-ikev2, charon handles
both keying protocols. The feature-set of IKEv1 in charon is almost on par with
pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
mode. Information for interoperability and migration is available on
our wiki. More details about the history and context of these changes
can be found in our related blog post.
- Charon's bus_t has been refactored so that loggers and other listeners are
now handled separately. The single lock was previously cause for deadlocks
if extensive listeners, such as the one provided by the updown plugin, wanted
to acquire locks that were held by other threads which in turn tried to log
messages, and thus were waiting to acquire the same lock currently held by
the thread calling the listener.
The implemented changes also allow the use of a read/write-lock for the
loggers which increases performance if multiple loggers are registered.
Besides several interface changes this last bit also changes the semantics
for loggers as these may now be called by multiple threads concurrently.
- Source routes are reinstalled if interfaces are reactivated or IP addresses
reappear.
- The thread pool (processor_t) now has more control over the lifecycle of
a job (see source:src/libstrongswan/processing/jobs/job.h for details).
In particular, it now controls the destruction of jobs after execution and
the cancellation of jobs during shutdown. Due to these changes the requeueing
feature, previously available to callback_job_t only, is now available to all
jobs (in addition to a new rescheduling feature).
- In addition to trustchain key strength definitions for different public key
systems, the rightauth ipsec.conf option now takes a list of signature
hash algorithms considered safe for trustchain validation. For example,
the setting rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512
requires a trustchain that uses at least RSA-2048 or ECDSA-256 keys and
certificate signatures using SHA-256 or better.
- The NetworkManager charon plugin of previous releases is now provided by a
separate executable (charon-nm) and it should work again with NM 0.9.
- scepclient was updated and it now works fine with Windows Server 2008 R2.
Among other things, support for multiple CA/RA certificates and configurable
digest/signature algorithms was added.
- Thanks to initial patches by Aleksandr Grinberg the openssl plugin now provides
PRFs and signers based on HMACs, and can also be used as RNG.
- The left|rightallowany ipsec.conf option previously available only for
IKEv1 is now also supported for IKEv2 connections.
- A strongswan.conf option to retry the initiation of an IKE_SA, if it failed due to a
failed DNS lookup, was added (charon.retry_initiate_interval, disabled by default).
- The source address lookup for IPv6 addresses was fixed (this fixes MOBIKE with IPv6,
which was broken in some scenarios since 4.6.2).
- Installing IPsec policies with ports (left|rightprotoport) was fixed in the
PF_KEY kernel interface.
31.05.2012
Minor Release
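The rightauth trustchain constraint described in the 5.0.0 notes, as an added example that is not strongSwan's own code: it parses a constraint string such as rsa-2048-ecdsa-256-sha256-sha384-sha512 into per-key-type minimum sizes plus a set of permitted signature hashes, and checks a certificate chain against it. Two assumptions are made here that the notes do not spell out: once any minimum is listed, keys of a type without a listed minimum are rejected, and the hash list applies to every signature in the chain except the trust anchor's own self-signature. The chains are constructed for the demonstration.

```python
# Added example, not strongSwan code: parse a rightauth trustchain constraint
# such as rsa-2048-ecdsa-256-sha256-sha384-sha512 and check a certificate
# chain against it. Assumptions: key types without a listed minimum are
# rejected once any minimum is given, and the hash list applies to every
# signature in the chain except the trust anchor's own self-signature.
KEY_TYPES = {"rsa", "ecdsa"}
HASHES = {"md5", "sha1", "sha256", "sha384", "sha512"}   # tokens accepted here


def parse_auth_constraint(spec):
    """'rsa-2048-ecdsa-256-sha256-sha384' -> ({'rsa': 2048, 'ecdsa': 256},
    {'sha256', 'sha384'}). Tokens are key types, optional bit minimums, hashes."""
    tokens = spec.lower().split("-")
    if tokens[0] not in KEY_TYPES | {"pubkey"}:
        raise ValueError(f"{spec!r} is not a public key auth constraint")
    min_bits, hashes, i = {}, set(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in KEY_TYPES and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            min_bits[tok] = int(tokens[i + 1])
            i += 2
        elif tok in KEY_TYPES or tok == "pubkey":
            i += 1                                    # type named, no minimum
        elif tok in HASHES:
            hashes.add(tok)
            i += 1
        else:
            raise ValueError(f"unknown token {tok!r} in {spec!r}")
    return min_bits, hashes


def chain_complies(chain, spec):
    """chain: leaf first, then issuers up to the trust anchor. Each entry holds
    the certificate's own key type/size and the hash its issuer signed it with
    (None for the anchor, whose self-signature is not part of validation)."""
    min_bits, hashes = parse_auth_constraint(spec)
    for cert in chain:
        kt, bits = cert["key_type"], cert["key_bits"]
        if min_bits:
            if kt not in min_bits:
                return False, f"{cert['name']}: {kt} keys not permitted by {spec}"
            if bits < min_bits[kt]:
                return False, f"{cert['name']}: {kt}-{bits} below minimum {min_bits[kt]}"
        if hashes and cert["sig_hash"] is not None and cert["sig_hash"] not in hashes:
            return False, f"{cert['name']}: signed with {cert['sig_hash']}, not in {sorted(hashes)}"
    return True, "trustchain complies"


# Constructed chains for the demonstration (leaf first).
STRONG_CHAIN = [
    {"name": "peer", "key_type": "rsa", "key_bits": 2048, "sig_hash": "sha256"},
    {"name": "sub-ca", "key_type": "rsa", "key_bits": 4096, "sig_hash": "sha384"},
    {"name": "root", "key_type": "rsa", "key_bits": 4096, "sig_hash": None},
]
SHA1_INTERMEDIATE = [dict(STRONG_CHAIN[0]), dict(STRONG_CHAIN[1], sig_hash="sha1"), dict(STRONG_CHAIN[2])]
WEAK_LEAF = [dict(STRONG_CHAIN[0], key_bits=1024)] + STRONG_CHAIN[1:]
EC_CHAIN = [
    {"name": "peer", "key_type": "ecdsa", "key_bits": 256, "sig_hash": "sha256"},
    {"name": "root", "key_type": "ecdsa", "key_bits": 384, "sig_hash": None},
]
```

Note that the hash constraint catches the common weak spot, an intermediate CA certificate still signed with SHA-1, even when the peer certificate itself uses SHA-256.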
Version 4.6.4¶
- Fixed a security vulnerability in the gmp plugin. If this plugin was used
for RSA signature verification an empty or zeroed signature was handled as
a legitimate one.
Refer to our blog for details.
- Fixed several issues with reauthentication and address updates.
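The 4.6.4 note says that an empty or zeroed RSA signature was accepted by the gmp plugin. As an added example, not the plugin's code, the following shows RSASSA-PKCS1-v1_5 verification in a deliberately lax form that models that class of defect (leading zero octets stripped, an empty value not rejected, a comparison bounded by the length of the decoded value) next to the strict RFC 8017 procedure. The exact defect in the gmp plugin is described on the strongSwan blog and is not reproduced here. The key is built from two public Mersenne primes so the example is deterministic and fast; it is obviously not usable as a real key.

```python
import hashlib
import hmac

# Added example, not the gmp plugin's code: RSASSA-PKCS1-v1_5 verification in
# a lax form that models the defect class behind the 4.6.4 fix (an empty or
# all-zero signature passes) beside the strict RFC 8017 procedure. The key is
# built from two public Mersenne primes so the example is deterministic and
# fast; it is obviously not a real key, its factors are right here.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                 # modulus size in octets

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg):
    em = int.from_bytes(emsa_pkcs1_v15(msg, K), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify_lax(msg, sig):
    """Model of the defect class: leading zero octets are stripped, an empty
    value is not rejected, and the comparison is bounded by the length of the
    *decoded* value. Zero decodes to an empty string, which is a prefix of
    anything, so an empty or zeroed signature verifies."""
    sig = sig.lstrip(b"\x00")
    m = pow(int.from_bytes(sig, "big"), E, N) if sig else 0
    em = m.to_bytes((m.bit_length() + 7) // 8, "big")   # minimal encoding: b"" for 0
    expected = emsa_pkcs1_v15(msg, K)[1:]                 # minimal encoding has no leading 0x00
    return em == expected[:len(em)]                       # prefix compare


def verify_strict(msg, sig):
    """RFC 8017 RSASSA-PKCS1-v1_5-VERIFY: the signature must be exactly k octets,
    the integer must lie strictly between 0 and n-1, and the whole k-octet EM
    is compared in constant time."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if not 0 < s < N - 1:                       # 0 and n-1 have trivial e-th powers
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, K))
```

The two properties to check in any verifier are the ones the strict version enforces before doing arithmetic: the signature has the modulus length and the integer is in range; after the exponentiation, the complete encoded message is compared, never a variable-length part of it.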
Version 4.6.3¶
- The tnc-pdp plugin implements a RADIUS server interface allowing
a strongSwan TNC server to act as a Policy Decision Point.
- The eap-radius authentication backend enforces Session-Timeout attributes
using RFC 4478 repeated authentication and acts upon the RADIUS Dynamic
Authorization extensions (RFC 5176). Currently supported are Disconnect
requests and CoA messages containing a Session-Timeout.
- The eap-radius plugin can forward arbitrary RADIUS attributes from and to
clients using custom IKEv2 notify payloads. The new radattr plugin reads
attributes to include from files and prints received attributes to the
console.
- Added support for untruncated MD5 and SHA1 HMACs in ESP as used in
RFC 4595.
- The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms
as defined in RFC 4494 and RFC 4615, respectively.
- The resolve plugin automatically installs nameservers via resolvconf(8),
if it is installed, instead of modifying /etc/resolv.conf directly.
- The IKEv2 charon daemon now supports raw RSA public keys in RFC 3110
DNSKEY and PKCS#1 file format.
- The farp plugin sends ARP responses for any tunneled address, not only virtual IPs.
- Charon resolves hosts again during additional keying tries.
- Fixed switching back to original address pair during MOBIKE.
- When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value,
as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t,
see source:src/libcharon/sa/keymat.h#39 for details.
- COOKIEs are now kept enabled a bit longer to avoid certain race conditions; the commit
message of 1b7debcc has some details.
- The new stroke user-creds command allows setting a username/password for a connection.
- Added a workaround for null-terminated XAuth secrets (as sent by Android 4).
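The COOKIE behaviour in the 4.6.3 notes (the initiator resends IKE_SA_INIT with the responder's cookie and reuses its Diffie-Hellman value; the responder stays stateless until a valid cookie comes back), as an added example that is not strongSwan code. The cookie layout follows the suggestion in RFC 5996 section 2.6, Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret), and the under_attack flag stands in for the half-open SA threshold that switches cookies on; the DH group (MODP 1024, RFC 2409 group 2) and all addresses and identifiers are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example (not strongSwan code): the IKE_SA_INIT / COOKIE exchange of
# RFC 5996 section 2.6, with the initiator reusing its DH value on the retry.
# The 1024-bit MODP group 2 prime (RFC 2409) keeps the example self-contained;
# the cookie layout follows the RFC's suggestion:
#   Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | <secret>)
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class Initiator:
    def __init__(self, addr):
        self.addr = addr
        self.spi_i = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(32)
        self.x = secrets.randbelow(P - 2) + 1       # private exponent, generated once
        self.ke = pow(G, self.x, P)                  # KEi, reused on the COOKIE retry

    def ike_sa_init(self, cookie=None):
        msg = {"SPIi": self.spi_i, "Ni": self.nonce, "KEi": self.ke, "src": self.addr}
        if cookie is not None:
            msg["N(COOKIE)"] = cookie                # echoed back unchanged
        return msg


class Responder:
    def __init__(self, under_attack):
        # under_attack stands in for the half-open SA threshold that turns
        # cookies on; how long it stays set is the detail the 4.6.3 note changed
        self.under_attack = under_attack
        self.secret_version = 1
        self.secret = secrets.token_bytes(32)
        self.half_open = {}                          # SPIi -> state of accepted inits

    def _cookie(self, msg):
        h = hashlib.sha256(msg["Ni"] + msg["src"].encode() + msg["SPIi"] + self.secret)
        return bytes([self.secret_version]) + h.digest()[:16]

    def handle(self, msg):
        if self.under_attack:
            expected = self._cookie(msg)
            if not hmac.compare_digest(msg.get("N(COOKIE)", b""), expected):
                # stateless: no SA state is allocated until a valid cookie comes back
                return {"N(COOKIE)": expected}
        self.half_open[msg["SPIi"]] = {"KEi": msg["KEi"], "Ni": msg["Ni"]}
        return {"SPIr": secrets.token_bytes(8), "accepted": True}


def run_exchange():
    """Run the two-round exchange and report what each side did."""
    init, resp = Initiator("198.51.100.7"), Responder(under_attack=True)
    first = init.ike_sa_init()
    reply = resp.handle(first)                       # -> N(COOKIE), nothing stored
    state_after_first = len(resp.half_open)
    retry = init.ike_sa_init(cookie=reply.get("N(COOKIE)"))
    final = resp.handle(retry)
    forged = dict(first, **{"N(COOKIE)": b"\x01" + b"\x00" * 16})
    return {
        "cookie_requested": "N(COOKIE)" in reply,
        "state_after_first": state_after_first,
        "accepted": final.get("accepted", False),
        "same_ke": first["KEi"] == retry["KEi"],
        "same_nonce": first["Ni"] == retry["Ni"],
        "forged_rejected": "accepted" not in resp.handle(forged),
    }
```

Because the cookie is a function of Ni, IPi and SPIi, the retry has to repeat those values anyway; reusing the DH exponent on top of that is what makes a cookie challenge cheap for the initiator too, and it is why the lifetime of the diffie_hellman_t object had to change as the note says.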
Version 4.6.2¶
- Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M"
standard (TLV-based messages only). TPM-based remote attestation of
Linux IMA (Integrity Measurement Architecture) or Intel TBOOT measurements is possible.
Measurement reference values are automatically stored in an SQLite database that
can be managed using the new ipsec attest command line tool.
- Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
which supports IF-TNCCS 2.0 long message types, the exclusive flags
and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
- Added support for PKCS#8 encoded private keys via the libstrongswan
pkcs8 plugin. This is the default format used by some OpenSSL tools since
version 1.0.0 (e.g. openssl req with -keyout).
- Added session resumption support to the strongSwan TLS stack.
- The maximum number of stroke messages concurrently handled by the charon
daemon is now limited to avoid clogging the thread pool with potentially
blocking jobs. How many messages are handled concurrently can be configured
with the charon.plugins.stroke.max_concurrent option in strongswan.conf.
- For Android builds the binaries to be installed on the final system have to be
added to PRODUCT_PACKAGES in build/target/product/core.mk. Dependencies such as
libraries are automatically installed. See the comments in the top-level Android.mk.
- Debug output for low-level encoding/decoding (X.509, ASN.1 etc.) is now logged
in a new ASN log group.
- The native thread ID is logged in the LIB log group with log level 2 when a thread is created.
10.11.2011
Minor Release
Version 4.6.1¶
- Because of changing checksums before and after installation which caused
the integrity tests to fail we avoided directly linking libsimaka, libtls and
libtnccs to those libcharon plugins which make use of these dynamic libraries.
Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu
11.10 activated the --as-needed ld option which discards explicit links
to dynamic libraries that are not actually used by the charon daemon itself,
thus causing failures during the loading of the plugins which depend on these
libraries for resolving external symbols.
- Therefore our approach of computing integrity checksums for plugins had to be
changed radically by moving the hash generation from the compilation to the
post-installation phase.
Version 4.6.0¶
- The new libstrongswan certexpire plugin collects expiration information of
all used certificates and exports them to CSV files. It either directly
exports them or uses cron style scheduling for batch exports.
- starter passes unresolved hostnames to charon, allowing it to defer name
resolution until the connection attempt. This is especially useful with
connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey
for the initial patch.
- The android plugin can now be used without the Android frontend patch and
provides DNS server registration and logging to logcat.
- Pluto and starter (plus stroke and whack) have been ported to Android. With starter and
stroke the IKEv2 daemon charon can now be configured via ipsec.conf on Android.
- Support for ECDSA private and public key operations has been added to the
pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can
use tokens as random number generators (RNG). By default only private key
operations are enabled, more advanced features have to be enabled by their
option in strongswan.conf. This also applies to public key operations (even
for keys not stored on the token) which were enabled by default before.
- The libstrongswan plugin system now supports detailed plugin dependencies.
Many plugins have been extended to export their capabilities and requirements.
This allows the plugin loader to resolve plugin loading order automatically,
and in future releases, to dynamically load the required features on demand.
Existing third party plugins are source (but not binary) compatible if they
properly initialize the new get_features() plugin function to NULL.
- The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can deliver
metadata about IKE_SAs via a SOAP interface to a MAP server. The tnc-ifmap
plugin requires the Apache Axis2/C library.
- Remote attestation effected by the TCG Platform Trust Service (PTS)
can be transferred via the TNC IF-M 1.0 protocol (RFC 5792 PA-TNC)
to a strongSwan TNC server. Currently remote file measurements are
supported with full TPM support expected for the 4.6.1 release.
For details consult the following link: http://www.strongswan.org/uml/pts/
Version 4.5.3¶
- Our private libraries (e.g. libstrongswan) are not installed directly in
prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
default). The plugins directory is also moved from libexec/ipsec/ to that
directory.
- The dynamic IMC/IMV libraries were moved from the plugins directory to
a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
- Job priorities were introduced to prevent thread starvation caused by too
many threads handling blocking operations (such as CRL fetching).
- The IKEv2 charon daemon supports PASS and DROP shunt policies that prevent
traffic from going through IPsec connections. The shunt policies are installed
via either the XFRM netlink or the PF_KEYv2 IPsec kernel interface.
- The history of policies installed in the kernel is now tracked so that e.g.
trap policies are correctly updated when reauthenticated SAs are terminated.
- IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
Using "netstat -l" the IMC scans open listening ports on the TNC client
and sends a port list to the IMV which based on a port policy decides if
the client is admitted to the network.
(--enable-imc-scanner/--enable-imv-scanner).
- IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
(--enable-imc-test/--enable-imv-test).
- The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
setting, but the value defined by its own closeaction keyword. The action
is triggered if the remote peer closes a CHILD_SA unexpectedly.
Version 4.5.2¶
- The whitelist plugin for the IKEv2 daemon maintains an in-memory identity
whitelist. Any connection attempt of peers not whitelisted will get rejected.
The 'ipsec whitelist' utility provides a simple command line frontend for
whitelist administration.
- The duplicheck plugin provides a specialized form of duplicate checking,
doing a liveness check on the old SA and optionally notifying a third party
application about detected duplicates.
- The coupling plugin permanently couples two or more devices by limiting
authentication to previously used certificates.
- In the case that the peer config and child config don't have the same name
(usually in SQL database defined connections), ipsec up|route <peer config>
starts|routes all associated child configs and ipsec up|route <child config>
only starts|routes the specific child config.
- Fixed the encoding and parsing of X.509 certificate policy statements (CPS).
- Duncan Salerno contributed the eap-sim-pcsc plugin implementing a
pcsc-lite based SIM card backend.
- The eap-peap plugin implements the EAP PEAP protocol. Interoperates
successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
all plugins to reload. Currently only the eap-radius and the attr plugins
support configuration reloading.
- Added userland support to the IKEv2 daemon for Extended Sequence Numbers
support coming with Linux 2.6.39. To enable ESN on a connection, add
the 'esn' keyword to the proposal. The default proposal uses 32-bit sequence
numbers only ('noesn'), and the same value is used if no ESN mode is
specified. To negotiate ESN support with the peer, include both, e.g.
esp=aes128-sha1-esn-noesn.
- In addition to ESN, Linux 2.6.39 gained support for replay windows larger
than 32 packets. The new global strongswan.conf option 'charon.replay_window'
configures the size of the replay window, in packets.
11.02.2011
Minor Release
Version 4.5.1¶
- Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP)
compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol
requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend
on the libtnc library. Any available IMV/IMC pairs conforming to the
Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification
can be loaded via /etc/tnc_config.
- Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
plugins in place of the external libtnc library.
- The tnccs_dynamic plugin loaded on a TNC server in addition to the
tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
protocol version used by a TNC client and invokes an instance of
the corresponding protocol stack.
- IKE and ESP proposals can now be stored in an SQL database using a
new proposals table. The start_action field in the child_configs
tables allows the automatic starting or routing of connections stored
in an SQL database.
- The new certificate_authorities and certificate_distribution_points
tables make it possible to store CRL and OCSP Certificate Distribution
points in an SQL database.
- The new 'include' statement allows recursively including other files in
strongswan.conf. Existing sections are thereby extended and existing values
replaced.
- Due to the changes in the parser for strongswan.conf, the configuration
syntax for the attr plugin has changed. Previously, it was possible to
specify multiple values of a specific attribute type by adding multiple
key/value pairs with the same key (e.g. dns) to the plugins.attr section.
Because values with the same key now replace previously defined values
this is not possible anymore. As an alternative, multiple values can be
specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5).
- ipsec listalgs now appends, in square brackets, the name of the plugin that
registered each listed crypto algorithm.
- Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used
by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given
boundary, the special value '%mtu' pads all packets to the path MTU.
- The new af-alg plugin can use various crypto primitives of the Linux Crypto
API using the AF_ALG interface introduced with 2.6.38. This removes the need
for additional userland implementations of symmetric cipher, hash, hmac and
xcbc algorithms.
- The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
responder. The notify is sent when initiating configurations with a unique
policy, set in ipsec.conf via the global 'uniqueids' option.
- The conftest conformance testing framework enables the IKEv2 stack to perform
many tests using a distinct tool and configuration frontend. Various hooks
can alter reserved bits, flags, add custom notifies and proposals, reorder
or drop messages and much more. It is enabled using the --enable-conftest
./configure switch.
- The new libstrongswan constraints plugin provides advanced X.509 constraint
checking. In addition to X.509 pathLen constraints, the plugin checks for
nameConstraints and certificatePolicies, including policyMappings and
policyConstraints. The x509 certificate plugin and the pki tool have been
enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
connection keywords take OIDs a peer certificate must have.
- The left/rightauth ipsec.conf keywords accept values with a minimum strength
for trustchain public keys in bits, such as rsa-2048 or ecdsa-256.
- The revocation and x509 libstrongswan plugins and the pki tool gained basic
support for delta CRLs.
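The strongswan.conf semantics introduced in 4.5.1 (include, sections extended, values replaced, several values given as a comma-separated list), as an added example that is not strongSwan's own parser. The two "files" live in a dict so the example runs offline; a real include globs the filesystem. File names, plugin lists and addresses are constructed for the demonstration.

```python
import re

# Added example, not strongSwan's parser: a reader for the strongswan.conf
# syntax that implements the 4.5.1 semantics. Sections that appear again
# (directly or via include) are extended, repeated keys are replaced, and a
# comma-separated value is the way to give several entries. The "files" live
# in a dict so the example runs offline (names and settings are constructed).
FILES = {
    "/etc/strongswan.conf": """
charon {
    load = aes sha1 sha2 random nonce x509 stroke kernel-netlink socket-default attr
    plugins {
        attr {
            dns = 10.0.0.1
            nbns = 10.0.0.2
        }
    }
}
include /etc/strongswan.d/*.conf
""",
    "/etc/strongswan.d/site.conf": """
charon {
    plugins {
        attr {
            # a second dns key does not add a value, it replaces the first one
            dns = 10.0.0.53, 10.0.1.53
        }
    }
    replay_window = 128
}
""",
}

_KEY_VALUE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def _resolve(pattern):
    """Minimal glob over FILES: '*' matches any run of characters."""
    rx = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
    return sorted(path for path in FILES if rx.match(path))


def parse_into(tree, text):
    """Merge the settings in text into tree (nested dicts)."""
    stack = [tree]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("include "):
            for path in _resolve(line[len("include "):].strip()):
                parse_into(stack[-1], FILES[path])     # merge relative to the current section
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))   # extend existing section
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            m = _KEY_VALUE.match(line)
            if not m:
                raise ValueError(f"cannot parse line {raw!r}")
            stack[-1][m.group(1)] = m.group(2).strip()  # later value replaces earlier one
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return tree


def load(path="/etc/strongswan.conf"):
    return parse_into({}, FILES[path])


def get(tree, dotted, default=None):
    """Look up a setting by its dotted name, e.g. charon.plugins.attr.dns."""
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def get_list(tree, dotted):
    value = get(tree, dotted)
    return [item.strip() for item in value.split(",")] if value else []
```

The point worth remembering when auditing a deployment is the replace rule: a dns key in a later included file silently discards the one set earlier, so the effective value is only visible after all includes have been merged, which is what load() returns.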
Version 4.5.0¶
- IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
If you still like to use the old IKEv1 protocol then you must explicitly
define keyexchange=ikev1.
- Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC
and Galois/Counter Modes based on existing CBC implementations. These
new plugins bring support for AES and Camellia Counter and CCM algorithms
and the AES GCM algorithms for use in IKEv2. A list of all supported
algorithms can be found here.
- The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and
the ipsec pki utility using one or more PKCS#11 libraries. It currently supports
RSA private and public key operations and loads X.509 certificates from
tokens.
- Implemented a general purpose TLS stack based on crypto and credential
primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2,
ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based
client authentication.
- The RADIUS plugin eap-radius now supports multiple RADIUS servers for
redundant setups. Servers are selected by a defined priority, server load and
availability.
- Applets for Maemo 5 (Nokia) make it easy to configure and control IKEv2
based VPN connections with EAP authentication on supported devices.
- The simple led plugin controls hardware LEDs through the Linux LED subsystem.
It currently shows activity of the IKE daemon and is a good example of how to
implement a simple event listener.
- The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2
daemon charon. As a result of this, pluto now supports xfrm marks which
were introduced in charon with 4.4.1.
- Improved MOBIKE behavior in several corner cases, for instance, if the
initial responder moves to a different address.
- Fixed left-/rightnexthop option, which was broken since 4.4.0.
- Fixed a bug not releasing a virtual IP address to a pool if the XAUTH
identity was different from the IKE identity.
- Fixed the alignment of ModeConfig messages on 4-byte boundaries in the
case where the attributes are not a multiple of 4 bytes (e.g. Cisco's
UNITY_BANNER).
- Fixed the interoperability of the socket_raw and socket_default
charon plugins.
Version 4.4.1¶
- The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used
in a user-specific updown script to set marks on inbound ESP or
ESP_IN_UDP packets.
- The openssl plugin now supports X.509 certificate and CRL functions. The use of the Online
Certificate Status Protocol (OCSP) still requires the x509 plugin, though.
X.509 attribute certificate handling relies on the x509 plugin as well.
- OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled
by default. Please update manual load directives in strongswan.conf.
- RFC3779 ipAddrBlock constraint checking has been moved to the addrblock
plugin, disabled by default. Enable it and update manual load directives
in strongswan.conf, if required.
- Issue a warning if explicit load lists are used. Since the number of pluto
and charon plugins is increasing steadily with each release and explicit load
lists might become obsolete, ipsec starter now issues a warning if explicit
load lists are found in strongswan.conf, as we don't recommend their use for
inexperienced users. Experts read on here.
- The pki utility supports CRL generation using the --signcrl command.
- The ipsec pki --self, --issue and --req commands now support output in
PEM format using the --outform pem option.
- The major refactoring of the IKEv1 Mode Config functionality now allows
the transport and handling of arbitrary Mode Config attributes.
- The RADIUS proxy plugin eap-radius now supports multiple servers. Configured
servers are chosen randomly, with the option to prefer a specific server.
Non-responding servers are degraded by the selection process.
- The ipsec pool tool manages arbitrary configuration attributes stored
in an SQL database. ipsec pool --help gives the details.
- The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA,
reading triplets/quintuplets from an SQL database.
- The High Availability plugin now supports a HA enabled in-memory address
pool and Node reintegration without IKE_SA rekeying. The latter allows
clients without IKE_SA rekeying support to keep connected during
reintegration. Additionally, many other issues have been fixed in the ha
plugin.
- Fixed a potential remote code execution vulnerability resulting from
the misuse of snprintf(). The vulnerability was introduced with the
strongswan-4.3.3 release and is exploitable by unauthenticated users.
Patches for all releases starting with 4.3.3 are available.
Version 4.4.0¶
- The IKEv2 High Availability plugin has been integrated. It provides
load sharing and failover capabilities in a cluster of currently two nodes,
based on an extended ClusterIP kernel module (for details see HighAvailability).
The development of the High Availability functionality was sponsored by
secunet Security Networks AG.
- Added IKEv1 and IKEv2 configuration support for the AES-GMAC
authentication-only ESP cipher. Our aes_gmac kernel patch or a Linux
2.6.34 kernel is required to make AES-GMAC available via the XFRM
kernel interface.
- Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp, gcrypt
and openssl plugins, usable by both pluto and charon. The new proposal
keywords are modp1024s160, modp2048s224 and modp2048s256.
Thanks to Joy Latten from IBM for her contribution.
- The IKEv1 pluto daemon supports RAM-based virtual IP pools using
the rightsourceip directive with a subnet from which addresses
are allocated.
- The ipsec pki --gen and --pub commands now allow the output of
private and public keys in PEM format using the --outform pem
command line option.
- The new DHCP plugin queries virtual IP addresses for clients from a DHCP
server using broadcasts, or a defined server using the
charon.plugins.dhcp.server strongswan.conf option. DNS/WINS server information
is additionally served to clients if the DHCP server provides such
information. The plugin is used in ipsec.conf configurations having
rightsourceip set to %dhcp.
- A new plugin called farp fakes ARP responses for virtual IP addresses
handed out to clients from the IKEv2 daemon charon. The plugin lets a
road-warrior act as a client on the local LAN if it uses a virtual IP
from the responders subnet, e.g. acquired using the DHCP plugin.
- The existing IKEv2 socket implementations have been migrated to the
socket-default and the socket-raw plugins. The new socket-dynamic plugin
binds sockets dynamically to ports configured via the left-/rightikeport
ipsec.conf connection parameters.
- The Android charon plugin stores received DNS server information as "net.dns"
system properties, as used by the Android platform.
Version 4.3.6¶
- The IKEv2 daemon supports RFC 3779 IP address block constraints
carried as a critical X.509v3 extension in the peer certificate.
- The ipsec pool --add|del dns|nbns command manages DNS and NBNS name
server entries that are sent via the IKEv1 Mode Config or IKEv2
Configuration Payload to remote clients.
- The Camellia cipher can be used as an IKEv1 encryption algorithm.
- The IKEv1 and IKEv2 daemons now check certificate path length constraints.
- The new ipsec.conf conn option "inactivity" closes a CHILD_SA if no traffic
was sent or received within the given interval. To close the complete IKE_SA
if its only CHILD_SA was inactive, set the global strongswan.conf option
"charon.inactivity_close_ike" to yes.
- More detailed IKEv2 EAP payload information in debug output
- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
- Added required userland changes for proper SHA256 and SHA384/512 in ESP that
will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
configures the kernel with 128 bit truncation, not the non-standard 96
bit truncation used by previous releases. To use the old 96 bit truncation
scheme, the new "sha256_96" proposal keyword has been introduced.
- Fixed IPComp in tunnel mode (IKEv2 only), stripping out the duplicated outer header. This
change makes IPComp tunnel mode connections incompatible with previous
releases; disable compression on such tunnels.
- Fixed BEET mode connections on recent kernels by installing SAs with
appropriate traffic selectors, based on a patch by Michael Rossberg.
- Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where the
responder omits public key authentication in favor of a mutual authentication
method. To enable EAP-only authentication, set rightauth=eap on the responder
to rely only on the MSK constructed AUTH payload. This not-yet standardized
extension requires the strongSwan vendor ID.
- The IKEv1 daemon ignores the Juniper SRX notification type 40001, thus
allowing interoperability.
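Two notes on this page concern the length of the ESP integrity check value: 4.6.3 added untruncated MD5 and SHA-1 HMACs (RFC 4595), and 4.3.6 changed the sha256 keyword to the 128-bit truncation of RFC 4868 while introducing sha256_96 for the old non-standard 96-bit one. The following added example, not strongSwan code, computes the ICV for each keyword and shows what happens when the two ends of a tunnel disagree on the truncation: the receiver cuts the trailing ICV at its own configured length, so verification fails even though both sides use the same hash and key. The keyword table, key and payload are constructed for the demonstration.

```python
import hmac

# Added example, not strongSwan code: ESP integrity keywords and the effect of
# an ICV length mismatch between peers. Keys and payload are constructed.
ALGS = {                      # keyword: (HMAC hash, ICV length in bits)
    "md5_96": ("md5", 96), "md5": ("md5", 128),          # RFC 2403 / RFC 4595
    "sha1_96": ("sha1", 96), "sha1": ("sha1", 160),      # RFC 2404 / RFC 4595
    "sha256_96": ("sha256", 96), "sha256": ("sha256", 128),   # pre-4.3.6 / RFC 4868
    "sha384": ("sha384", 192), "sha512": ("sha512", 256),     # RFC 4868
}


def icv(keyword, key, data):
    hash_name, bits = ALGS[keyword]
    return hmac.new(key, data, hash_name).digest()[: bits // 8]


def verify(keyword, key, data, tag):
    if len(tag) != ALGS[keyword][1] // 8:
        return False
    return hmac.compare_digest(icv(keyword, key, data), tag)


def interop(sender_kw, receiver_kw, key=b"\x11" * 32, payload=b"constructed ESP data"):
    """Does a packet authenticated with sender_kw verify on a peer configured
    with receiver_kw? The receiver splits off the trailing ICV by *its* length."""
    packet = payload + icv(sender_kw, key, payload)
    n = ALGS[receiver_kw][1] // 8
    return verify(receiver_kw, key, packet[:-n], packet[-n:])
```

A peer that still runs a release before 4.3.6 with esp=aes128-sha256 therefore needs sha256_96 on the upgraded side, and the plain sha256 keyword once both ends are current.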
Version 4.3.5¶
- The IKEv1 pluto daemon can now use SQL-based address pools to deal out
virtual IP addresses as a Mode Config server. The pool capability has been
migrated from charon's sql plugin to a new attr-sql plugin which is loaded
by libstrongswan and which can be used by both daemons either with a SQLite
or MySQL database and the corresponding plugin.
- In addition to time based rekeying, charon supports IPsec SA lifetimes based
on processed volume or number of packets. The new ipsec.conf parameters
'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle
SA timeouts, while the parameters 'margintime' (an alias to rekeymargin),
'marginbytes' and 'marginpackets' trigger the rekeying before an SA expires.
The existing parameter 'rekeyfuzz' affects all margins.
- The new 'ipsec pki' tool provides a set of commands to maintain a public
key infrastructure. It currently supports operations to create RSA and ECDSA
private/public keys, calculate fingerprints and issue or verify certificates.
- The EAP-AKA plugin can use different backends for USIM/quintuplet
calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 software
implementation has been migrated to a separate plugin.
- The IKEv2 daemon charon gained basic PGP support. It can use locally installed
peer certificates and can issue signatures based on RSA private keys.
- If no CA/Gateway certificate is specified in the NetworkManager plugin,
charon uses a set of trusted root certificates preinstalled by distributions.
The directory containing CA certificates can be specified using the
--with-nm-ca-dir=path configure option.
IKEv1 fixes¶
- Fixed smartcard-based authentication in the pluto daemon which was broken by
the ECDSA support introduced with the 4.3.2 release.
- Fixed the broken parsing of PKCS#7 wrapped certificates by the pluto daemon.
- A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and vice versa
tunnels established with the IKEv1 pluto daemon.
- The pluto daemon now uses the libstrongswan x509 plugin for certificates and
CRLs and the struct id type was replaced by identification_t used by charon
and the libstrongswan library.
IKEv2 fixes¶
- Fixed the encoding of the Email relative distinguished name in left|rightid
statements.
- Charon uses a monotonic time source for statistics and job queueing, behaving
correctly if the system time changes (e.g. when using NTP).
- Plugin names have been streamlined: EAP plugins now have a dash after eap
(e.g. eap-sim), as it is used with the --enable-eap-sim ./configure option.
Plugin configuration sections in strongswan.conf now use the same name as the
plugin itself (i.e. with a dash). Make sure to update "load" directives and
the affected plugin sections in existing strongswan.conf files.
- The private/public key parsing and encoding has been split up into
separate pkcs1, pgp, pem and dnskey plugins. The public key implementation
plugins gmp, gcrypt and openssl can all make use of them.
Version 4.3.4¶
- IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can
be found on wiki.strongswan.org.
- ipsec statusall shows the number of bytes transmitted and received over
ESP connections configured by the IKEv2 charon daemon.
- The IKEv2 charon daemon supports include files in ipsec.secrets.
Version 4.3.3¶
- The configuration option --enable-integrity-test plus the strongswan.conf
option libstrongswan.integrity_test = yes activate integrity tests
of the IKE daemons charon and pluto, libstrongswan and all loaded
plugins. Thus dynamic library misconfigurations and non-malicious file
manipulations can be reliably detected.
- The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
IKEv1 interoperability with MS Windows using the ECP DH groups 19 and 20.
- The IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP
authenticated encryption algorithms.
- The IKEv1 pluto daemon now supports V4 OpenPGP keys.
- The RDN parser vulnerability discovered by Orange Labs research team
was not completely fixed in version 4.3.2. Some more modifications
had to be applied to the asn1_length() function to make it robust.
Version 4.3.2¶
- The new gcrypt plugin provides symmetric cipher, hasher, RNG, Diffie-Hellman
and RSA crypto primitives using the LGPL licensed GNU gcrypt library.
- libstrongswan features an integrated crypto selftest framework for registered
algorithms. The test-vector plugin provides a first set of test vectors and
allows pluto and charon to rely on tested crypto algorithms.
- pluto can now use all libstrongswan plugins with the exception of x509 and xcbc.
Thanks to the openssl plugin, the ECP Diffie-Hellman groups 19, 20, 21, 25, and
26 as well as ECDSA-256, ECDSA-384, and ECDSA-521 authentication can be used
with IKEv1.
- Applying their fuzzing tool, the Orange Labs vulnerability research team found
another two DoS vulnerabilities, one in the rather old ASN.1 parser of Relative
Distinguished Names (RDNs) and a second one in the conversion of ASN.1 UTCTIME
and GENERALIZEDTIME strings to a time_t value.
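The 4.3.2 and 4.3.3 notes name two places where malformed input caused a denial of service: the ASN.1 length decoding (asn1_length()) used by the RDN parser and the conversion of UTCTIME and GENERALIZEDTIME strings to time_t. As an added example, not strongSwan code, the following implements both steps defensively: every read is bounded before it happens, indefinite and non-minimal lengths are rejected, and each time field is range-checked instead of being trusted. It goes slightly beyond the notes by walking a complete X.509 Validity sequence with those primitives; the DER test vector and the malformed inputs are constructed.

```python
import calendar
import re

# Added example, not strongSwan code: defensive versions of the two parsing
# steps named in the 4.3.2 and 4.3.3 notes. Test inputs are constructed.

class ASN1Error(ValueError):
    pass


def asn1_length(buf, pos=0):
    """Decode a DER length at buf[pos]; return (length, position of the
    content). Rejects indefinite form, length-of-length above 4 octets,
    non-minimal encodings, and any length that runs past the buffer."""
    if pos >= len(buf):
        raise ASN1Error("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise ASN1Error("indefinite length is not DER")
        if n > 4:
            raise ASN1Error("length-of-length too large")
        if pos + n > len(buf):
            raise ASN1Error("truncated: length octets missing")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or length < (1 << (8 * (n - 1))):
            raise ASN1Error("non-minimal length encoding")
    if length > len(buf) - pos:
        raise ASN1Error("length exceeds remaining buffer")
    return length, pos


def asn1_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for one DER element."""
    if pos >= len(buf):
        raise ASN1Error("truncated: no tag octet")
    length, start = asn1_length(buf, pos + 1)
    return buf[pos], buf[start:start + length], start + length


UTCTIME, GENERALIZEDTIME = 0x17, 0x18
_UTC = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def asn1_to_time(value, tag):
    """Convert a DER UTCTime or GeneralizedTime value to a POSIX timestamp."""
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        raise ASN1Error("time value is not ASCII") from None
    if tag == UTCTIME:
        m = _UTC.match(text)
        if not m:
            raise ASN1Error("malformed UTCTime")
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy          # RFC 5280 pivot
        month, day, hour, minute, sec = (int(g) for g in m.groups()[1:])
    elif tag == GENERALIZEDTIME:
        m = _GEN.match(text)
        if not m:
            raise ASN1Error("malformed GeneralizedTime")
        year, month, day, hour, minute, sec = (int(g) for g in m.groups())
    else:
        raise ASN1Error(f"tag 0x{tag:02x} is not a time type")
    if not 1 <= month <= 12:
        raise ASN1Error("month out of range")
    if not 1 <= day <= calendar.monthrange(year, month)[1]:
        raise ASN1Error("day out of range")
    if hour > 23 or minute > 59 or sec > 59:
        raise ASN1Error("time of day out of range")
    return calendar.timegm((year, month, day, hour, minute, sec))


def parse_validity(der):
    """Walk Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, end = asn1_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ASN1Error("expected a single SEQUENCE")
    t1, v1, pos = asn1_tlv(body)
    t2, v2, pos = asn1_tlv(body, pos)
    if pos != len(body):
        raise ASN1Error("trailing data inside Validity")
    return asn1_to_time(v1, t1), asn1_to_time(v2, t2)


def rejects(fn, *args):
    """True if fn(*args) raises ASN1Error; used to exercise the malformed cases."""
    try:
        fn(*args)
    except ASN1Error:
        return True
    return False


# Constructed vector: Validity of 2012-05-31T12:00:00Z .. 2013-05-31T12:00:00Z
VALIDITY = b"\x30\x1e\x17\x0d120531120000Z\x17\x0d130531120000Z"
```

The fuzzer findings described in the notes are exactly the inputs rejects() is exercised with: a long-form length whose value exceeds the data actually present, and time strings with the right length but impossible field values.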
Version 4.3.1¶
- The nm plugin now passes DNS/NBNS server information to NetworkManager,
allowing a gateway administrator to set DNS/NBNS configuration on clients
dynamically.
- The nm plugin also accepts CA certificates for gateway authentication. If
a CA certificate is configured, strongSwan uses the entered gateway address
as its identity, requiring the gateway's certificate to contain the same as
subjectAltName. This allows a gateway administrator to deploy the same
certificates to Windows 7 and NetworkManager clients.
- The command ipsec purgeike deletes IKEv2 SAs that don't have a CHILD SA.
The command ipsec down <conn>{n} deletes CHILD SA instance n of connection
<conn> whereas ipsec down <conn>{*} deletes all CHILD SA instances.
The command ipsec down <conn>[n] deletes IKE SA instance n of connection
<conn> plus dependent CHILD SAs whereas ipsec down <conn>[*] deletes all
IKE SA instances of connection <conn>.
- Fixed a regression introduced in 4.3.0 where EAP authentication calculated
the AUTH payload incorrectly. Further, the EAP-MSCHAPv2 MSK key derivation
has been updated to be compatible with the Windows 7 Release Candidate.
- Refactored installation of triggering policies. Routed policies are handled
outside of IKE_SAs to keep them installed in any case. A tunnel gets
established only once, even if initiation is delayed due to network outages.
- Improved the handling of multiple acquire signals triggered by the kernel.
- Fixed two DoS vulnerabilities in the charon daemon that were discovered by
fuzzing techniques: 1) Sending a malformed IKE_SA_INIT request left an
incomplete state which caused a null pointer dereference if a subsequent
CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
a missing TSi or TSr payload caused a null pointer dereference because the
checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
developed by the Orange Labs vulnerability research team. The tool was
initially written by Gabriel Campana and is now maintained by Laurent Butti.
- Added support for AES counter mode in ESP in IKEv2 using the proposal
keywords aes128ctr, aes192ctr and aes256ctr.
- Further progress in refactoring pluto: Use of the curl and ldap plugins
for fetching crls and OCSP. Use of the random plugin to get keying material
from /dev/random or /dev/urandom. Use of the openssl plugin as an alternative
to the aes, des, sha1, sha2, and md5 plugins. The blowfish, twofish, and
serpent encryption plugins are now optional and are not enabled by default.
Version 4.3.0¶
- Support for the IKEv2 Multiple Authentication Exchanges extension (RFC4739).
Initiators and responders can use several authentication rounds (e.g. RSA
followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and
leftauth2/rightauth2 parameters define own authentication rounds or set up
constraints for the remote peer. See the ipsec.conf man page for more details.
- If glibc printf hooks (register_printf_function) are not available,
strongSwan can use the vstr string library to run on non-glibc systems.
- The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC cipher
(esp=camellia128|192|256).
- Refactored the pluto and scepclient code to use basic functions (memory
allocation, leak detective, chunk handling, printf_hooks, strongswan.conf
attributes, ASN.1 parser, etc.) from the libstrongswan library.
- Up to two DNS and WINS servers to be sent via IKEv1 ModeConfig can be
configured in the pluto section of strongswan.conf.
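A configuration illustrating the two-round setup described above, added here as an example and not taken from the strongSwan documentation: both peers authenticate with certificates in the first round, and the client is additionally authenticated with EAP in a second round. Addresses, certificate file name and the address pool are made up, and the EAP method selection itself is left out.

```ini
conn rw-multi-auth
    keyexchange=ikev2
    left=192.0.2.1
    leftcert=gatewayCert.pem
    # round 1: the gateway proves itself with its certificate
    leftauth=pubkey
    right=%any
    # round 1: the client presents a certificate ...
    rightauth=pubkey
    # round 2: ... and must additionally pass EAP (RFC 4739)
    rightauth2=eap
    rightsourceip=10.3.0.0/24
    auto=add
```

On the responder, rightauth/rightauth2 act as constraints: a client that only completes the certificate round is not accepted until the EAP round has also succeeded.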
30.03.2009
Version 4.2.14¶
- The new server-side EAP RADIUS plugin (--enable-eap-radius)
relays EAP messages to and from a RADIUS server. Successfully
tested with a FreeRADIUS server using EAP-MD5 and EAP-SIM.
- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
Gerd v. Egidy <gerd.von.egidy AT intra2net DOT com> of Intra2net AG affecting
all Openswan and strongSwan releases. A malicious R_U_THERE or R_U_THERE_ACK
Dead Peer Detection packet (or one referring to an expired ISAKMP SA) can
cause the pluto IKE daemon to crash and restart. No authentication or
encryption is required to trigger this bug. One spoofed UDP packet can cause
the pluto IKE daemon to restart and be unresponsive for a few seconds while
restarting. This DPD null state vulnerability has been officially
registered as CVE-2009-0790 and is fixed by this release.
- ASN.1 to time_t conversion caused a time wrap-around for
dates after Jan 19 03:14:07 UTC 2038 (the largest value a signed
32-bit time_t can hold) on 32-bit platforms. As a workaround such
dates are set to the maximum representable time, i.e. Jan 19 03:14:07 UTC 2038.
- Distinguished Names containing wildcards (*) are not sent in the
IDr payload anymore.
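Two of the items above concern the same piece of code: the conversion of ASN.1 UTCTIME and GENERALIZEDTIME strings to a time_t (the DoS found by the Orange Labs fuzzer in 4.3.2 and the 2038 wrap-around fixed in 4.2.14). The following is an added example, not strongSwan's asn1.c, showing what a strict converter looks like: every byte is validated before any arithmetic, UTCTIME years are expanded with the RFC 5280 century rule, and results that do not fit the target time_t are clamped to its maximum instead of wrapping negative. The time_t width is an explicit parameter (callers would pass sizeof(time_t) * 8) so the 32-bit clamp can be exercised on any host; the sample strings are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not strongSwan's asn1.c): strict conversion of ASN.1
 * UTCTIME ("YYMMDDHHMMSSZ") and GENERALIZEDTIME ("YYYYMMDDHHMMSSZ") to a
 * Unix timestamp. Fractional seconds and explicit UTC offsets are rejected,
 * as RFC 5280 forbids them in certificates. */

static bool parse_digits(const char *s, unsigned n, int *out)
{
    int v = 0;
    for (unsigned i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') {
            return false;                   /* non-digit where a digit is required */
        }
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return true;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* time_t_bits: width of the target time_t (32 or 64). Returns false on any
 * malformed input; on success *out holds the (possibly clamped) timestamp. */
bool asn1_time_to_epoch(const char *s, size_t len, bool generalized,
                        unsigned time_t_bits, int64_t *out)
{
    unsigned ylen = generalized ? 4 : 2;
    int year, mon, day, hour, min, sec;

    if (time_t_bits < 32 || time_t_bits > 64) {
        return false;
    }
    if (len != ylen + 11 || s[len - 1] != 'Z') {
        return false;                       /* wrong length or not in UTC */
    }
    if (!parse_digits(s, ylen, &year) || !parse_digits(s + ylen, 2, &mon) ||
        !parse_digits(s + ylen + 2, 2, &day) || !parse_digits(s + ylen + 4, 2, &hour) ||
        !parse_digits(s + ylen + 6, 2, &min) || !parse_digits(s + ylen + 8, 2, &sec)) {
        return false;
    }
    if (!generalized) {
        year += (year < 50) ? 2000 : 1900;  /* RFC 5280 UTCTIME century rule */
    }
    if (mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 59) {
        return false;                       /* out-of-range field */
    }
    int64_t t = days_from_civil(year, mon, day) * 86400 +
                hour * 3600 + min * 60 + sec;
    int64_t max = (int64_t)(((uint64_t)1 << (time_t_bits - 1)) - 1);
    if (t > max) {
        t = max;                            /* clamp, e.g. to Jan 19 03:14:07 UTC 2038 */
    }
    *out = t;
    return true;
}

/* Convenience wrapper for NUL-terminated strings: -1 means malformed input. */
int64_t asn1_time_value(const char *s, bool generalized, unsigned time_t_bits)
{
    int64_t t;
    return asn1_time_to_epoch(s, strlen(s), generalized, time_t_bits, &t) ? t : -1;
}

int main(void)
{
    /* constructed samples: a 2009 UTCTIME and a GENERALIZEDTIME one second past the 32-bit limit */
    printf("%lld\n", (long long)asn1_time_value("090322120000Z", false, 64));
    printf("%lld\n", (long long)asn1_time_value("20380119031408Z", true, 64));
    printf("%lld\n", (long long)asn1_time_value("20380119031408Z", true, 32));
    return 0;
}
```

The length check comes first on purpose: the parser never reads past the buffer it was given, and a fuzzer feeding truncated or oversized time strings gets a clean failure rather than an out-of-bounds read.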
22.03.2009
Version 4.2.13¶
- Fixed a use-after-free bug in the DPD timeout section of the
IKEv1 pluto daemon which sporadically caused a segfault.
- Fixed a crash in the IKEv2 charon daemon occurring with
mixed RAM-based and SQL-based virtual IP address pools.
- Fixed ASN.1 parsing of algorithmIdentifier objects where the
parameters field is optional.
- Ported nm plugin to NetworkManager 7.1.
Version 4.2.12¶
- Support of the EAP-MSCHAPv2 protocol enabled by the option
--enable-eap-mschapv2. Requires the MD4 hash algorithm enabled
either by --enable-md4 or --enable-openssl.
- Assignment of up to two DNS and up to two WINS servers to peers via
the IKEv2 Configuration Payload (CP). The IPv4 or IPv6 nameserver
addresses are defined in strongswan.conf.
- The strongSwan applet for the Gnome NetworkManager is now built and
distributed as a separate tarball under the name NetworkManager-strongswan.
21.01.2009
Version 4.2.11¶
- Fixed ESP NULL encryption broken by the refactoring of keymat.c.
Also introduced proper initialization and disposal of keying material.
- Fixed the missing listing of connection definitions in ipsec statusall
broken by an unfortunate local variable overload.
Version 4.2.10¶
- Several performance improvements to handle thousands of tunnels with almost
linear upscaling. All relevant data structures have been replaced by faster
counterparts with better lookup times.
- Better parallelization to run charon on multiple cores. Due to improved
resource locking and other optimizations the daemon can take full
advantage of 16 or even more cores.
- The load-tester plugin can use a NULL Diffie-Hellman group and simulate
unique identities and certificates by signing peer certificates using a CA
on the fly.
- The redesigned stroke in-memory IP pool handles leases. The "ipsec leases"
command queries assigned leases.
- Added support for smartcards in charon by using the ENGINE API provided by
OpenSSL, based on patches by Michael Roßberg.
- The Padlock plugin supports the hardware RNG found on VIA CPUs to provide a
reliable source of randomness.
Version 4.2.9¶
- Flexible configuration of logging subsystem allowing to log to multiple
syslog facilities or to files using fine-grained log levels for each target.
- Load testing plugin to do stress testing of the IKEv2 daemon against itself
or another host. Found and fixed issues during tests in the multi-threaded
use of the OpenSSL plugin.
- Added profiling code to synchronization primitives to find bottlenecks if
running on multiple cores. Found and fixed an issue where parts of the
Diffie-Hellman calculation acquired an exclusive lock. This greatly improves
parallelization to multiple cores.
- updown script invocation has been separated into a plugin of its own to
further slim down the daemon core.
- Separated IKE_SA/CHILD_SA key derivation process into a closed system,
allowing future implementations to use a secured environment in e.g. kernel
memory or hardware.
- The kernel interface of charon has been modularized. XFRM NETLINK (default)
and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec
stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS
IPsec stack (--enable-kernel-klips) are provided.
- Basic Mobile IPv6 support has been introduced, securing Binding Update
messages as well as tunneled traffic between Mobile Node and Home Agent.
The installpolicy=no option allows peaceful cooperation with a dominant
mip6d daemon and the new type=transport_proxy implements the special MIPv6
IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
but the IPsec SA is set up for the Home Address.
- Implemented migration of Mobile IPv6 connections using the KMADDRESS
field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
via the Linux 2.6.28 (or appropriately patched) kernel.
Version 4.2.8¶
- IKEv2 charon daemon supports authentication based on raw public keys
stored in the SQL database backend. The ipsec listpubkeys command
lists the available raw public keys via the stroke interface.
- Several MOBIKE improvements: Detect changes in NAT mappings in DPD exchanges,
handle events if kernel detects NAT mapping changes in UDP-encapsulated
ESP packets (requires kernel patch), reuse old addresses in MOBIKE updates as
long as possible and other fixes.
- Fixed a bug in addr_in_subnet() which caused insertion of wrong source
routes for destination subnets having netmasks that are not a multiple of 8 bits.
Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
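The addr_in_subnet() fix above is a classic prefix-length bug. The code below is an added example, not strongSwan's implementation: it shows one way such a bug arises (comparing only the whole bytes covered by the prefix, so a /12 silently behaves like a /8) next to a correct check that masks the partial byte. It works for IPv4 and IPv6; the addresses in the test are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example, not strongSwan's addr_in_subnet(). Buggy variant: only
 * whole bytes are compared, so any prefix that is not a multiple of 8
 * widens to the next byte boundary. Kept only to contrast with the fix. */
bool addr_in_subnet_bytewise(const uint8_t *addr, const uint8_t *net,
                             size_t len, unsigned prefix)
{
    if (prefix > len * 8) {
        return false;
    }
    return memcmp(addr, net, prefix / 8) == 0;
}

/* Correct check: compare the whole bytes, then mask the remaining bits of
 * the partial byte. len is 4 for IPv4 and 16 for IPv6. */
bool addr_in_subnet(const uint8_t *addr, const uint8_t *net,
                    size_t len, unsigned prefix)
{
    if (prefix > len * 8) {
        return false;
    }
    size_t full = prefix / 8;
    unsigned rem = prefix % 8;

    if (memcmp(addr, net, full) != 0) {
        return false;
    }
    if (rem == 0) {
        return true;
    }
    uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
    return ((addr[full] ^ net[full]) & mask) == 0;
}

/* Text front end: af is AF_INET or AF_INET6; bytewise selects the buggy variant. */
bool in_subnet(int af, const char *addr, const char *net, unsigned prefix, bool bytewise)
{
    uint8_t a[16], n[16];
    size_t len = (af == AF_INET6) ? 16 : 4;

    if (inet_pton(af, addr, a) != 1 || inet_pton(af, net, n) != 1) {
        return false;
    }
    return bytewise ? addr_in_subnet_bytewise(a, n, len, prefix)
                    : addr_in_subnet(a, n, len, prefix);
}

int main(void)
{
    /* constructed: 10.16.0.0 lies outside 10.0.0.0/12, but the bytewise check says otherwise */
    printf("correct:  %d\n", in_subnet(AF_INET, "10.16.0.0", "10.0.0.0", 12, false));
    printf("bytewise: %d\n", in_subnet(AF_INET, "10.16.0.0", "10.0.0.0", 12, true));
    return 0;
}
```

For a route lookup the consequence of the bytewise variant is that traffic for a neighbouring /12 would match the wrong policy; the masked comparison is what a kernel or daemon must do for any prefix length.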
18.09.2008
Version 4.2.7¶
- Fixed a Denial-of-Service vulnerability where an IKE_SA_INIT message with
a KE payload containing zeroes only can cause a crash of the IKEv2 charon
daemon due to a NULL pointer returned by the mpz_export() function of the
GNU Multiprecision Library (GMP). Thanks go to Mu Dynamics Research Labs
for making us aware of this problem.
- The new agent plugin provides a private key implementation on top of an
ssh-agent.
- The NetworkManager plugin has been extended to support certificate client
authentication using RSA keys loaded from a file or using ssh-agent.
- Daemon capability dropping has been ported to libcap and must be enabled
explicitly with --with-capabilities=libcap. Future versions will support the
newer libcap2 library.
- ipsec listalgs lists the IKEv2 cryptographic algorithms registered with the
charon keying daemon.
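The KE payload crash above is a reminder that a peer-supplied Diffie-Hellman public value must be validated before it reaches the bignum library. The following added example (not charon's code) checks a received value y against the group prime p: the KE data must be exactly the modulus length, as RFC 7296 requires for MODP groups, and y must satisfy 1 < y < p-1 in the sense of RFC 6989. An all-zero payload fails the "y > 1" test and is never imported. The tiny 16-bit "groups" in the test are constructed for illustration only; real MODP primes are 1024 bits and up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not charon's own code: sanity checks on a received DH
 * public value before any bignum arithmetic. */

#define MAX_MODP_BYTES 1024   /* enough for 8192-bit groups */

/* Compare big-endian unsigned integers of possibly different length
 * (leading zero bytes are ignored). Returns -1, 0 or 1. */
int be_cmp(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    while (alen && *a == 0) { a++; alen--; }
    while (blen && *b == 0) { b++; blen--; }
    if (alen != blen) {
        return alen < blen ? -1 : 1;
    }
    for (size_t i = 0; i < alen; i++) {
        if (a[i] != b[i]) {
            return a[i] < b[i] ? -1 : 1;
        }
    }
    return 0;
}

/* y and p are big-endian; true only if len(y) == len(p) and 1 < y < p-1. */
bool ke_value_valid(const uint8_t *y, size_t ylen, const uint8_t *p, size_t plen)
{
    static const uint8_t one = 1;
    uint8_t pm1[MAX_MODP_BYTES];

    if (plen == 0 || plen > sizeof(pm1) || ylen != plen) {
        return false;                       /* wrong KE length for this group */
    }
    if (be_cmp(y, ylen, &one, 1) <= 0) {
        return false;                       /* y == 0 (all-zero payload) or y == 1 */
    }
    for (size_t i = 0; i < plen; i++) {     /* pm1 = p - 1, with borrow */
        pm1[i] = p[i];
    }
    for (size_t i = plen; i-- > 0; ) {
        if (pm1[i]-- != 0) {
            break;
        }
    }
    return be_cmp(y, ylen, pm1, plen) < 0;  /* y < p - 1 */
}

/* Helper for the constructed 16-bit demonstration groups. */
bool ke_value_valid_u16(uint16_t y, uint16_t p)
{
    uint8_t yb[2] = { (uint8_t)(y >> 8), (uint8_t)y };
    uint8_t pb[2] = { (uint8_t)(p >> 8), (uint8_t)p };
    return ke_value_valid(yb, 2, pb, 2);
}

int main(void)
{
    /* constructed: p = 23; an all-zero value and p-1 must be rejected, 2 accepted */
    printf("y=0:  %d\n", ke_value_valid_u16(0, 23));
    printf("y=22: %d\n", ke_value_valid_u16(22, 23));
    printf("y=2:  %d\n", ke_value_valid_u16(2, 23));
    return 0;
}
```

Rejecting y = 0 and y = 1 (and p-1) also shuts the door on a peer forcing a trivially predictable shared secret, which is why RFC 6989 asks for the check independently of the crash fixed here.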
Version 4.2.6¶
- A NetworkManager plugin allows GUI-based configuration of road-warrior
clients in a simple way. It features X509 based gateway authentication
and EAP client authentication, tunnel setup/teardown and storing passwords
in the Gnome Keyring.
- A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt and allows
username/password authentication against any PAM service on the gateway.
The new EAP method interacts nicely with the NetworkManager plugin and allows
client authentication against e.g. LDAP.
- Improved support for the EAP-Identity method. The new ipsec.conf eap_identity
parameter defines an additional identity to pass to the server in EAP
authentication.
- The "ipsec statusall" command now lists CA restrictions, EAP
authentication types and EAP identities.
- Fixed two multithreading deadlocks occurring when starting up
several hundred tunnels concurrently.
- Fixed the --enable-integrity-test configure option which
computes a SHA-1 checksum over the libstrongswan library.
Version 4.2.5¶
- Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
- Improved the performance of the SQL-based virtual IP address pool
by introducing an additional addresses table. The leases table
storing only history information has become optional and can be
disabled by setting charon.plugins.sql.lease_history = no in
strongswan.conf.
- The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
- Management of different virtual IP pools for different
network interfaces has become possible.
- Fixed a bug which prevented the assignment of more than 256
virtual IP addresses from a pool managed by an SQL database.
- Fixed a bug which did not delete own IPCOMP SAs in the kernel.
Version 4.2.4¶
- Added statistics functions to ipsec pool --status and ipsec pool --leases
and input validation checks to various ipsec pool commands.
- ipsec statusall now lists all loaded charon plugins and displays
the negotiated IKEv2 cipher suite proposals.
- The openssl plugin supports the elliptic curve Diffie-Hellman groups
19, 20, 21, 25, and 26.
- The openssl plugin supports ECDSA authentication using elliptic curve
X.509 certificates.
- Fixed a bug in stroke which caused multiple charon threads to close
the file descriptors during packet transfers over the stroke socket.
- ESP sequence numbers are now migrated in IPsec SA updates handled by
MOBIKE. Works only with Linux kernels >= 2.6.17.
Version 4.2.3¶
- Fixed the strongswan.conf path configuration problem that occurred when
--sysconfig was not set explicitly in ./configure.
- Fixed a number of minor bugs that were discovered during the 4th
IKEv2 interoperability workshop in San Antonio, TX.
Version 4.2.2¶
- Plugins for libstrongswan and charon can optionally be loaded according
to a configuration in strongswan.conf. Most components provide a
"load = " option followed by a space separated list of plugins to load.
This allows e.g. the fallback from a hardware crypto accelerator to
software-based crypto plugins.
- Charon's SQL plugin has been extended by a virtual IP address pool.
Configurations with a rightsourceip=%poolname setting query a SQLite or
MySQL database for leases. The "ipsec pool" command helps in administrating
the pool database. See ipsec pool --help for the available options.
- The Authenticated Encryption Algorithms AES-CCM-8/12/16 and AES-GCM-8/12/16
for ESP are now supported starting with the Linux 2.6.25 kernel. The
syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
Version 4.2.1¶
- Support for "Hash and URL" encoded certificate payloads has been implemented
in the IKEv2 daemon charon. Using the "certuribase" option of a CA section
allows to assign a base URL to all certificates issued by the specified CA.
The final URL is then built by concatenating that base and the hex encoded
SHA1 hash of the DER encoded certificate. Note that this feature is disabled
by default and must be enabled using the option "charon.hash_and_url".
- The IKEv2 daemon charon now supports the "uniqueids" option to close multiple
IKE_SAs with the same peer. The option value "keep" prefers existing
connection setups over new ones, where the value "replace" replaces existing
connections.
- The crypto factory in libstrongswan additionally supports random number
generators, plugins may provide other sources of randomness. The default
plugin reads raw random data from /dev/(u)random.
- Extended the credential framework by a caching option to allow plugins
persistent caching of fetched credentials. The "cachecrl" option has been
re-implemented.
- The new trustchain verification introduced in 4.2.0 has been parallelized.
Threads fetching CRL or OCSP information no longer block other threads.
- A new IKEv2 configuration attribute framework has been introduced allowing
plugins to provide virtual IP addresses, and in the future, other
configuration attribute services (e.g. DNS/WINS servers).
- The stroke plugin has been extended to provide virtual IP addresses from
a pool defined in ipsec.conf. The "rightsourceip" parameter now accepts
address pools in CIDR notation (e.g. 10.1.1.0/24). The parameter also accepts
the value "%poolname", where "poolname" identifies a pool provided by a
separate plugin.
- Fixed compilation on uClibc and a couple of other minor bugs.
- Set DPD defaults in ipsec starter to dpd_delay=30s and dpd_timeout=150s.
- The IKEv1 pluto daemon now supports the ESP encryption algorithm CAMELLIA
with key lengths of 128, 192, and 256 bits, as well as the authentication
algorithm AES_XCBC_MAC. Configuration example: esp=camellia192-aesxcbc.
Version 4.2.0¶
- libstrongswan has been modularized to attach crypto algorithms,
credential implementations (keys, certificates) and fetchers dynamically
through plugins. Existing code has been ported to plugins:
- RSA/Diffie-Hellman implementation using the GNU Multi Precision library
- X509 certificate system supporting CRLs, OCSP and attribute certificates
- Multiple plugins providing crypto algorithms in software
- CURL and OpenLDAP fetcher
- libstrongswan gained a relational database API which uses pluggable database
providers. Plugins for MySQL and SQLite are available.
- The authentication and credential framework in charon has been heavily
refactored to support modular credential providers, proper
CERTREQ/CERT payload exchanges and extensible authorization rules.
- The framework of strongSwan Manager has evolved into the web application
framework libfast (FastCGI Application Server w/ Templates) and is usable
by other applications.
15.02.2008
Version 4.1.11¶
- IKE rekeying in NAT situations did not inherit the NAT conditions
to the rekeyed IKE_SA so that the UDP encapsulation was lost with
the next CHILD_SA rekeying.
- Wrong type definition of the next_payload variable in id_payload.c
caused an INVALID_SYNTAX error on PowerPC platforms.
- Implemented IKEv2 EAP-SIM server and client test modules that use
triplets stored in a file. For details on the configuration see
the scenario 'ikev2/rw-eap-sim-rsa'.
Version 4.1.10¶
- Fixed error in the ordering of the certinfo_t records in the ocsp cache that
caused multiple entries of the same serial number to be created.
- Implementation of a simple EAP-MD5 module which provides CHAP
authentication. This may be interesting in conjunction with certificate
based server authentication, as weak passwords can't be brute forced
(in contrast to traditional IKEv2 PSK).
- A complete software based implementation of EAP-AKA, using algorithms
specified in 3GPP2 (S.S0055). This implementation does not use an USIM,
but reads the secrets from ipsec.secrets. Make sure to read eap_aka.h
before using it.
- Support for vendor specific EAP methods using Expanded EAP types. The
interface to EAP modules has been slightly changed, so make sure to
check the changes if you're already rolling your own modules.
Version 4.1.9¶
- The default _updown script now dynamically inserts and removes ip6tables
firewall rules if leftfirewall=yes is set in IPv6 connections. New IPv6
net-net and roadwarrior (PSK/RSA) scenarios for both IKEv1 and IKEv2 were
added.
- Implemented RFC4478 repeated authentication to force EAP/Virtual-IP clients
to reestablish an IKE_SA within a given timeframe.
- strongSwan Manager supports configuration listing, initiation and termination
of IKE and CHILD_SAs.
- Fixes and improvements to multithreading code.
- IKEv2 plugins have been renamed to libcharon-* to avoid naming conflicts.
Make sure to remove the old plugins in $libexecdir/ipsec, otherwise they get
loaded twice.
Version 4.1.8¶
- Removed recursive pthread mutexes since uClibc doesn't support them.
Version 4.1.7¶
- In NAT traversal situations and multiple queued Quick Modes,
those pending connections inserted by auto=start after the
port floating from 500 to 4500 were erroneously deleted.
- Added a "forceencaps" connection parameter to enforce UDP encapsulation
to surmount restrictive firewalls. NAT detection payloads are faked to
simulate a NAT situation and trick the other peer into NAT mode (IKEv2 only).
- Experimental SQLite configuration backend which will provide the configuration
interface for strongSwan Manager in future releases.
- Further improvements to MOBIKE support.
03.09.2007
Version 4.1.6¶
- Since some third party IKEv2 implementations run into
problems with strongSwan announcing MOBIKE capability per
default, MOBIKE can be disabled on a per-connection-basis
using the mobike=no option. Whereas mobike=no disables the
sending of the MOBIKE_SUPPORTED notification and the floating
to UDP port 4500 with the IKE_AUTH request even if no NAT
situation has been detected, strongSwan will still support
MOBIKE acting as a responder.
- the default ipsec routing table plus its corresponding priority
used for inserting source routes has been changed from 100 to 220.
It can be configured using the --with-ipsec-routing-table and
--with-ipsec-routing-table-prio options.
- the --enable-integrity-test configure option tests the
integrity of the libstrongswan crypto code during the charon
startup.
- the --disable-xauth-vid configure option disables the sending
of the XAUTH vendor ID. This can be used as a workaround when
interoperating with some Windows VPN clients that get into
trouble upon reception of an XAUTH VID without eXtended
AUTHentication having been configured.
- ipsec stroke now supports the rereadsecrets, rereadaacerts,
rereadacerts, and listacerts options.
Version 4.1.5¶
- If a DNS lookup failure occurs when resolving right=%<FQDN>
or right=<FQDN> combined with rightallowany=yes then the
connection is not updated by ipsec starter, thus preventing
the disruption of an active IPsec connection. The corresponding
connection definition is updated only if the DNS lookup succeeds
and returns a changed IP address.
- Routes installed by the keying daemons are now in a separate
routing table with the ID 100 to avoid conflicts with the main
table. Route lookup for IKEv2 traffic is done in userspace to ignore
routes installed for IPsec, as IKE traffic shouldn't get encapsulated.
Version 4.1.4¶
- The pluto IKEv1 daemon now exhibits the same behaviour as its
IKEv2 companion charon by inserting an explicit route via the
_updown script only if a sourceip exists. This is admissible
since routing through the IPsec tunnel is handled automatically
by NETKEY's IPsec policies. As a consequence the left|rightnexthop
parameter is not required any more.
- ipsec starter now fails more gracefully in the presence of parsing
errors. Flawed ca and conn sections are discarded and pluto is started
if only non-fatal errors were encountered. If right=%peer.foo.bar
cannot be resolved by DNS then right=%any will be used so that passive
connections as a responder are still possible.
- The new pkcs11initargs parameter that can be placed in the
setup config section of /etc/ipsec.conf allows the definition
of an argument string that is used with the PKCS#11 C_Initialize()
function. This non-standard feature is required by the NSS softoken
library. This patch was contributed by Robert Varga.
- Fixed a bug in ipsec starter introduced by strongswan-2.8.5
which caused a segmentation fault in the presence of unknown
or misspelt keywords in ipsec.conf. This bug fix was contributed
by Robert Varga.
- Partial support for MOBIKE in IKEv2. The initiator acts on interface/
address configuration changes and updates IKE and IPsec SAs dynamically.