strongSwan

h1. Version 5.3.3

* Added support for the ChaCha20/Poly1305 AEAD cipher specified in "RFC 7539":https://tools.ietf.org/html/rfc7539 and

  "RFC 7634":https://tools.ietf.org/html/rfc7634 using the _chacha20poly1305_ [[IKEv2CipherSuites|ike/esp proposal keyword]].

  The new _chapoly_ plugin implements the cipher, if possible SSE-accelerated on x86/x64

  architectures. It is usable both in IKEv2 and the strongSwan _libipsec_ ESP backend.

  On Linux 4.2 or newer the _kernel-netlink_ plugin can configure the cipher for ESP SAs.

* The [[vici]]/[[swanctl]] interface now supports the configuration of auxiliary certification

  authority information as CRL and OCSP URIs.

* In the [[bliss]] plugin the c_indices derivation using a SHA-512 based random oracle

  has been fixed, generalized and standardized by employing the MGF1 mask generation

  function with SHA-512. As a consequence BLISS signatures unsing the improved oracle

  are not compatible with the earlier implementation.

* Support for _auto=route_ with _right=%any_ for transport mode connections has been

  added (refer to #196-6 for details and some examples).

* The starter daemon does not flush IPsec policies and SAs anymore when it is stopped.

  Already existing duplicate policies are now overwritten by the IKE daemon when it

  installs its policies (commit:695112d7b8, commit:dc2fa791e4).  Usually, there shouldn't be any

  leftovers after the IKE daemon has been properly terminated, but if it crashes the kernel

  state won't be cleaned up.  Because earlier releases couldn't handle already existing

  duplicate policies in the kernel, the starter daemon flushed them during shutdown so

  the daemon would find a clean slate when was restarted.  Since existing policies are not

  a problem anymore this is no longer necessary.  And in situations where _installpolicies=no_

  is used policies shouldn't be flushed blindly anyway.

* [[JobPriority#IKE_SA_INIT-dropping|Init limits]] can now optionally be enforced when initiating SAs via [[VICI]]. For this IKE_SAs

  initiated by the daemon are now also counted as half-open SAs, which, as a side-effect,

  fixes the status output while connecting (e.g. in [[ipseccommand|ipsec status]]).

* Symmetric configuration of EAP methods in left|rightauth is now possible when mutual

  EAP-only authentication is used (previously, the client had to configure _rightauth=eap_

  or rightauth=any, which prevented it from using this same config as responder).

* The initiator flag in the IKEv2 header is compared again (wasn't the case since version:5.0.0) and

  packets that have the flag set incorrectly are again ignored (commit:47a340e1f7, commit:5fee79d854).

* Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy Device Health

  Assessment Trusted Network Connect Binding" (HCD-TNC) document drafted by the IEEE

  Printer Working Group (PWG), see [[HCD-IMC]] and [[HCD-IMV]].

* Fixed IF-M segmentation which failed in the presence of multiple small attributes in front

  of a huge attribute to be segmented (commit:10f25a3dd9).

* Refcounting for allocated reqids has been fixed for situations where make-before-break

  reauthentication is used and CHILD_SAs have already been rekeyed (commit:3665adef19).

* Fixed a crash when retrying CHILD_SA rekeying due to a DH group mismatch (commit:1729df9275).

* If multiple CA certificates are set in [[swanctl.conf]] (_connections.<conn>.remote<suffix>.cacerts_)

  it is now enough if the certificate chain contains at least one of them, not all (commit:774c8c3847).

* Referring to a CA certificate in [[ipsecdirectorycacerts|ipsec.d/cacerts]] in a [[CaSection|ca section]] does not cause duplicate

  certificate requests anymore (was the case since version:5.3.0, #842-10).  CA certificates are

  now atomically reloaded by [[Ipseccommand#Reread-Commands|ipsec rereadcacerts]] so unchanged certificates are always

  available. The command now also reloads certificates referenced in CA sections.

* Inbound IKEv1 messages are now handled with different job priorities (commit:a5c07be058).

* When strongSwan creates ASN.1 DN identities from strings, it now uses UTF8String

  instead of T61String to encode RDNs that contain characters outside the character set

  of PrintableString.

* The new [[ipsecpkidn|pki --dn]] command extracts subject DistinguishedNames from certificates,

  which is useful if the [[IdentityParsing|automatic identity parsing]] is unable to produce the correct

  binary ASN.1 encoding of the DN from its string representation.

* To implement IPv6 NDP proxying via [[updown]] script (e.g. via @ip -6 neigh add proxy@)

  the virtual IPs assigned to a client are now passed to the script (#1008).

* RADIUS Accounting Start messages are now correctly triggered for IKEv1 SAs when clients

  don't do any Mode Config or XAuth exchanges during reauthentication (#937).

* Support for the Framed-IPv6-Address and DNS-Server-IPv6-Address RADIUS attributes has

  been added. Virtual IPv6 addresses are now sent in Framed-IPv6-Address attributes in

  RADIUS Accounting messages (#1001).

* Some fixes went into the [[HighAvailability|HA plugin]] and related code: The jhash() function was updated

  for Linux 4.1+ (commit:93caf23e1b), NAT keepalives (commit:edaba56ec7) and CHILD_SA rekeying

  (commit:e095d87bb6) are now disabled for passive SAs, and the remote address is synced

  when an SA is first added (commit:3434709460).  Also, the use of AEAD  algorithms in CHILD_SAs

  has been fixed (#1051) and the control FIFO is recreated if it is no FIFO (commit:fffee7c759).

* The buffer size for the Netlink receive buffer has been changed, the default is now the same

  as in the kernel (commit:a6896b6149, commit:197de6e66b).

* In particular for hosts with lots of routes an alternative faster source address lookup may be

  used by setting _charon.plugins.kernel-netlink.fwmark=!<mark>_ (commit:6bd1216e7a).

* The _kernel-pfkey_ plugin now can configure AES-GCM, which is supported on FreeBSD 11.

* Fixed some potential race conditions during shutdown of the daemon (#1014).

* Address resolution has been improved: If a local address is configured we use the same

  address family when resolving the remote address (#993).  If the remote address resolves

  to %any during reauthentication or when reestablishing an SA we keep the current

  address (#1027).

* A new option allows disabling the side-swapping based on the addresses/hostnames in

  _left|right_, when the _stroke_ plugin loads a config from [[ipsec.conf]].