- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
was caused by insufficient verification of the internal state when handling
EAP-MSCHAPv2 Success messages received by the client.
This vulnerability has been registered as CVE-2015-8023.
Please refer to our blog for details.
- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
Within the strongSwan framework SHA3 is currently used for BLISS signatures
only because the OIDs for other signature algorithms haven't been defined
yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
- The EAP-MSCHAPv2 username now replaces the identity of any previous EAP-Identity
- A bug with setting the source IP for IKE packets was fixed that caused problems with
newer compilers (#1171).
- Some VICI commands received updates: NAT information and virtual IPs are listed for
IKE_SAs (04f22cdabc, bdb8b76515), IP address leases are optionally listed
for pools defined via VICI (f4641f9e45).
- Fetching CRLs in PEM format is now supported and using the curl plugin to fetch CRLs
file:// URIs has also been fixed (#1203).
- CRLs added via VICI are now properly added to the credential set (e5e352e631).
- IKEv2 NAT-D payloads are now created in a more static way, which ensures they stay the
same when retrying to establish an IKE_SA (e.g. due to INVALID_KEY_PAYLOAD notifies, #1131).
- Fixed compress=yes (IPComp) with IPv6 and leftfirewall=yes (382f8a334a).
del_policy method of
kernel_ipsec_t now receives the same information originally
- The kernel-netlink plugin allows IPsec policies to replace shunt policies, which allows
configuring matching type=drop policies along side auto=add connections.
- To debug custom plugins they can now optionally be loaded with
RTLD_NOW so missing
symbols are revealed immediately (via charon.dlopen_use_rtld_now). The same applies
for custom IMVs/IMCs.
- The Android app has been updated to use the Gradle build system.