strongSwan

h1. Version 5.5.2

* Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined by "RFC 8031":https://tools.ietf.org/html/rfc8031

  is provided by the new _curve25519_ plugin.

* Support of Ed25519 digital signature algorithm for IKEv2 as defined by "draft-ietf-ipsecme-eddsa":https://tools.ietf.org/html/draft-ietf-ipsecme-eddsa

  is provided by the new _curve25519_ plugin. Ed25519-based public key pairs, X.509 certificates and CRLs

  can be generated and printed by the [[IpsecPKI|pki]] tool.

* The new [[TpmPlugin|tpm libtpmtss plugin]] allows to use persistent private RSA and ECDSA keys bound

  to a TPM 2.0 for both IKE and TLS authentication. Using the TPM 2.0 object handle as keyid

  parameter, the [[IpsecPkiPub|pki --pub]] tool can extract the public key from the TPM thereby replacing the

  _aikpub2_ tool. In a similar fashion [[IpsecPkiReq|pki --req]] can generate a PKCS#10 certificate request signed

  with the TPM private key.  Optionally the _tpm_ plugin may be used as RNG.

* The [[IpsecPki|pki tool]] gained support for generating certificates with "RFC 3779":https://tools.ietf.org/html/rfc3779 addrblock extensions.

  The charon _addrblock_ plugin now dynamically narrows traffic selectors based on the certificate's

  addrblocks instead of rejecting non-matching selectors completely. This allows generic connections,

  where the allowed selectors are defined by the used certificates only.

* The optional [[bypass-lan]] plugin automatically installs and updates passthrough/bypass

  policies for locally attached subnets.  This is useful for mobile hosts that are used in different

  networks that want to access local devices in these networks (e.g. printers or NAS) while

  connected to a VPN.

* A command injection vulnerability in the [[IPsecCommand|ipsec script]] was fixed, which was exploitable if unprivileged

  users were allowed to run the script via @sudo@ (commit:2ec6372f5a).

  Thanks to Andrea Barisani for reporting this.

* Several new features for the [[VICI]] interface and the [[swanctl]] utility were added:

 * Enumerating and unloading private keys and shared secrets (@swanctl --load-creds@ now

   automatically unloads removed secrets)

 * Loading keys and certificates from PKCS#11 tokens or a TPM (refer to the documentation of

   _cert<suffix>_ and _token<suffix>_ sections in [[swanctl.conf]])

 * The ability to initiate, install and uninstall connections and policies by their exact

   name (if multiple child sections in different connections share the same name)

 * Querying a specific pool

 * A command to initiate the rekeying of IKE and IPsec SAs

 * Public keys may be configured directly in [[swanctl.conf]] via _0x/0s_ prefix (actually works for

   certificates too)

 * The overhead of the VICI logger has been reduced as it now only does something if listeners

   are registered

 * Support for [[swanctl.conf|settings]] previously only supported by the old config files: DSCP, certificate

   policies, IPv6 Transport Proxy Mode, NT hash secrets, mediation extension

* In-place update of cached base and delta CRLs does not leave dozens of stale copies in cache memory.

* Support for handling @IKEV2_MESSAGE_ID_SYNC@ notifies as responder (usually the original initiator

  of an IKE_SA) as defined in "RFC 6311":https://tools.ietf.org/html/rfc6311 was added. Some HA solutions use these notifies to set

  the new IKEv2 message IDs after a failover event (currently not our [[HighAvailability|HA]] solution, though).

* By default, the IKE daemon keeps SAs on the routing path with addresses it previously used if that

  path is still usable. Enabling _charon.prefer_best_path_ changes that and it will try more aggressively

  to update SAs with MOBIKE on routing changes using the cheapest path. This adds more noise, but

  allows to dynamically adapt SAs to routing priority changes, for instance, if some paths actually

  generate more costs than others (commit:597e8c9e00).

* If MOBIKE is disabled and the local address is statically configured the daemon will now ignore any

  roaming events that might, otherwise, cause it to attempt to recreate the IKE_SA (commit:be27e76869).

* Trap policies now use priorities from the same range as regular policies, which allows installing

  overlapping trap policies (#1243).

* When proposing transport mode the IKE daemon now always applies the hosts to the traffic selectors.

  It previously only did so if _%dynamic_ was used as TS. However, that's not the case if wildcard trap

  policies are configured (no single remote address specified).  Once traffic matched, the daemon proposed

  the configured remote TS as-as, which the responder then had to narrow down to its own local address.

  Some third-party implementations, however, reject such non-host TS for transport mode SAs (commit:da82786b2d).

* For AH the _kernel-netlink_ plugin now enables the correct 4 byte alignment (by default, the kernel

  uses an 8 byte alignment, which is mandatory for IPv6 but prohibited for IPv4, commit:965daa1df3).

* The _kernel-netlink_ plugin now considers labels when selecting IPv6 addresses (#2138) and sets the

  NODAD flag for virtual IPv6 addresses to avoid issues with failing DAD(Optimistic Duplicate Address Detection) (#2183).

* The receive buffer size used by the _kernel-netlink_ plugin is now configurable (commit:8a91729dfe).

* If route installation is disabled (_charon.install_routes_) the _kernel-netlink_ plugin now uses a more

  efficient route lookup to determine source and next-hop addresses (commit:558691b3b0).

* No mark is installed anymore on inbound IPsec SAs. So explicitly marking inbound traffic before

  decryption is not necessary anymore (commit:067fd2c69c).

* The range from which SPIs for IPsec SAs are allocated by the kernel is now configurable.

* PSKs for IKEv1 connections are now first looked up based on configured identities of connections

  that match the IPs, before falling back to searching for PSKs for the IPs (#2223).

* The daemon now responds to DPDs for rekeyed IKEv1 SAs (#2090).

* [[charon-systemd]] now reloads [[strongswan.conf]], the loggers and the plugins (that support it)

  when it receives a SIGHUP. The same may be achieved via VICI's _reload-settings_ command, which

  previously did not reload the loggers.

* The [[forecast]] plugin used the incorrect port in UDP NAT-T rules (commit:094a4d15cf).

* Validation via OCSP and CRLs can be disabled individually in the _revocation_ plugin.

* RFC 5114 DH groups were removed from the default proposal (commit:649537ee8d), they may be used if

  configured explicitly.

* A memory leak was fixed when CHILD_SA configs were updated via VICI (commit:da1d5cd2e6).

* The plugin loader now correctly hashes registered plugin features (commit:ac4942c3c3).

* Notes for developers:

 * Due to issues with [[VICI]] bindings that map sub-sections to dictionaries (e.g. Python)

   the CHILD_SA sections returned via _list-sas_ now have a unique name.  The original name

   of a CHILD_SA is returned in the _name_ key of its section.

 * To simplify loading certificates via [[VICI]] when running on the same host as the daemon

   absolute paths to certificates (instead of their binary encoding) may be passed via

   _cert<suffix>_ sections (_file_ key).

 * The @load-testconfig@ script now loads the configs from the source directory and pre-processes

   them properly (previously it was required to run do-tests once for the target scenario).