Identity-based CA constraints, which enforce that the certificate chain of the remote peer contains a CA certificate with a specific identity, are supported via vici/swanctl.conf. This is similar to the existing CA constraints but doesn't require the CA certificate to be installed locally, for instance, for intermediate CA certificates received from the peers. Wildcard identity matching (e.g. ..., OU=Research, CN=*) could also be used for the latter but requires trust in the intermediate CAs to only issue certificates with legitimate subject DNs (e.g. the "Sales" CA must not issue certificates with OU=Research). With the new constraint that's not necessary as long as a path length basic constraint (--pathlen for pki --issue) prevents intermediate CAs from issuing further intermediate CAs.
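Added example, not from the strongSwan release notes: a swanctl.conf fragment that pins the remote peer's chain to a specific intermediate CA identity via the swanctl.conf ca_id option (the option name is taken from the swanctl.conf documentation for this release, not from the text above), with the pki --issue invocation that limits that CA with --pathlen shown as a comment. All DNs, file names and the connection name are constructed placeholders.

```ini
# Constructed example. The intermediate "Research CA" is issued by the root
# with a path length of 0, so it can issue end-entity certificates but no
# further CA certificates (pki command shown here for reference only):
#
#   pki --issue --ca --pathlen 0 --cacert root.crt --cakey root.key \
#       --in research.pub --dn "C=CH, O=Example, OU=Research, CN=Research CA" \
#       > research.crt
#
# Only root.crt needs to be installed locally (e.g. in the x509ca directory);
# research.crt may arrive from the peer during IKE_AUTH.

connections {
    research {
        remote_addrs = %any
        local {
            auth = pubkey
            certs = gw.crt
            id = gw.example.org
        }
        remote {
            auth = pubkey
            # Accept a peer only if the validated chain contains a CA
            # certificate with exactly this subject DN. Because the root
            # enforces pathlen 0, no other CA can appear below it, so a
            # different intermediate (e.g. the "Sales" CA) cannot satisfy
            # this constraint even if it issued a certificate with
            # OU=Research in the subject.
            ca_id = "C=CH, O=Example, OU=Research, CN=Research CA"
            # The wildcard alternative mentioned above would instead be:
            #   id = "C=CH, O=Example, OU=Research, CN=*"
            # which relies on every trusted intermediate issuing only
            # legitimate OU values.
        }
        children {
            research-net {
                local_ts = 10.1.0.0/16
                remote_ts = dynamic
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
```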
Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG) based on AES-CTR and SHA2-HMAC modes. Currently used by the gmp and ntru plugins.
Random nonces sent in OCSP requests are now expected in the corresponding OCSP responses.
The kernel-netlink plugin now ignores deprecated IPv6 addresses for MOBIKE. Whether temporary or permanent IPv6 addresses are included now depends on the charon.prefer_temporary_addrs setting (#3192).
Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the kernel.
The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now cleared before sending requests, as many of the messages sent by the kernel are sent as broadcasts to all PF_KEY sockets. This is an issue if an external tool is used to manage SAs/policies unrelated to IPsec (#3225).
The vici plugin now uses unique section names for CHILD_SAs in child-updown events (7c74ce9190).
For individually deleted CHILD_SAs (in particular for IKEv1) the vici child-updown event now includes more information about the CHILD_SAs such as traffic statistics (#3198).
Custom loggers are correctly re-registered if log levels are changed via stroke loglevel (#3182).
Avoid lockups during startup on low entropy systems when using OpenSSL 1.1.1 (095a2c2eac).
Instead of failing later when setting a key, creating HMACs via the openssl plugin now fails instantly if the underlying hash algorithm isn't supported (e.g. MD5 in FIPS mode), so fallbacks to other plugins work properly (#3284).
Exponents of RSA keys read from TPM 2.0 via SAPI are correctly converted (8ee1242f1438).
Routing table IDs > 255 are supported for custom routes on Linux.
To avoid races, the check for hardware offloading support in the kernel-netlink plugin is now performed during initialization of the plugin (a605452c03).
The D-Bus config file for charon-nm is now installed in $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d, which is intended for sysadmin overrides.
INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same exchange type and with the same message ID as the request.
IKEv2 SAs are now immediately destroyed when sending or receiving INVALID_SYNTAX notifies in authenticated messages.
For developers working from the repository the configure script now aborts if GNU gperf is not found.