Changelog for 4.6.x

Version 4.6.4

  • Fixed a security vulnerability in the gmp plugin. If this plugin was used
    for RSA signature verification an empty or zeroed signature was handled as
    a legitimate one.
    Refer to our blog for details.
  • Fixed several issues with reauthentication and address updates.

Version 4.6.3

  • The tnc-pdp plugin implements a RADIUS server interface allowing
    a strongSwan TNC server to act as a Policy Decision Point.
  • The eap-radius authentication backend enforces Session-Timeout attributes
    using RFC4478 repeated authentication and acts upon RADIUS Dynamic
    Authorization extensions, RFC 5176. Currently supported are disconnect
    requests and CoA messages containing a Session-Timeout.
  • The eap-radius plugin can forward arbitrary RADIUS attributes from and to
    clients using custom IKEv2 notify payloads. The new radattr plugin reads
    attributes to include from files and prints received attributes to the
  • Added support for untruncated MD5 and SHA1 HMACs in ESP as used in
    RFC 4595.
  • The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms
    as defined in RFC 4494 and RFC 4615, respectively.
  • The resolve plugin automatically installs nameservers via resolvconf(8),
    if it is installed, instead of modifying /etc/resolv.conf directly.
  • The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110
    DNSKEY and PKCS#1 file format.
  • The farp plugin sends ARP responses for any tunneled address, not only virtual IPs.
  • Charon resolves hosts again during additional keying tries.
  • Fixed switching back to original address pair during MOBIKE.
  • When resending IKE_SA_INIT with a COOKIE charon reuses the previous DH value,
    as specified in RFC 5996. This has an effect on the lifecycle of diffie_hellman_t,
    see source:src/libcharon/sa/keymat.h#39 for details.
  • COOKIEs are now kept enabled a bit longer to avoid certain race conditions the commit
    message to 1b7debcc has some details.
  • The new stroke user-creds command allows to set username/password for a connection.
  • Added a workaround for null-terminated XAuth secrets (as sent by Android 4).

Version 4.6.2

  • Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
    which supports IF-TNCCS 2.0 long message types, the exclusive flags
    and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
    the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
  • The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
    start/stop messages containing Username, Framed-IP and Input/Output-Octets
    attributes and has been tested against FreeRADIUS and Microsoft NPS.

    Radius Accounting Example

  • Added support for PKCS#8 encoded private keys via the libstrongswan
    pkcs8 plugin. This is the default format used by some OpenSSL tools since
    version 1.0.0 (e.g. openssl req with -keyout).
  • Added session resumption support to the strongSwan TLS stack.
  • The maximum number of stroke messages concurrently handled by the charon
    daemon is now limited to avoid clogging the thread pool with potentially
    blocking jobs. How many messages are handled concurrently can be configured
    with the charon.plugins.stroke.max_concurrent option in strongswan.conf.
  • For Android builds the binaries to be installed on the final system have to be
    added to PRODUCT_PACKAGES in build/target/product/ Dependencies such as
    libraries are automatically installed. See the comments in the top-level
  • Debug output for low-level encoding/decoding (X.509, ASN.1 etc.) are now logged
    in a new ASN log group.
  • The native thread ID is logged in the LIB log group with log level 2 when a thread is created.

Version 4.6.1

  • Because of changing checksums before and after installation which caused
    the integrity tests to fail we avoided directly linking libsimaka, libtls and
    libtnccs to those libcharon plugins which make use of these dynamic libraries.
    Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu
    11.10 activated the --as-needed ld option which discards explicit links
    to dynamic libraries that are not actually used by the charon daemon itself,
    thus causing failures during the loading of the plugins which depend on these
    libraries for resolving external symbols.
  • Therefore our approach of computing integrity checksums for plugins had to be
    changed radically by moving the hash generation from the compilation to the
    post-installation phase.

Version 4.6.0

  • The new libstrongswan certexpire plugin collects expiration information of
    all used certificates and exports them to CSV files. It either directly
    exports them or uses cron style scheduling for batch exports.
  • starter passes unresolved hostnames to charon, allowing it to do name
    resolution not before the connection attempt. This is especially useful with
    connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey
    for the initial patch.
  • The android plugin can now be used without the Android frontend patch and
    provides DNS server registration and logging to logcat.
  • Pluto and starter (plus stroke and whack) have been ported to Android. With starter and
    stroke the IKEv2 daemon charon can now be configured via ipsec.conf on Android.
  • Support for ECDSA private and public key operations has been added to the
    pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can
    use tokens as random number generators (RNG). By default only private key
    operations are enabled, more advanced features have to be enabled by their
    option in strongswan.conf. This also applies to public key operations (even
    for keys not stored on the token) which were enabled by default before.
  • The libstrongswan plugin system now supports detailed plugin dependencies.
    Many plugins have been extended to export their capabilities and requirements.
    This allows the plugin loader to resolve plugin loading order automatically,
    and in future releases, to dynamically load the required features on demand.
    Existing third party plugins are source (but not binary) compatible if they
    properly initialize the new get_features() plugin function to NULL.
  • The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can deliver
    metadata about IKE_SAs via a SOAP interface to a MAP server. The tnc-ifmap
    plugin requires the Apache Axis2/C library.
  • Remote attestation effected by the TCG Platform Trust Service (PTS)
    can be transferred via the TNC IF-M 1.0 protocol (RFC 5792 PA-TNC)
    to a strongSwan TNC server. Currently remote file measurements are
    supported with full TPM support expected for the 4.6.1 release.
    For details consult the following link: