Changelog for 5.5.x » History » Version 2

Tobias Brunner, 13.07.2016 16:39

Changelog for 5.5.x

Version 5.5.1

  • The newhope plugin implements the post-quantum NewHope key exchange algorithm
    proposed by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and Peter Schwabe in
    their 2015 paper.
  • The libstrongswan crypto factory now offers the registration of Extended
    Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
    implemented by the sha3 plugin, ChaCha20 implemented by the chapoly plugin
    and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
    SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
  • By default, the "outbound" FWD policies, introduced with 5.5.0, are not installed anymore.
    They may be enabled via the policies_fwd_out setting in swanctl.conf/vici for a specific
    CHILD_SA if its traffic would otherwise get blocked by a drop policy.
    A bug regarding the updating of reqids in the kernel-netlink plugin, which was particularly
    a problem with duplicate "outbound" FWD policies, has also been fixed (175d78df60).
  • XFRM policy hashing thresholds may be configured via strongswan.conf. This can significantly
    improve the performance on hosts where the number of flows exceeds the flow cache size of the
    Linux kernel. Policies covering more than a single address don't get hash-indexed by default,
    which results in wasting most of the cycles in xfrm_policy_lookup_bytype() and the called
    xfrm_policy_match(). Since Linux 3.18 the kernel can hash the first n bits of a policy subnet to
    perform indexed lookups. With correctly chosen thresholds this can completely eliminate the
    performance impact of policy lookups.
    Note: Due to a bug in Linux 3.19 through 4.7, the kernel crashes with a NULL pointer dereference
    if a socket policy (used by strongSwan to exempt IKE traffic from IPsec tunnels) is installed while
    hash thresholds are changed. See ac9759a532 for details and a workaround.
  • The NetworkManager integration has been updated to support NM 1.2.
    The directory from which CA certificates are loaded if no certificate is configured in the GUI can
    now be configured via strongswan.conf using the new charon-nm.ca_dir setting.
  • IKE fragmentation is now enabled by default with the default fragment size set to 1280 bytes
    for both IP address families.
  • A DELETE is sent when a rekeyed IKEv1 SA is deleted. This fixes issues with peers that continue
    to send DPDs on the old SA and then delete all SAs if no response is received (see #2090).
    Also, when terminating IKEv1 SAs, DELETEs for all CHILD_SAs are now sent before sending one for
    the IKE_SA and destroying it.
  • The pki tool, with help of the pkcs1 or openssl plugins, can parse private keys in any of the
    supported formats without having to know the exact type. So instead of having to specify rsa or
    ecdsa explicitly the keyword priv may be used to indicate a private key of any type.
    Similarly, swanctl can load any type of private key from the swanctl/private directory.
  • The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
    sha3 and gmp plugins.
  • The VICI flush-certs command flushes certificates from the volatile certificate cache.
    Optionally the type of the certificates to be flushed (e.g. type = x509_crl) can be specified.
  • When setting charon.cache_crls = yes in strongswan.conf the vici plugin saves regular,
    base and delta CRLs to disk.
    Fetched CRLs are now also cached if the checked certificate has been revoked.
  • The serial number for delta CRLs generated by pki --signcrl is now based on
    the given base CRL again (was broken since 4.6.3).
  • Delta CRLs are now properly cached in-memory (and on disk) together with their base. Before this
    the presence of a delta CRL might have required that the base be refetched every time.
  • When verifying trust chains with pki --verify local CRLs may now be specified with the
    new --crl argument.
  • IKE and ESP/AH proposals configured as strings in ipsec.conf and swanctl.conf (or VICI) are now
    checked to avoid invalid proposals. For instance, the presence of DH, PRF and encryption algorithms
    in IKE proposals is now enforced, and AEAD and regular encryption algorithms are not allowed in
    the same proposal anymore. Also fixed is the mapping of the aes*gmac keywords to an integrity
    algorithm in AH proposals.
  • Unmarked packets may now be matched by setting 0/0xffffffff as XFRM mark (33d3ffde25).
  • The maximum registered log level is now determined correctly if loggers implementing only
    log or vlog are mixed (dac15e03c8).
  • In addition to the existing ike_keys and child_keys hooks on listener_t two new hooks
    allow listeners to receive the derived IKE and CHILD_SA keys (ike|child_derived_keys).
  • The check for libatomic has been improved (6e19a1f5f2).
  • The use of AES-GCM with BoringSSL has been fixed (c72c6e9225).
  • libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
  • The results of leak-detective are now evaluated in our testing environment, which
    led to the fixing of several memory leaks.
  • No key and self-signed certificate is generated by starter anymore if ipsec.secrets does not exist.
  • The long unmaintained Maemo plugin and frontend have been removed.
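
The proposal checks described in the 5.5.1 entry above (DH, PRF and encryption required for IKE, no AEAD mixed with regular encryption, aes*gmac treated as an integrity algorithm in AH), as an added example. This is not strongSwan's own parser; the keyword tables are a small, hypothetical subset of the real keyword set, and the handling of aes*gmac in ESP proposals is an assumption made for the example.

```python
"""Validator for strongSwan-style proposal strings (added example, not strongSwan code)."""

# Hypothetical keyword subset, constructed for this example.
ENCR = {"aes128", "aes192", "aes256", "3des", "null"}
AEAD = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
GMAC = {"aes128gmac", "aes256gmac"}   # integrity in AH; assumed AEAD-style in ESP
PRF = {"prfmd5", "prfsha1", "prfsha256", "prfsha384", "prfsha512"}
DH = {"modp1024", "modp2048", "modp3072", "ecp256", "ecp384", "curve25519"}


def classify(token, proto):
    """Map one keyword to an algorithm class; the class can depend on the protocol."""
    if token in ENCR:
        return "encr"
    if token in AEAD:
        return "aead"
    if token in INTEG:
        return "integ"
    if token in GMAC:
        # The changelog fix: aes*gmac keywords are integrity algorithms in AH proposals.
        return "integ" if proto == "ah" else "aead"
    if token in PRF:
        return "prf"
    if token in DH:
        return "dh"
    raise ValueError(f"unknown keyword {token!r}")


def validate_proposal(proto, proposal):
    """Return (True, "") for a well-formed proposal, else (False, reason).

    proto is one of "ike", "esp" or "ah"; proposal is a '-'-separated keyword string.
    """
    classes = {}
    for token in proposal.lower().split("-"):
        try:
            classes.setdefault(classify(token, proto), []).append(token)
        except ValueError as exc:
            return False, str(exc)

    has_encr, has_aead = "encr" in classes, "aead" in classes
    if has_encr and has_aead:
        return False, "AEAD and regular encryption algorithms in the same proposal"

    if proto == "ah":
        if has_encr or has_aead:
            return False, "AH proposals take integrity algorithms only"
        if "integ" not in classes:
            return False, "AH proposal needs an integrity algorithm"
        return True, ""

    if not (has_encr or has_aead):
        return False, f"{proto.upper()} proposal needs an encryption algorithm"

    if proto == "ike":
        # The PRF may be derived from the integrity algorithm; an AEAD-only IKE
        # proposal therefore has to name a prf* keyword explicitly.
        if "prf" not in classes and "integ" not in classes:
            return False, "IKE proposal needs a PRF (explicit prf* or derived from integrity)"
        if "dh" not in classes:
            return False, "IKE proposal needs a DH group"
    return True, ""


if __name__ == "__main__":
    for proto, prop in [("ike", "aes256-sha256-modp2048"),
                        ("ike", "aes128gcm16-ecp256"),
                        ("ike", "aes256-aes128gcm16-sha256-modp2048"),
                        ("ah", "aes128gmac")]:
        print(proto, prop, validate_proposal(proto, prop))
```

The validator only reports the first problem it finds, which is enough to reject a configuration early; a real implementation would also check that each keyword is supported by a loaded plugin.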

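Why the XFRM policy hashing thresholds mentioned in the 5.5.1 entry matter, shown with a simplified model added here (not kernel or strongSwan code). The model follows the entry's description: a policy is hashed on the first lbits/rbits of its local/remote subnet, a policy whose prefix is shorter than the threshold cannot be hashed and lands on a list that is scanned linearly for every lookup, and the default thresholds are assumed to be 32/32 (single addresses only), which is what "policies covering more than a single address don't get hash-indexed by default" describes. The policies and lookups are constructed sample data; IPv4 only.

```python
"""Toy SPD showing the effect of prefix-hash thresholds (added example, not kernel code)."""
import ipaddress


class PolicyDb:
    """Policies are either hashed on a prefix key or kept on an inexact list."""

    def __init__(self, lbits, rbits):
        self.lbits, self.rbits = lbits, rbits
        self.hashed = {}     # (local prefix key, remote prefix key) -> [policies]
        self.inexact = []    # policies wider than the thresholds: linear scan
        self.compares = 0    # policy match attempts over all lookups

    @staticmethod
    def _key(addr, bits):
        # First `bits` bits of a 32-bit IPv4 address.
        return int(addr) >> (32 - bits)

    def add(self, local, remote, action):
        local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        policy = (local, remote, action)
        if local.prefixlen >= self.lbits and remote.prefixlen >= self.rbits:
            key = (self._key(local.network_address, self.lbits),
                   self._key(remote.network_address, self.rbits))
            self.hashed.setdefault(key, []).append(policy)
        else:
            self.inexact.append(policy)

    def lookup(self, src, dst):
        """Return the action of the first matching policy, or None."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key = (self._key(src, self.lbits), self._key(dst, self.rbits))
        for local, remote, action in self.hashed.get(key, []) + self.inexact:
            self.compares += 1
            if src in local and dst in remote:
                return action
        return None


def simulate(lbits, rbits, n_policies=100, n_lookups=1000):
    """Install n_policies /24<->/24 tunnel policies and run n_lookups matching lookups.

    Returns (total policy comparisons, whether every lookup found its policy).
    """
    db = PolicyDb(lbits, rbits)
    for i in range(n_policies):
        # Constructed policies: 10.0.i.0/24 <-> 192.168.i.0/24
        db.add(f"10.0.{i}.0/24", f"192.168.{i}.0/24", f"tunnel-{i}")
    all_found = True
    for j in range(n_lookups):
        i = j % n_policies
        all_found &= db.lookup(f"10.0.{i}.5", f"192.168.{i}.7") == f"tunnel-{i}"
    return db.compares, all_found


if __name__ == "__main__":
    # Thresholds above the policies' prefix length (the assumed 32/32 default)
    # force a linear scan; 24/24 indexes every policy.
    for thresholds in [(32, 32), (28, 28), (24, 24)]:
        print(thresholds, simulate(*thresholds))
```

The numbers make the rule of thumb concrete: choose the thresholds no larger than the shortest prefix length among your policies, otherwise those policies fall back to the linear list and the hash buys nothing. To my knowledge the corresponding strongswan.conf settings live under charon.plugins.kernel-netlink.spdh_thresh (ipv4.lbits, ipv4.rbits and the ipv6 counterparts); check the strongswan.conf documentation of your version before relying on the exact names.
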
Version 5.5.0

  • The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.
    This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.
  • The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases
    and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies, as defined by RFC 7296,
    has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.
  • IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound
    policies may be restricted to a network interface. These options are only configurable via swanctl.conf.
    An example is provided in the swanctl/manual-prio scenario.
  • The scheme for the automatically calculated default priorities has been changed and now also
    considers port masks, which were added with 5.4.0 (for details see d3af3b799f).
  • FWD policies are now installed in both directions with regard to the traffic selectors (9c12635252).
    Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for
    example, in the swanctl/net2net-gw or the ikev2/ip-two-pools-db scenarios) they are installed
    with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the
    two and prefer those with a reqid.
  • How the interface for routes installed with policies is determined has changed (96b1fab53c). In most
    cases the interface over which the other peer is reached is now used, not the interface on which the local
    address (or the source IP) is installed. However, that might be the same interface depending on the
    configuration (i.e. in practice there will often not be a change).
  • No routes are installed anymore for drop policies and policies with port/protocol selector (e7369a9dc5).
  • For outbound IPsec SAs no replay window is configured anymore.
  • When using unique marks (mark=%unique) the allocated mark is now correctly passed to the
    updown script (b210369314).
  • DNS servers installed by the resolve plugin are now refcounted, which should fix its use with
    make-before-break reauthentication. Any output written to stderr/stdout by resolvconf is now logged.
  • Negotiation of ESN with IKEv1 is supported (40bb4677f7).
  • The default plugin load list may now be modified by specifying the individual load setting of a plugin.
  • Fixed how mappings are stored in the eap-simaka-pseudonym plugin (5005325020).
  • Support for BoringSSL and OpenSSL 1.1.0 has been added.
  • Notes for developers:
    • The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.
    • Similarly the constructors for peer_cfg_t and child_cfg_t now take structs.
    • We now use the standard unsigned integer types (e.g. uint64_t instead of u_int64_t).
    • The testing environment now uses images based on Debian jessie (stable).