Changelog for 5.8.x¶

Version 5.8.4¶

• In IKEv1 Quick Mode make sure that a proposal exists before determining lifetimes (fixes a crash
  due to a null-pointer dereference in 5.8.3, commit:cb26c5547c).

• OpenSSL currently doesn't support squeezing bytes out of a SHAKE128/256 XOF (support was added
  with 5.8.3) multiple times. Unfortunately, EVP_DigestFinalXOF() completely resets the context and
  later calls not simply fail, they cause a null-pointer dereference in libcrypto. commit:c5c1898d73 fixes the
  crash at the cost of repeating initializing the whole state and allocating too much data for subsequent
  calls (hopefully, once the OpenSSL issue 7894 is resolved we can implement this more efficiently).

• On 32-bit platforms, reading arbitrary 32-bit integers from config files (e.g. for charon.spi_min/max)
  has been fixed (commit:99bef7b686).

• charon-nm now allows using fixed source ports (commit:6c98164f60).

Version 5.8.3¶

• Updates for the NM plugin (and backend, which has to be updated to be compatible):
  • EAP-TLS authentication (#2097)
  • Certificate source (file, agent, smartcard) is selectable independently
  • Add support to configure local and remote identities (#2581)
  • Support configuring a custom server port (#625)
  • Show hint regarding password storage policy
  • Replaced the term "gateway" with "server"
  • Fixes build issues due to use of deprecated GLib macros/functions
  • Updated Glade file to GTK 3.2

• The NM backend now supports reauthentication and redirection (#852).

• Previously used reqids are now reallocated, which works around an issue on FreeBSD where the kernel
  doesn't allow the daemon to use reqids > 16383 (#2315).

• On Linux, throw type routes are installed in table 220 for passthrough policies. The kernel will then fall
  back on routes in routing tables with lower priorities for matching traffic. This way, they require less
  information (e.g. no interface or source IP) and can be installed earlier and are not affected by updates.

• For IKEv1, the lifetimes of the actually selected transform are returned to the initiator, which is an issue
  if the peer uses different lifetimes for different transforms (#3329). We now also return the correct
  transform and proposal IDs (proposal ID was always 0, transform ID 1).

• IKE_SAs are now not re-established anymore (e.g. after several retransmits) if a deletion has been
  queued (#3335).

• Added support for Ed448 keys and certificates via openssl plugin and pki tool.

• Added support for SHA-3 and SHAKE128/256 in the openssl plugin.

• The use of algorithm IDs from the private use range can now be enabled globally, to use them even if no
  strongSwan vendor ID was exchanged (commit:05e373aeb0).

• Fixed a compiler issue that may have caused invalid keyUsage extensions in certificates (#3249).

• A lot of spelling fixes courtesy of Josh Soref (https://github.com/jsoref/spelling).

• CI builds on LGTM and via Travis CI on new platforms (ARM64, IBM Power and IBM Z - the latter is big-endian).
  Fixed several reported issues.

Version 5.8.2¶

• Identity-based CA constraints, which enforce that the certificate chain of the remote peer contains a CA certificate
  with a specific identity, are supported via vici/swanctl.conf. This is similar to the existing CA constraints but
  doesn't require that the CA certificate is locally installed, for instance, intermediate CA certificates received from
  the peers. Wildcard identity matching (e.g. ..., OU=Research, CN=*) could also be used for the latter but requires
  trust in the intermediate CAs to only issue certificates with legitimate subject DNs (e.g. the "Sales" CA must not
  issue certificates with OU=Research). With the new constraint that's not necessary as long as a path length basic
  constraint (--pathlen for pki --issue) prevents intermediate CAs from issuing further intermediate CAs.

• Intermediate CA certificates may now be sent in hash-and-URL encoding by configuring a base URL for the
  parent CA (#3234, swanctl/rw-hash-and-url-multi-level).

• Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG) based on AES-CTR and SHA2-HMAC
  modes. Currently used by the gmp and ntru plugins.

• Random nonces sent in an OCSP requests are now expected in the corresponding OCSP responses.

• The kernel-netlink plugin now ignores deprecated IPv6 addresses for MOBIKE. Whether temporary or
  permanent IPv6 addresses are included now depends on the charon.prefer_temporary_addrs setting (#3192).

• Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the kernel.

• The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now cleared before sending requests, as many
  of the messages sent by the kernel are sent as broadcasts to all PF_KEY sockets. This is an issue if an external
  tool is used to manage SAs/policies unrelated to IPsec (#3225).

• The vici plugin now uses unique section names for CHILD_SAs in child-updown events (commit:7c74ce9190).

• For individually deleted CHILD_SAs (in particular for IKEv1) the vici child-updown event now includes more
  information about the CHILD_SAs such as traffic statistics (#3198).

• Custom loggers are correctly re-registered if log levels are changed via stroke loglevel (#3182).

• Avoid lockups during startup on low entropy systems when using OpenSSL 1.1.1 (commit:095a2c2eac).

• Instead of failing later when setting a key, creating HMACs via openssl plugin now fails instantly if the underlying
  hash algorithm isn't supported (e.g. MD5 in FIPS-mode) so fallbacks to other plugins work properly (#3284).

• Exponents of RSA keys read from TPM 2.0 via SAPI are correctly converted (commit:8ee1242f1438).

• Routing table IDs > 255 are supported for custom routes on Linux.

• To avoid races, the check for hardware offloading support in the kernel-netlink plugin is performed during
  initialization of the plugin (commit:a605452c03).

• The D-Bus config file for charon-nm is now installed in $(datadir)/dbus-1/system.d instead of
  $(sysconfdir)/dbus-1/system.d, which is intended for sysadmin overrides.

• INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same exchange type and with the same
  message ID as the request.

• IKEv2 SAs are now immediately destroyed when sending or receiving INVALID_SYNTAX notifies in authenticated
  messages.

• For developers working from the repository the configure script now aborts if GNU gperf is not found.

Version 5.8.1¶

• RDNs in DNs of X.509 certificates can now optionally be matched less strict. The global strongswan.conf option
  charon.rdn_matching takes two alternative values that cause the matching algorithm to either ignore the order of
  matched RDNs (reordered) or additionally (relaxed) accept DNs that contain more RDNs than configured (unmatched
  RDNs are treated like wildcard matches).

• The updown plugin now passes the same interface to the script that is also used for the automatically
  installed routes, that is, the interface over which the peer is reached instead of the interface on which the
  local address is found (#3095).

• TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple IKE_SAs use the same private
  key concurrently (commit:4b25885025).

• Do a rekey check after the third QM message was received (#3060).

• If available, explicit_bzero() is now used as memwipe() instead of our own implementation.

• An .editorconfig file has been added, mainly so Github shows files with proper indentation (commit:68346b6962).

• The internal certificate of the load-tester plugin has been modified so it can again be used as end-entity
  cert with 5.6.3 and later (#3139).

• The maximum data length of received COOKIE notifies (64 bytes) is now enforced (#3160).

Version 5.8.0¶

• The systemd service units have been renamed. The modern unit, which was called strongswan-swanctl,
  is now called strongswan (the previous name is configured as alias in the unit, for which a symlink is
  created when the unit is enabled). The legacy unit is now called strongswan-starter.

• Support for XFRM interfaces (available since Linux 4.19) has been added, which are intended to
  replace VTI devices (they are similar but offer several advantages, for instance, they are not bound
  to an address or address family).
  IPsec SAs and policies are associated with such interfaces via interface IDs that can be configured in
  swanctl.conf (dynamic IDs may optionally be allocated for each SA and even direction). It's possible to
  use separate interfaces for in- and outbound traffic (or only use an interface in one direction and regular
  policies in the other).
  Interfaces may be created dynamically via updown/vici scripts, or statically before or after establishing
  the SAs. Routes must be added manually as needed (the daemon will not install any routes for outbound
  policies with an interface ID).
  When moving XFRM interfaces to other network namespaces they retain access to the SAs and policies
  installed in the original namespace, which allows providing IPsec tunnels for processes in other network
  namespaces without giving them access to the IPsec keys or IKE credentials.
  More information can be found on the page about route-based VPNs.

• Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and supported by the responder,
  no CHILD_SA is established during IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA
  exchanges. This allows using a separate DH exchange even for the first CHILD_SA, which is otherwise
  created during IKE_AUTH with keys derived from the IKE_SA's key material.
  The swanctl --initiate command may be used to initiate only the IKE_SA via --ike option if --child is
  omitted and the peer supports this extension.

• The NetworkManager backend and plugin support IPv6.

• The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks to Sean Parkinson of
  wolfSSL Inc. for the initial patch.

• IKE SPIs may optionally be labeled via the charon.spi_mask|label options in strongswan.conf. This feature
  was extracted from charon-tkm, however, now applies the mask/label in network order.

• The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.

• The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not correctly implemented
  when sending either a CRETRY or SRETRY batch. These batches can only be sent in the "Decided" state
  and a CRETRY batch can immediately carry all messages usually transported by a CDATA batch. It is
  currently not possible to send a SRETRY batch since full-duplex mode for PT-TLS transport is not supported.

• Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink plugin now uses address labels to
  avoid that such addresses are used for non-VPN traffic (commit:00a953d090).

• The agent plugin now creates sockets to the ssh/gpg-agent dynamically and does not keep them open,
  which otherwise might prevent the agent from getting terminated.

• To avoid broadcast loops the forecast plugin now only reinjects packets that are marked or received from
  the configured interface.

• UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses an UTF-16LE
  encoding to calculate the NT hash (#3014).

• Properly delete temporary drop policies (used when updating IP addresses of SAs) if manual priorities are
  used, which was broken since 5.6.2 (commit:8e31d65730).

• Avoid overwriting start_action when parsing the inactivity timeout in the vici plugin (#2954).

• Fixed the automatic termination of reloaded vici connections with start_action=start, which was broken
  since 5.6.3 (commit:71b22c250f).

• The lookup for shared secrets for IKEv1 SAs via sql plugin should now work better (commit:6ec9f68f32).

• Fixed a race condition in the trap manager between installation and removal of a policy (commit:69cbe2ca3f).

• Compilation of the kernel-netlink plugin has been fixed on old kernels (< 2.6.39), which was caused
  by the HW offload changes (commit:c7f579fa17).

• The IPsec stack detection and module loading in starter has been removed (it wasn't enforced anyway
  and loading modules doesn't seem necessary, also KLIPS hasn't been supported for a long time and
  PF_KEY will eventually be removed from the Linux kernel, commit:ba817d2917).

• Several IKEv2 protocol details are now handled more strictly: Unrequested virtual IPs are ignored,
  CFG_REPLY payloads are ignored if no CFG_REQUEST payloads were sent, a USE_TRANSPORT_MODE notify
  received from the responder is checked against the local configuration.

• The keys and certificates used by the scenarios in the testing environment are now generated
  dynamically. Running the testing/scripts/build-certs script after creating the base and root images
  uses the pki utility installed in the latter to create the keys and certificates for all the CAs and in some
  cases for individual scenarios. These credentials are stored in the source tree, not the image, so this has
  to be called only once even if the images are later rebuilt. The script automatically (re-)rebuilds the guest
  images as that generates fresh CRLs and signs the DNS zones. The only keys/certificates currently not
  generated are the very large ones used by the ikev2/rw-eap-tls-fragments scenario.