• The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message. So instead of deriving the keys directly while processing an IKE_SA_INIT request (which could come from a spoofed address), it is delayed until the corresponding IKE_AUTH request is received. See below for required changes for Diffie-Hellman implementations.

• Inbound IKEv2 messages, in particular requests, are now processed differently. Instead of parsing all inbound messages right away (which might trigger a key derivation or require keys we don't have anymore in the multi-KE use case), we now first check a request's message ID and compare its hash to that of the previous request to decide if it's a valid retransmit. For fragmented messages we only keep track of the first fragment so we can send the corresponding response immediately if a retransmit of it is received, instead of waiting for all fragments and reconstructing the message, which we did before.

• The retransmission logic in the dhcp plugin has been fixed (#1154). As originally intended, four retransmits are now sent over a total of 15 seconds for each DHCP request. Previously, it could happen that some or all of the five messages were sent at basically the same time, without any delay to wait for a response.

• The connmark plugin now considers configured masks in installed firewall rules (#1087). For instance, with mark_in = mark_out = %unique/0x0000ffff, mark values in the upper two bytes would not get reset by the rules installed by the plugin and could be used for other purposes. However, note that in this example the daemon would have to get restarted after 65'535 CHILD_SAs (at the latest) to reset the global 32-bit counter for unique marks as that's unaware of any masks.

• Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).

• The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).

• The openssl plugin supports AES and Camellia in CTR mode (112bb465fb531cb164c6c2dec3c49a7fe9c853fa).

• The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted (RFC 8247 only mentions AES-XCBC and recommends it exclusively for IoT deployments).

• The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).

• The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).

• Support for GTK 4 was added to the NetworkManager plugin (#961), the necessary changes were released separately with version 1.6.0 of the plugin.

• For developers:

  • When building from the repository, the new --enable-warnings configure option is now automatically enabled. It adds -Wall -Wextra -Werror (and a bunch of -Wno-* flags for warnings that are difficult to avoid in our codebase) to the CFLAGS prepared by the script (CFLAGS passed to the script are added after the internal flags, so overriding these options is possible without having to disable --enable-warnings completely). This was mainly added to avoid passing -Werror to the configure script in our automated CI builds as that also affects the tests run by it.
  • The diffie_hellman_t interface was renamed to key_exchange_t with the following additional changes to the interface:
    • set_other_public_key() was renamed to set_public_key()
      • this method must not do any costly public key validation or the actual key derivation anymore, which must instead be implemented in get_shared_secret()
    • get_my_public_key() was renamed to get_public_key()
    • set_private_value() was renamed to set_private_key()
    • get_dh_group() was renamed to get_method()
  • The diffie_hellman_group_t enum was renamed to key_exchange_method_t, the corresponding enum_name_t instances were renamed similarly. MODP_NONE was renamed to KE_NONE.
  • The has_dh_group() and promote_dh_group() methods on proposal_t were renamed and generalized to has_transform() and promote_transform(), respectively, which allow checking if any transform/algorithm (not only a DH group) is contained in a proposal or move it to the front. Similarly, the get_dh_group() method on ike_cfg_t and child_cfg_t was changed to get_algorithm().
  • Two new callbacks for task_t enable tasks to do work after generating (post_build()) or processing (post_process()) a message.
    • The post_build() hook is used by the ike-auth task to collect a copy of the sent IKE_SA_INIT message after it was generated. This avoids having to pre-generate the message in the task, allowing later-running tasks and plugins (via message() listener hook) to modify it (e.g. add notifies) before it's eventually generated.
  • The TESTS_VERBOSITY_<group> environment variables allow configuring the log level for individual log groups when running the unit tests (they default to TESTS_VERBOSITY).

Refer to the 5.9.7 milestone for a list of all closed issues and pull requests.