5.9.7
版本发布时间: 2022-07-29 14:36:32
strongswan/strongswan最新发布版本:5.9.14(2024-03-19 21:34:10)
-
The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message. So instead of deriving the keys directly while processing an IKE_SA_INIT request (which could come from a spoofed address), it is delayed until the corresponding IKE_AUTH request is received. See below for required changes for Diffie-Hellman implementations.
-
Inbound IKEv2 messages, in particular requests, are now processed differently. Instead of parsing all inbound messages right away (which might trigger a key derivation or require keys we don't have anymore in the multi-KE use case), we now first check a request's message ID and compare its hash to that of the previous request to decide if it's a valid retransmit. For fragmented messages we only keep track of the first fragment so we can send the corresponding response immediately if a retransmit of it is received, instead of waiting for all fragments and reconstructing the message, which we did before.
-
The retransmission logic in the dhcp plugin has been fixed (#1154). As originally intended, four retransmits are now sent over a total of 15 seconds for each DHCP request. Previously, it could happen that some or all of the five messages were sent at basically the same time, without any delay to wait for a response.
-
The connmark plugin now considers configured masks in installed firewall rules (#1087). For instance, with
mark_in = mark_out = %unique/0x0000ffff
, mark values in the upper two bytes would not get reset by the rules installed by the plugin and could be used for other purposes. However, note that in this example the daemon would have to get restarted after 65'535 CHILD_SAs (at the latest) to reset the global 32-bit counter for unique marks as that's unaware of any masks. -
Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
-
The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
-
The openssl plugin supports AES and Camellia in CTR mode (112bb465fb531cb164c6c2dec3c49a7fe9c853fa).
-
The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted (RFC 8247 only mentions AES-XCBC and recommends it exclusively for IoT deployments).
-
The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
-
The
CALLBACK
macros (and some other issues) have been fixed when compiling with GCC 12 (#1053). -
Support for GTK 4 was added to the NetworkManager plugin (#961), the necessary changes were released separately with version 1.6.0 of the plugin.
-
For developers:
- When building from the repository, the new
--enable-warnings
configure option is now automatically enabled. It adds-Wall -Wextra -Werror
(and a bunch of-Wno-*
flags for warnings that are difficult to avoid in our codebase) to theCFLAGS
prepared by the script (CFLAGS
passed to the script are added after the internal flags, so overriding these options is possible without having to disable--enable-warnings
completely). This was mainly added to avoid passing-Werror
to the configure script in our automated CI builds as that also affects the tests run by it. - The
diffie_hellman_t
interface was renamed tokey_exchange_t
with the following additional changes to the interface:-
set_other_public_key()
was renamed toset_public_key()
- this method must not do any costly public key validation or the actual key derivation anymore, which must instead be implemented in
get_shared_secret()
- this method must not do any costly public key validation or the actual key derivation anymore, which must instead be implemented in
-
get_my_public_key()
was renamed toget_public_key()
-
set_private_value()
was renamed toset_private_key()
-
get_dh_group()
was renamed toget_method()
-
- The
diffie_hellman_group_t
enum was renamed tokey_exchange_method_t
, the correspondingenum_name_t
instances were renamed similarly.MODP_NONE
was renamed toKE_NONE
. - The
has_dh_group()
andpromote_dh_group()
methods onproposal_t
were renamed and generalized tohas_transform()
andpromote_transform()
, respectively, which allow checking if any transform/algorithm (not only a DH group) is contained in a proposal or move it to the front. Similarly, theget_dh_group()
method onike_cfg_t
andchild_cfg_t
was changed toget_algorithm()
. - Two new callbacks for
task_t
enable tasks to do work after generating (post_build()
) or processing (post_process()
) a message.- The
post_build()
hook is used by the ike-auth task to collect a copy of the sent IKE_SA_INIT message after it was generated. This avoids having to pre-generate the message in the task, allowing later-running tasks and plugins (viamessage()
listener hook) to modify it (e.g. add notifies) before it's eventually generated.
- The
- The
TESTS_VERBOSITY_<group>
environment variables allow configuring the log level for individual log groups when running the unit tests (they default toTESTS_VERBOSITY
).
- When building from the repository, the new
Refer to the 5.9.7 milestone for a list of all closed issues and pull requests.
1、 strongswan-5.9.7.tar.bz2 4.52MB
2、 strongswan-5.9.7.tar.bz2.sig 659B
3、 strongswan-5.9.7.tar.gz 7.37MB
4、 strongswan-5.9.7.tar.gz.sig 659B