author | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
commit | c1343b3278cdf99533b7902744d15969f9d6fdc1 (patch) | |
tree | d5ed3dc5677a59260ec41cd39bb284d3e94c91b3 /NEWS | |
parent | b34738ed08c2227300d554b139e2495ca5da97d6 (diff) | |
download | vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.tar.gz vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.zip |
Imported Upstream version 5.0.1
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 114 |
1 files changed, 114 insertions, 0 deletions
@@ -1,3 +1,117 @@ +strongswan-5.0.1 +---------------- + +- Introduced the sending of the standard IETF Assessment Result + PA-TNC attribute by all strongSwan Integrity Measurement Verifiers. + +- Extended PTS Attestation IMC/IMV pair to provide full evidence of + the Linux IMA measurement process. All pertinent file information + of a Linux OS can be collected and stored in an SQL database. + +- The PA-TNC and PB-TNC protocols can now process huge data payloads + >64 kB by distributing PA-TNC attributes over multiple PA-TNC messages + and these messages over several PB-TNC batches. As long as no + consolidated recommandation from all IMVs can be obtained, the TNC + server requests more client data by sending an empty SDATA batch. + +- The rightgroups2 ipsec.conf option can require group membership during + a second authentication round, for example during XAuth authentication + against a RADIUS server. + +- The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated + clients against any PAM service. The IKEv2 eap-gtc plugin does not use + PAM directly anymore, but can use any XAuth backend to verify credentials, + including xauth-pam. + +- The new unity plugin brings support for some parts of the IKEv1 Cisco Unity + Extension. As client, charon narrows traffic selectors to the received + Split-Include attributes and automatically installs IPsec bypass policies + for received Local-LAN attributes. As server, charon sends Split-Include + attributes for leftsubnet definitions containing multiple subnets to Unity- + aware clients. + +- An EAP-Nak payload is returned by clients if the gateway requests an EAP + method that the client does not support. Clients can also request a specific + EAP method by configuring that method with leftauth. + +- The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses + these to select a different EAP method supported/requested by the client. 
+ The plugin initially requests the first registered method or the first method + configured with charon.plugins.eap-dynamic.preferred. + +- The new left/rightdns options specify connection specific DNS servers to + request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns + can be any (comma separated) combination of %config4 and %config6 to request + multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server + IP addresses to return. + +- The left/rightsourceip options now accept multiple addresses or pools. + leftsourceip can be any (comma separated) combination of %config4, %config6 + or fixed IP addresses to request. rightsourceip accepts multiple explicitly + specified or referenced named pools. + +- Multiple connections can now share a single address pool when they use the + same definition in one of the rightsourceip pools. + +- The options charon.interfaces_ignore and charon.interfaces_use allow one to + configure the network interfaces used by the daemon. + +- The kernel-netlink plugin supports the charon.install_virtual_ip_on option, + which specifies the interface on which virtual IP addresses will be installed. + If it is not specified the current behavior of using the outbound interface + is preserved. + +- The kernel-netlink plugin tries to keep the current source address when + looking for valid routes to reach other hosts. + +- The autotools build has been migrated to use a config.h header. strongSwan + development headers will get installed during "make install" if + --with-dev-headers has been passed to ./configure. + +- All crypto primitives gained return values for most operations, allowing + crypto backends to fail, for example when using hardware accelerators. + +strongswan-5.0.0 +---------------- + +- The charon IKE daemon gained experimental support for the IKEv1 protocol. 
+ Pluto has been removed from the 5.x series, and unless strongSwan is + configured with --disable-ikev1 or --disable-ikev2, charon handles both + keying protocols. The feature-set of IKEv1 in charon is almost on par with + pluto, but currently does not support AH or bundled AH+ESP SAs. Beside + RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication + mode. Informations for interoperability and migration is available at + http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1. + +- Charon's bus_t has been refactored so that loggers and other listeners are + now handled separately. The single lock was previously cause for deadlocks + if extensive listeners, such as the one provided by the updown plugin, wanted + to acquire locks that were held by other threads which in turn tried to log + messages, and thus were waiting to acquire the same lock currently held by + the thread calling the listener. + The implemented changes also allow the use of a read/write-lock for the + loggers which increases performance if multiple loggers are registered. + Besides several interface changes this last bit also changes the semantics + for loggers as these may now be called by multiple threads at the same time. + +- Source routes are reinstalled if interfaces are reactivated or IP addresses + reappear. + +- The thread pool (processor_t) now has more control over the lifecycle of + a job (see job.h for details). In particular, it now controls the destruction + of jobs after execution and the cancellation of jobs during shutdown. Due to + these changes the requeueing feature, previously available to callback_job_t + only, is now available to all jobs (in addition to a new rescheduling + feature). + +- In addition to trustchain key strength definitions for different public key + systems, the rightauth option now takes a list of signature hash algorithms + considered save for trustchain validation. 
For example, the setting + rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512 requires a trustchain + that uses at least RSA-2048 or ECDSA-256 keys and certificate signatures + using SHA-256 or better. + + strongswan-4.6.4 ---------------- |
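Review bot: three spelling and grammar slips in the added NEWS text should be corrected rather than carried into the shipped release notes: "consolidated recommandation from all IMVs" in the PA-TNC/PB-TNC entry should read "recommendation", "Informations for interoperability and migration is available" in the IKEv1 entry should read "Information on interoperability and migration is available", and "signature hash algorithms considered save for trustchain validation" in the rightauth entry should read "safe". The last one sits in the entry an administrator will consult when restricting trustchain validation to SHA-256 or better (the rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512 example), so it is worth getting right. As this commit is a verbatim upstream import, the wording fix belongs upstream, with the packaging side carrying it as a patch or reporting it if needed.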