Releases: strongswan/strongswan
strongSwan 5.9.10
- Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. Please refer to our blog for details.
- Added support for full packet hardware offload for IPsec SAs and policies, which has been introduced with the Linux 6.2 kernel, to the kernel-netlink plugin (#1462). Bypass policies for the IKE ports are automatically offloaded to devices that support this type of offloading.
- TLS-based EAP methods use the key derivation specified in draft-ietf-emu-tls-eap-types (in the RFC Editor's publication queue at the time of this release, since published as RFC 9427) when used with TLS 1.3 (06abdf1).
- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication" (5401a74). Similarly, the eap-peap plugin correctly initiates Phase 2 with TLS 1.3 also if `phase2_piggyback` is disabled (default) (8aa13a1).
- Routes via XFRM interfaces can now optionally be installed automatically by enabling the `charon.plugins.kernel-netlink.install_routes_xfrmi` option. Such routes are only installed if an interface with the ID referenced in `if_id_out` exists when the corresponding CHILD_SA is installed. If the traffic selectors include the IKE traffic to the peer, special care is required (please refer to the docs for details).
- The NetworkManager backend `charon-nm` now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel (#1048).
- With the new `prefer` value for the `childless` setting, initiators will create a childless IKE_SA if the responder supports the extension (RFC 6023). As responder, it has the same effect as `allow`.
- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request (CSR).
- The `pki --issue` command adopts EKU flags that are either directly encoded in CSRs or derived from an encoded profile string (msCertificateTypeExtension). With the `--flag` option, these flags can either be overridden completely, or specific flags can be added and/or removed from the encoded set.
- When running on a Linux 6.2 kernel, the last use times of CHILD_SAs are determined by querying the IPsec SAs and not the policies (older kernels don't report the last use time per SA).
- For `libcurl` with MultiSSL support, the curl plugin provides an option to select a specific SSL/TLS backend.
- The `swanctl --monitor-sa` command exits with `ECONNRESET` if the daemon closes the VICI connection.
- For developers:
  - The default build of the Android app now relies on OpenSSL instead of the old BoringSSL version we previously used. A script to statically build `libcrypto` is provided in the repository (see the docs for details).
  - Existing enum name lists (e.g. for algorithm or notify payload identifiers) can now be extended from plugins (0de4204).
  - Implementations of `kernel_ipsec_t` that support reporting the last use time of an SA via `query_sa()` should announce this via the `KERNEL_SA_USE_TIME` kernel feature.
  - `libvici` provides a callback that's invoked if the connection is closed by the daemon, which may be useful when listening for events.
Refer to the 5.9.10 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.9
- Fixed an issue that could cause OCSP requests to contain an incorrect serial number if the openssl plugin parsed the certificate (#1415). Also see below for changes regarding the unified handling of serial numbers in code.
- The path/command for `resolvconf(8)` used by the resolve plugin is now configurable (dee1916).
- The resolve plugin does not invoke `resolvconf(8)` with individual interface names for each name server anymore. Instead, it uses a single, configurable interface/protocol name and provides all available name servers to `resolvconf(8)` every time a name server is added or removed (#1353).
- The `listen()` operation in the VICI Python bindings may now optionally time out, which can be useful when listening for events in a separate thread as that can otherwise not be canceled easily (#1416). Support for Python 2 has been dropped.
- The first reqid that's automatically assigned to a CHILD_SA is now configurable via `charon.reqid_base` in strongswan.conf. This allows reserving some low reqids for manual allocation.
- Default values for soft lifetimes of CHILD_SAs configured via swanctl.conf/VICI are now based on hard lifetimes if any are configured. Previously, it only worked the other way around (#1414).
- The kernel-netlink plugin now logs extended ACK error and warning messages provided by the Linux kernel if e.g. the installation of an SA or policy fails. This should give users a clearer indication of what might be wrong than the generic error messages for error codes like `EINVAL` or `ENOSYS` did previously.
- Several build conflicts with wolfSSL's OpenSSL compatibility layer have been resolved (#1332).
- For developers:
  - The `get_serial()` method of the `x509_t`, `crl_t`, and `ac_t` interfaces is now expected to return serial numbers in canonical form (i.e. without leading zeros). The existing plugins that implement or use these interfaces have been adapted accordingly, make sure to do the same with custom plugins/patches.
  - If linked against `libbfd` (`--enable-bfd-backtraces`), our own leak detective can whitelist functions that are otherwise not visible.
Refer to the 5.9.9 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.8
- Fixed a vulnerability related to online certificate revocation checking that was caused because the revocation plugin used potentially untrusted OCSP URIs and CRL distribution points in certificates. This allowed a remote attacker to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which could have led to a denial-of-service attack. This vulnerability has been registered as CVE-2022-40617. Please refer to our blog for details.
- The `pki --scep|--scepca` commands implement the HTTP-based "Simple Certificate Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated `scepclient` that has been removed.
- The `pki --est|--estca` commands implement the HTTPS-based "Enrollment over Secure Transport" (RFC 7030 EST) protocol.
- The `pki --req` command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key.
- The `ike_cfg_t` object is now always replaced together with the `peer_cfg_t` object that's set on an IKE_SA during authentication. This is more consistent and allows to properly take into account some settings that are also relevant during IKE_AUTH (e.g. `childless`) and it was actually already handled this way during rekeying/reestablishing of IKE_SAs and e.g. for the DSCP setting.
- The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests (now indirectly enabled if the `pki` tool is built due to the implementation of EST) can be completed successfully with just the default plugins.
- Our TLS client implementation now sends an empty certificate payload if a certificate request is received but no certificate is available. The encoding of TLS 1.3 certificate extensions for intermediate CA certificates has also been fixed.
- The socket plugins don't set the `SO_REUSEADDR` option anymore on the IKE UDP sockets, so an error is triggered if e.g. two daemons (e.g. `charon` and `charon-systemd`) are running concurrently using the same ports.
- The `charon.rsa_pss_trailerfield` setting generates an algorithmIdentifier for RSASSA-PSS signatures with explicit trailerField, which might be necessary for interoperability with implementations of RFC 7427 that haven't considered its errata.
- A potential use-after-free issue has been fixed when caching credential encodings (e.g. fingerprints) if multiple threads operate on the same key concurrently (#1231).
- A potential crash has been fixed caused by a race condition during shutdown between the main thread flushing the IKE_SA manager and worker threads still creating IKE_SAs (#1252).
- A potential crash in the vici plugin has been fixed that was caused when events were triggered with messages that failed to get created successfully (#1278).
- A file descriptor leak has been fixed in the Android client (#1160), plus some other issues related to targeting Android 12 (e.g. #1151 and 86b69f2).
- For developers:
  - For IKEv2, the `ike_updown()` "up" event and the state change to `IKE_ESTABLISHED` are now triggered after all IKE-related tasks are done. This ensures the IKE_SA is actually fully established, which now includes any assigned virtual IPs, additional MOBIKE peer addresses or a reauthentication time updated via `AUTH_LIFETIME` notify. This was an issue for the selinux plugin if virtual IPs were used.
  - In the `cert_validator_t` interface, the `online` flag has been removed from the `validate()` method, which is called during basic certificate chain validation. Online validation is now instead triggered via the new `validate_online()` method, which is called after a trusted certificate chain has been built.
  - `pen_t` is now used for EAP vendor IDs instead of `uint32_t`.
  - The `--enable-asan` configure option enables building with AddressSanitizer (ASan).
  - The `TESTS_ITERATIONS` environment variable allows running only specific iterations of loop-based test functions.
Refer to the 5.9.8 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.7
- The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message. So instead of deriving the keys directly while processing an IKE_SA_INIT request (which could come from a spoofed address), it is delayed until the corresponding IKE_AUTH request is received. See below for required changes for Diffie-Hellman implementations.
- Inbound IKEv2 messages, in particular requests, are now processed differently. Instead of parsing all inbound messages right away (which might trigger a key derivation or require keys we don't have anymore in the multi-KE use case), we now first check a request's message ID and compare its hash to that of the previous request to decide if it's a valid retransmit. For fragmented messages we only keep track of the first fragment so we can send the corresponding response immediately if a retransmit of it is received, instead of waiting for all fragments and reconstructing the message, which we did before.
- The retransmission logic in the dhcp plugin has been fixed (#1154). As originally intended, four retransmits are now sent over a total of 15 seconds for each DHCP request. Previously, it could happen that some or all of the five messages were sent at basically the same time, without any delay to wait for a response.
- The connmark plugin now considers configured masks in installed firewall rules (#1087). For instance, with `mark_in = mark_out = %unique/0x0000ffff`, mark values in the upper two bytes would not get reset by the rules installed by the plugin and could be used for other purposes. However, note that in this example the daemon would have to get restarted after 65'535 CHILD_SAs (at the latest) to reset the global 32-bit counter for unique marks as that's unaware of any masks.
- Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
- The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
- The openssl plugin supports AES and Camellia in CTR mode (112bb46).
- The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted (RFC 8247 only mentions AES-XCBC and recommends it exclusively for IoT deployments).
- The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
- The `CALLBACK` macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).
- Support for GTK 4 was added to the NetworkManager plugin (#961), the necessary changes were released separately with version 1.6.0 of the plugin.
- For developers:
  - When building from the repository, the new `--enable-warnings` configure option is now automatically enabled. It adds `-Wall -Wextra -Werror` (and a bunch of `-Wno-*` flags for warnings that are difficult to avoid in our codebase) to the `CFLAGS` prepared by the script (`CFLAGS` passed to the script are added after the internal flags, so overriding these options is possible without having to disable `--enable-warnings` completely). This was mainly added to avoid passing `-Werror` to the configure script in our automated CI builds as that also affects the tests run by it.
  - The `diffie_hellman_t` interface was renamed to `key_exchange_t` with the following additional changes to the interface:
    - `set_other_public_key()` was renamed to `set_public_key()`; this method must not do any costly public key validation or the actual key derivation anymore, which must instead be implemented in `get_shared_secret()`.
    - `get_my_public_key()` was renamed to `get_public_key()`.
    - `set_private_value()` was renamed to `set_private_key()`.
    - `get_dh_group()` was renamed to `get_method()`.
  - The `diffie_hellman_group_t` enum was renamed to `key_exchange_method_t`, the corresponding `enum_name_t` instances were renamed similarly. `MODP_NONE` was renamed to `KE_NONE`.
  - The `has_dh_group()` and `promote_dh_group()` methods on `proposal_t` were renamed and generalized to `has_transform()` and `promote_transform()`, respectively, which allow checking if any transform/algorithm (not only a DH group) is contained in a proposal or moving it to the front. Similarly, the `get_dh_group()` method on `ike_cfg_t` and `child_cfg_t` was changed to `get_algorithm()`.
  - Two new callbacks for `task_t` enable tasks to do work after generating (`post_build()`) or processing (`post_process()`) a message.
    - The `post_build()` hook is used by the ike-auth task to collect a copy of the sent IKE_SA_INIT message after it was generated. This avoids having to pre-generate the message in the task, allowing later-running tasks and plugins (via the `message()` listener hook) to modify it (e.g. add notifies) before it's eventually generated.
  - The `TESTS_VERBOSITY_<group>` environment variables allow configuring the log level for individual log groups when running the unit tests (they default to `TESTS_VERBOSITY`).
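The request handling described in the second item of this release (message ID and hash comparison before parsing, first-fragment tracking) as an added example; this is illustrative code, not charon's implementation. It keeps, per IKE_SA, the message ID and a SHA-256 of the raw bytes of the last accepted request, answers a matching retransmit from the cached response without parsing, and for a fragmented request remembers only the first fragment so that a retransmitted first fragment is answered right away. The `Request` type, the `ResponderWindow` class, the verdict strings and the sample requests are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    """A received IKEv2 request (constructed for this example)."""
    message_id: int
    payload: bytes                              # raw bytes as received, still unparsed
    fragment: Optional[Tuple[int, int]] = None  # (fragment number, total) if fragmented


class ResponderWindow:
    """Classify inbound requests by message ID and raw-message hash before any
    parsing or key derivation takes place (example, not charon's code)."""

    def __init__(self) -> None:
        self.expected_mid = 0                     # next message ID accepted as new
        self.last_mid: Optional[int] = None
        self.last_hash: Optional[bytes] = None    # hash of the last accepted request
        self.last_response: Optional[bytes] = None
        self.pending: Dict[int, bytes] = {}       # fragments of the request in progress
        self.pending_first_hash: Optional[bytes] = None

    @staticmethod
    def _digest(raw: bytes) -> bytes:
        return hashlib.sha256(raw).digest()

    def process(self, req: Request,
                handler: Callable[[int, bytes], bytes]) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, response). Only a 'new' request reaches the handler."""
        if req.message_id == self.last_mid:
            if req.fragment is not None and req.fragment[0] != 1:
                return "drop", None               # only the first fragment is tracked
            if self._digest(req.payload) == self.last_hash:
                return "retransmit", self.last_response   # resend, don't reprocess
            return "invalid", None                # same ID, different content
        if req.message_id != self.expected_mid:
            return "drop", None                   # outside the window
        if req.fragment is None:
            payload, first_hash = req.payload, self._digest(req.payload)
        else:
            number, total = req.fragment
            self.pending[number] = req.payload
            if number == 1:
                self.pending_first_hash = self._digest(req.payload)
            if any(i not in self.pending for i in range(1, total + 1)):
                return "fragment", None           # wait for the remaining fragments
            payload = b"".join(self.pending[i] for i in range(1, total + 1))
            first_hash = self.pending_first_hash
            self.pending, self.pending_first_hash = {}, None
        response = handler(req.message_id, payload)   # parse/decrypt/derive keys here
        self.last_mid, self.last_hash = req.message_id, first_hash
        self.last_response = response
        self.expected_mid += 1
        return "new", response


if __name__ == "__main__":
    window = ResponderWindow()
    echo = lambda mid, data: b"ok:" + data        # stand-in for the real request handler
    print(window.process(Request(0, b"IKE_SA_INIT"), echo))
    print(window.process(Request(0, b"IKE_SA_INIT"), echo))   # ('retransmit', b'ok:IKE_SA_INIT')
```

Because the hash covers the raw datagram, a retransmitted IKE_AUTH is recognized before any decryption, so keys that are not derived yet (or no longer available with multiple key exchanges) are never needed to answer it.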
Refer to the 5.9.7 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.6
- The main two steps of the IKEv2 key derivation (PRF/prf+) have been modularized. In particular, prf+ is now provided by a plugin. This makes certification (e.g. FIPS-140) easier as it allows implementing them via an already certified third-party library. For the most commonly used HMAC-based PRFs, the botan, openssl and wolfssl plugins implement the two steps via their respective implementations of RFC 5869's HKDF-Extract (`KDF_PRF`) and HKDF-Expand (`KDF_PRF_PLUS`). A default implementation, based on generic PRFs from other plugins, is provided by the new kdf plugin (may be disabled if one of the mentioned third-party plugins is loaded and none of the rarely used non-HMAC PRFs, AES-XCBC or AES-CMAC, are used).
- Support for labeled IPsec with IKEv2 (draft-ietf-ipsecme-labeled-ipsec) has been added. Two modes are currently supported:
  - SELinux: When building with `--enable-selinux`, support for SELinux labels is enabled and the selinux plugin is built. If SELinux is usable on the system, the negotiated labels are installed on IPsec SAs and policies. The configured label is expected to be a generic context (e.g. `system_u:object_r:ipsec_spd_t:s0`), which is installed on trap policies, either from the outset via `start_action=trap`, or dynamically by the selinux plugin after an IKE_SA has been established (e.g. in roadwarrior scenarios, in particular as responder). Once traffic hits such a policy and matches its context via `association:polmatch`, an acquire with the actual label is triggered by the kernel, for which a CHILD_SA is negotiated with the peer. A childless IKE_SA is created if the connection is not triggered by an acquire and no specific label is available. Labels received as responder are accepted if they match the configured label via `association:polmatch`.
  - Simple: This proprietary mode, which is the default if SELinux support is disabled or not available on the system, allows exchanging arbitrary labels to identify specific child configs on the peer. These labels are not configured on the IPsec SAs or policies but are simply used during CHILD_SA creation to aid config selection (an example can be seen in the ikev2/net2net-dscp scenario).
- Denial of Service (DoS) protection has been improved:
  - The secrets used for generating COOKIE payloads are now switched based on a time limit (2 minutes) and not the previous usage limit (10'000 generated cookies). This avoids switching secrets multiple times a second under a heavy attack, preventing legitimate clients from successfully sending requests with valid cookies (they are valid for 10 seconds, by default).
  - So far, sending and requiring COOKIE payloads was triggered only by the total number of half-open IKE_SAs. Because that global threshold is higher than the per-IP block threshold (5 half-open IKE_SAs are allowed per IP, by default), it was possible for an attacker to block a legitimate user by sending spoofed IKE_SA_INIT packets from that user's IP. To prevent this, a new per-IP threshold has been added to trigger cookies (3 half-open IKE_SAs, by default). The default value for the global threshold has also been increased slightly (from 10 to 30).
  - Unprocessed but queued initial messages (IKE_SA_INIT for IKEv2) are now already counted as half-open IKE_SAs. This makes the thresholds more accurate so it isn't possible anymore for attackers to create thousands of jobs for packets from spoofed IP addresses before the daemon is able to process enough of them to create half-open IKE_SAs that would trigger the thresholds.
- Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or `dpd_action=restart`). This does not prevent duplicates if they are initiated by the two peers concurrently.
- It's now possible to combine `trap` and `start` in `start_action` (i.e. `start_action=trap|start`) to immediately initiate an SA for which trap policies are also installed.
- Updates to reqids on policies are allowed again by the kernel-netlink plugin. The infamous error `unable to install policy ... for reqid ..., the same policy for reqid ... exists` is replaced by a simple warning should the reqid for a policy actually get updated.
- Compatibility with OpenSSL 3.0 has been improved (9aa7e12). Providers are not unloaded anymore to avoid issues with `atexit()` handlers (#921).
- The client identity (e.g. the IKE or EAP identity for EAP-TLS) is again enforced by libtls (#873).
- If the source address is unknown when initiating an IKEv2 SA, a NAT situation is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing asymmetric enabling of UDP-encapsulation (#861).
- Installing unnecessary exclude routes for VPN servers on FreeBSD is now avoided (#910).
- The default AEAD ESP proposal (sent since 5.9.0) now includes `noesn` to make it standards-compliant (#868).
- Missing alerts were added to the error-notify plugin (801bb85).
- The new `map_level` option for syslog loggers allows mapping log levels (0..4) to syslog levels starting at the specified number (by default, all messages are logged with `LOG_INFO`).
- The addrblock plugin allows limiting the validation depth of issuer addrblock extensions (e3d1766).
- Individual CHILD_SAs can be queried via the `list-sas()` vici command (or `swanctl --list-sas`), either by unique ID or name.
- For developers:
  - Plugins can provide the two IKEv2 key derivation steps (`KDF_PRF`/`KDF_PRF_PLUS`), see kdf.h for details.
  - `ike_sa_t::initiate()` now takes a struct with optional arguments (such as traffic selectors). The same is the case for similar data from acquires (changed the signatures for `acquire()` on the `kernel_listener_t` and `kernel_interface_t` interfaces).
  - The trap manager allows installing externally managed trap policies (see the selinux plugin for an example of how this could be used).
  - If dynamic traffic selectors are updated due to an address change, the reqid of a CHILD_SA now changes, in which case `kernel_ipsec_t::update_sa()` is called with `new_reqid` set in the `kernel_ipsec_update_sa_t` struct. If a kernel interface doesn't support this, `NOT_SUPPORTED` should be returned to trigger a rekeying.
  - The fourth argument for `ENUM_FLAGS` now indicates the name used when no flags are set (previously, `(unset)` was used for all flag enums). Flags can now also be parsed via `enum_flags_from_string()` (expects the flags separated by `|`).
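The two key derivation steps from the first item of this release, written out as an added example (my code, not the kdf plugin or any strongSwan plugin): for an HMAC PRF, prf+ from RFC 7296 section 2.13 and HKDF-Expand from RFC 5869 produce byte-identical output, and SKEYSEED = prf(Ni | Nr, g^ir) is exactly HKDF-Extract with the nonces as salt, which is what lets the botan, openssl and wolfssl plugins delegate both steps to a certified HKDF. The nonces, SPIs and shared secret are constructed values; the RFC 5869 appendix A test vector checks the HKDF side. The equivalence holds only for HMAC PRFs, which is why the non-HMAC PRFs (AES-XCBC, AES-CMAC) still need the kdf plugin.

```python
import hashlib
import hmac

HASH = hashlib.sha256   # PRF_HMAC_SHA2_256


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF step (KDF_PRF) for an HMAC-based PRF."""
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296, section 2.13 (KDF_PRF_PLUS):
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output = T1 | T2 | ..."""
    out, block, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        block = prf(key, block + seed + bytes([n]))
        out += block
        n += 1
    return out[:length]


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH().digest_size:
        raise ValueError("HKDF-Expand is limited to 255 blocks")
    out, block, n = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([n]), HASH).digest()
        out += block
        n += 1
    return out[:length]


def ikev2_keymat(shared_secret: bytes, ni: bytes, nr: bytes,
                 spi_i: bytes, spi_r: bytes, length: int) -> tuple:
    """SKEYSEED and the key stream of RFC 7296 section 2.14, computed with the
    IKEv2 functions and cross-checked against the HKDF equivalents."""
    # SKEYSEED = prf(Ni | Nr, g^ir)  ==  HKDF-Extract(salt = Ni | Nr, IKM = g^ir)
    skeyseed = prf(ni + nr, shared_secret)
    if skeyseed != hkdf_extract(ni + nr, shared_secret):
        raise RuntimeError("PRF step does not match HKDF-Extract")
    # {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
    #   = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    #   == HKDF-Expand(PRK = SKEYSEED, info = Ni | Nr | SPIi | SPIr, L)
    info = ni + nr + spi_i + spi_r
    keymat = prf_plus(skeyseed, info, length)
    if keymat != hkdf_expand(skeyseed, info, length):
        raise RuntimeError("prf+ step does not match HKDF-Expand")
    return skeyseed, keymat


def hkdf_rfc5869_a1_ok() -> bool:
    """Check the HKDF side against test case 1 of RFC 5869, appendix A."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    # constructed values; real nonces and SPIs come from the IKE_SA_INIT exchange
    sk, km = ikev2_keymat(b"\x42" * 32, b"\x01" * 32, b"\x02" * 32,
                          b"\x03" * 8, b"\x04" * 8, 7 * 32)
    print("RFC 5869 vector ok:", hkdf_rfc5869_a1_ok(), "SKEYSEED:", sk.hex()[:16] + "...")
```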
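A model of the DoS protection described in the third item of this release, as an added example (illustrative code, not charon's receiver): a half-open counter per source IP, cookies per RFC 7296 section 2.6 under a secret that is switched on a time limit rather than a usage count (the previous secret stays usable for a cookie grace period), a per-IP cookie threshold below the per-IP block threshold, and counting from the moment a request is queued. The `spoofed_flood_blocks_victim` scenario shows why the per-IP cookie threshold matters: with only the global threshold, a handful of spoofed IKE_SA_INIT packets from the victim's address reach the block threshold; with it, the spoofer never gets past the cookie step because it cannot receive the COOKIE notify. Thresholds use the defaults stated above; the class, its method names and the addresses are constructed for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple


class HalfOpenTracker:
    """Stateless-cookie gate in front of IKE_SA_INIT processing (example code)."""

    def __init__(self, cookie_threshold: int = 30, cookie_threshold_ip: Optional[int] = 3,
                 block_threshold: int = 5, secret_lifetime: float = 120.0,
                 cookie_lifetime: float = 10.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.cookie_threshold = cookie_threshold        # global half-open IKE_SAs
        self.cookie_threshold_ip = cookie_threshold_ip  # per IP; None = old behaviour
        self.block_threshold = block_threshold          # per IP
        self.secret_lifetime = secret_lifetime
        self.cookie_lifetime = cookie_lifetime
        self.clock = clock
        self.half_open: Dict[str, int] = {}
        # (version, secret, created); the previous secret is kept so cookies
        # handed out just before a switch still verify for cookie_lifetime
        self.secrets: List[Tuple[int, bytes, float]] = [(0, os.urandom(32), clock())]

    def _current_secret(self) -> Tuple[int, bytes, float]:
        version, secret, created = self.secrets[-1]
        if self.clock() - created >= self.secret_lifetime:
            version, secret, created = version + 1, os.urandom(32), self.clock()
            self.secrets = self.secrets[-1:] + [(version, secret, created)]
        return version, secret, created

    @staticmethod
    def _mac(secret: bytes, src_ip: str, spi_i: bytes, nonce: bytes) -> bytes:
        # RFC 7296 section 2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        return hmac.new(secret, nonce + src_ip.encode() + spi_i, hashlib.sha256).digest()[:16]

    def _make_cookie(self, src_ip: str, spi_i: bytes, nonce: bytes) -> bytes:
        version, secret, _ = self._current_secret()
        return bytes([version & 0xFF]) + self._mac(secret, src_ip, spi_i, nonce)

    def _verify_cookie(self, cookie: bytes, src_ip: str, spi_i: bytes, nonce: bytes) -> bool:
        self._current_secret()  # switch first if the secret's time is up
        now = self.clock()
        for version, secret, created in self.secrets:
            # usable while the secret is current, plus a grace period after the switch
            if now >= created + self.secret_lifetime + self.cookie_lifetime:
                continue
            expected = bytes([version & 0xFF]) + self._mac(secret, src_ip, spi_i, nonce)
            if hmac.compare_digest(expected, cookie):
                return True
        return False

    def handle_ike_sa_init(self, src_ip: str, spi_i: bytes, nonce: bytes,
                           cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Return ('blocked', None), ('cookie_required', cookie) or ('accepted', None)."""
        per_ip = self.half_open.get(src_ip, 0)
        if per_ip >= self.block_threshold:
            return "blocked", None
        need_cookie = sum(self.half_open.values()) >= self.cookie_threshold or (
            self.cookie_threshold_ip is not None and per_ip >= self.cookie_threshold_ip)
        if need_cookie and not (cookie and self._verify_cookie(cookie, src_ip, spi_i, nonce)):
            # no state is allocated: the peer first has to prove it receives at src_ip
            return "cookie_required", self._make_cookie(src_ip, spi_i, nonce)
        # counted as half-open as soon as the request is queued, not only once
        # a worker thread gets around to processing it
        self.half_open[src_ip] = per_ip + 1
        return "accepted", None

    def ike_sa_done(self, src_ip: str) -> None:
        """Established or timed out: no longer half-open."""
        left = self.half_open.get(src_ip, 0) - 1
        if left <= 0:
            self.half_open.pop(src_ip, None)
        else:
            self.half_open[src_ip] = left


def spoofed_flood_blocks_victim(cookie_threshold_ip: Optional[int]) -> bool:
    """Attacker spoofs the victim's address, then the victim connects.
    Returns True if the legitimate victim ends up blocked."""
    gate = HalfOpenTracker(cookie_threshold_ip=cookie_threshold_ip)
    victim = "198.51.100.7"  # constructed address
    for i in range(20):
        # the spoofer never sees the COOKIE notify, so it can't echo it back
        gate.handle_ike_sa_init(victim, i.to_bytes(8, "big"), b"\x11" * 32)
    spi, nonce = b"\xaa" * 8, os.urandom(32)
    state, cookie = gate.handle_ike_sa_init(victim, spi, nonce)
    if state == "cookie_required":  # the real client does receive it and retries
        state, _ = gate.handle_ike_sa_init(victim, spi, nonce, cookie=cookie)
    return state == "blocked"
```

With `cookie_threshold_ip=None` the scenario reproduces the old behaviour (the victim is blocked after five spoofed packets); with the default of 3 the spoofed packets stop at three half-open IKE_SAs and the victim gets through after echoing the cookie.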
Refer to the 5.9.6 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.5
- Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow bypassing the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079. Please refer to our blog for details.
- Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now establish a secure session via RSA OAEP public key encryption or an ephemeral ECDH key exchange, respectively. The session allows HMAC-based authenticated communication with the TPM 2.0 and the exchanged parameters can be encrypted with AES-CFB where necessary to guarantee confidentiality (e.g. when using the TPM 2.0 as RNG).
- Basic support for OpenSSL 3.0 has been added to the openssl plugin, in particular, the new load_legacy option (enabled by default) allows loading the "legacy" provider for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the existing fips_mode option allows explicitly loading the "fips" provider e.g. if it's not activated in OpenSSL's `fipsmodule.cnf`. All loaded providers are logged when the plugin is initialized.
- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and FreeBSD is now configurable and reduced to 1400 bytes, by default. This also fixes an issue on macOS 12 that prevented the detection of virtual IPs installed on such TUN devices (#707).
- When rekeying CHILD_SAs, the old outbound SA is now uninstalled earlier on the initiator/winner. Instead of delaying this until the delete for the old CHILD_SA has been exchanged, we do this shortly after the new SA has been installed. This is useful for IPsec implementations where the ordering of SAs is unpredictable and we can't set the SPI on the outbound policy to switch to the new SA while both are installed.
- The sw-collector utility may now iterate through APT history logs processed by logrotate.
- The openssl plugin now only announces the ECDH groups actually supported by OpenSSL (determined via `EC_get_builtin_curves()`).
- Added support for RSA encryption with OAEP padding with optional label via openssl and wolfssl plugins (the botan plugin supports OAEP padding, but only without labels, while gcrypt only supports OAEP padding with SHA-1 and without labels). See below for the interface change this required.
- Added support for AES-CFB via botan, gcrypt, openssl and wolfssl plugins.
- Failure handling in unit tests for libtls has been improved (#752).
- Fixed the application of configured identities to raw public keys via vici/swanctl (e430528).
- Fixed the detection of several vendor IDs (broken since 5.9.3).
- Unit tests for charon-tkm now run automatically on GitHub (to test locally, refer to `testing/tkm/Dockerfile`).
- For developers:
  - Custom EAP plugins that don't generate an MSK have to return `NOT_SUPPORTED` from `get_msk()`. Those that do have to make sure to return `FAILED` until the EAP method is complete and an MSK has been established, see the blog post about the vulnerability above for more information.
  - `public_key_t::encrypt()` and `private_key_t::decrypt()` gained a `void*` argument for algorithm specific parameters. First application is the optional label for RSA with OAEP padding.
  - A new metadata facility allows attaching arbitrary integer values to `packet_t`/`message_t`, which may be used to transport information from custom socket plugins to other plugins that later process IKE messages and back again.
Refer to the 5.9.5 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.4
- Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details.
- Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details.
- Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the `signatureAlgorithm` field of the outer X.509 `Certificate` structure.
- `AUTH_LIFETIME` notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
- Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
- Serial number generation in several `pki` sub-commands has been fixed so they don't start with an unintended zero byte (#631).
- Loading SSH public keys via vici has been improved (#467).
- Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data are properly wiped from memory.
- Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
- The `--enable-tpm` option now implies `--enable-tss-tss2` as the plugin doesn't do anything without a TSS 2.0.
- libtpmtss is initialized in all programs and libraries that use it.
- Migrated testing scripts to Python 3.
- The testing environment uses images based on Debian bullseye by default (support for jessie was removed).
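Both serial-number items on this page, the canonical form that `get_serial()` returns since 5.9.9 and the unintended leading zero byte in `pki`-generated serials fixed in this release, come down to the DER encoding of a positive INTEGER. The following is an added example (my code, not strongSwan's): generating a serial with no leading zero octet, encoding and parsing it as a minimal DER INTEGER, and comparing serials in canonical form so that `00 8F 01` and `8F 01` (the same number, once with the sign-padding octet DER requires and once without) are treated as equal. The function names and the sample serials are constructed for this example; the strict rejection of zero or negative serials in the parser is a choice made here, not something the page states.

```python
import os


def canonical_serial(serial: bytes) -> bytes:
    """Magnitude without leading zero octets, the form get_serial() now returns."""
    return serial.lstrip(b"\x00") or b"\x00"


def random_serial(nbytes: int = 16) -> bytes:
    """Random positive serial of exactly nbytes with no leading zero octet.
    RFC 5280 requires serials to be positive and at most 20 octets; keeping the
    top bit clear avoids the extra 0x00 DER would need for a set sign bit."""
    if not 1 <= nbytes <= 20:
        raise ValueError("serial must be 1..20 octets")
    serial = bytearray(os.urandom(nbytes))
    while serial[0] == 0 or serial[0] & 0x80:
        serial[0] = os.urandom(1)[0]        # redraw only the first octet
    return bytes(serial)


def der_integer(serial: bytes) -> bytes:
    """DER-encode a non-negative integer given as big-endian magnitude."""
    value = canonical_serial(serial)
    if value[0] & 0x80:
        value = b"\x00" + value             # keep the sign bit clear
    length = len(value)
    if length < 0x80:
        header = bytes([0x02, length])
    else:
        size = (length.bit_length() + 7) // 8
        header = bytes([0x02, 0x80 | size]) + length.to_bytes(size, "big")
    return header + value


def parse_der_integer(der: bytes):
    """Parse a DER INTEGER; return (canonical magnitude, remaining bytes).
    Rejects non-minimal encodings and negative or zero-length values."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not an INTEGER")
    length, offset = der[1], 2
    if length & 0x80:
        size = length & 0x7F
        if size == 0 or size > 4 or len(der) < 2 + size:
            raise ValueError("bad length encoding")
        length = int.from_bytes(der[2:2 + size], "big")
        offset = 2 + size
        if length < 0x80 or der[2] == 0:
            raise ValueError("non-minimal length encoding")
    content = der[offset:offset + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated INTEGER")
    if content[0] & 0x80:
        raise ValueError("negative serial number")
    if length > 1 and content[0] == 0 and not content[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding (leading zero octet)")
    return canonical_serial(content), der[offset + length:]


def serials_match(a: bytes, b: bytes) -> bool:
    """Compare serials regardless of how many leading zeros each carries."""
    return canonical_serial(a) == canonical_serial(b)


if __name__ == "__main__":
    serial = random_serial()
    encoded = der_integer(serial)
    print(serial.hex(), "->", encoded.hex(), "->", parse_der_integer(encoded)[0].hex())
    print(serials_match(b"\x00\x8f\x01", b"\x8f\x01"))   # True
```

Comparing the raw bytes instead of the canonical form is how two representations of one serial end up looking like different certificates, e.g. when a serial read from a certificate is matched against one parsed from an OCSP response or a CRL entry.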
Refer to the 5.9.4 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.3
- Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl plugin.
- Added AES-CCM support to the openssl plugin (#353).
- The x509 and the openssl plugins now consider the authorityKeyIdentifier, if available, before verifying signatures, which avoids unnecessary signature verifications after a CA key rollover if both CA certificates are loaded. The openssl plugin now does the same also for CRLs (the x509 plugin already did).
- The pkcs11 plugin better handles optional attributes like `CKA_TRUSTED`, which previously depended on a version check (6537be9).
- The NetworkManager backend (charon-nm) now supports using SANs as client identities, not only full DNs (#437).
- charon-tkm now handles IKE encryption.
- Send a MOBIKE update again if a change in the NAT mappings is detected but the endpoints stay the same (e143a7d).
- A deadlock in the HA plugin introduced with 5.9.2 has been fixed (#456).
- DSCP values are now also set for NAT keepalives.
- The `ike_derived_keys()` hook now receives more keys but in a different order (4e29d6f).
- Converted most of the test case scenarios to the vici interface.
Refer to the 5.9.3 milestone for a list of all closed issues and pull requests.