
Releases: strongswan/strongswan

strongSwan 5.9.10

02 Mar 13:00
  • Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. Please refer to our blog for details.

  • Added support for full packet hardware offload for IPsec SAs and policies, which has been introduced with the Linux 6.2 kernel, to the kernel-netlink plugin (#1462). Bypass policies for the IKE ports are automatically offloaded to devices that support this type of offloading.

  • TLS-based EAP methods use the key derivation specified in draft-ietf-emu-tls-eap-types (currently in the RFC Editor's publication queue) when used with TLS 1.3 (06abdf1).

  • The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication" (5401a74). Similarly, the eap-peap plugin correctly initiates Phase 2 with TLS 1.3 also if phase2_piggyback is disabled (default) (8aa13a1).

  • Routes via XFRM interfaces can now optionally be installed automatically by enabling the charon.plugins.kernel-netlink.install_routes_xfrmi option. Such routes are only installed if an interface with the ID referenced in if_id_out exists when the corresponding CHILD_SA is installed. If the traffic selectors include the IKE traffic to the peer, special care is required (please refer to the docs for details).

  • The NetworkManager backend charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel (#1048).

  • With the new prefer value for the childless setting, initiators will create a childless IKE_SA if the responder supports the extension (RFC 6023). As responder, it has the same effect as allow.

  • The pki --req command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request (CSR).

  • The pki --issue command adopts EKU flags that are either directly encoded in CSRs or derived from an encoded profile string (msCertificateTypeExtension). With the --flag option, these flags can either be overridden completely, or specific flags can be added and/or removed from the encoded set.

  • When running on a Linux 6.2 kernel, the last use times of CHILD_SAs are determined by querying the IPsec SAs and not the policies (older kernels don't report the last use time per SA).

  • For libcurl with MultiSSL support, the curl plugin provides an option to select a specific SSL/TLS backend.

  • The swanctl --monitor-sa command exits with ECONNRESET if the daemon closes the VICI connection.

  • For developers:

    • The default build of the Android app now relies on OpenSSL instead of the old BoringSSL version we previously used. A script to statically build libcrypto is provided in the repository (see the docs for details).
    • Existing enum name lists (e.g. for algorithm or notify payload identifiers) can now be extended from plugins (0de4204).
    • Implementations of kernel_ipsec_t that support reporting the last use time of an SA via query_sa(), should announce this via the KERNEL_SA_USE_TIME kernel feature.
    • libvici provides a callback that's invoked if the connection is closed by the daemon, which may be useful when listening for events.

Refer to the 5.9.10 milestone for a list of all closed issues and pull requests.

strongSwan 5.9.9

03 Jan 12:47
  • Fixed an issue that could cause OCSP requests to contain an incorrect serial number if the openssl plugin parsed the certificate (#1415). Also see below for changes regarding the unified handling of serial numbers in code.
  • The path/command for resolvconf(8) used by the resolve plugin is now configurable (dee1916).
  • The resolve plugin does not invoke resolvconf(8) with individual interface names for each name server anymore. Instead, it uses a single, configurable interface/protocol name and provides all available name servers to resolvconf(8) every time a name server is added or removed (#1353).
  • The listen() operation in the VICI Python bindings may now optionally time out, which can be useful when listening for events in a separate thread as that can otherwise not be canceled easily (#1416). Support for Python 2 has been dropped.
  • The first reqid that's automatically assigned to a CHILD_SA is now configurable via charon.reqid_base in strongswan.conf. This allows reserving some low reqids for manual allocation.
  • Default values for soft lifetimes of CHILD_SAs configured via swanctl.conf/VICI are now based on hard lifetimes if any are configured. Previously, it only worked the other way around (#1414).
  • The kernel-netlink plugin now logs extended ACK error and warning messages provided by the Linux kernel if e.g. the installation of an SA or policy fails. This should give users a clearer indication of what might be wrong than the generic error messages for error codes like EINVAL or ENOSYS did previously.
  • Several build conflicts with wolfSSL's OpenSSL compatibility layer have been resolved (#1332).
  • For developers:
    • The get_serial() method of the x509_t, crl_t, and ac_t interfaces is now expected to return serial numbers in canonical form (i.e. without leading zeros). The existing plugins that implement or use these interfaces have been adapted accordingly; make sure to do the same with custom plugins/patches.
    • If linked against libbfd (--enable-bfd-backtraces), our own leak detective can whitelist functions that are otherwise not visible.
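The canonical-form convention for get_serial() matters because DER pads an INTEGER whose top bit is set with an extra 0x00 byte, so two components that disagree on whether to strip that byte will compare the "same" serial as different (the OCSP mix-up fixed in this release is the kind of symptom that produces). The following Python is an added example, not strongSwan code; it shows the canonical form and the DER content encoding side by side, with a constructed scenario in which a raw byte comparison fails and a canonical one succeeds:

```python
"""Canonical vs. DER form of X.509 serial numbers (added example, not strongSwan code)."""


def canonical_serial(raw: bytes) -> bytes:
    """Canonical form: leading zero bytes removed, at least one byte kept.
    This is the convention the 5.9.9 notes describe for get_serial()."""
    stripped = raw.lstrip(b"\x00")
    return stripped if stripped else b"\x00"


def der_integer_content(serial: bytes) -> bytes:
    """Content octets of a DER INTEGER holding a non-negative serial: DER prepends a
    single 0x00 only when the first byte has its top bit set, so the value is not
    read as negative. This is the form a parser sees inside the certificate."""
    canon = canonical_serial(serial)
    return b"\x00" + canon if canon[0] & 0x80 else canon


def serials_match(a: bytes, b: bytes) -> bool:
    """Compare serials independent of how they were encoded or which parser produced them."""
    return canonical_serial(a) == canonical_serial(b)


def demo_ocsp_mismatch() -> dict:
    """Constructed scenario: one component hands back the DER bytes verbatim (pad included),
    another the canonical form. A raw comparison says 'different', the canonical one 'same'."""
    from_der_parser = der_integer_content(b"\x8f\x12\x34")  # b"\x00\x8f\x12\x34"
    from_canonical_parser = b"\x8f\x12\x34"
    return {
        "raw_equal": from_der_parser == from_canonical_parser,
        "canonical_equal": serials_match(from_der_parser, from_canonical_parser),
    }
```

Anything that keys a lookup or a request on a serial (OCSP requests, CRL entry matching, certificate caches) should normalise through canonical_serial() first; re-adding the pad byte is the encoder's job at the moment the DER structure is written.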

Refer to the 5.9.9 milestone for a list of all closed issues and pull requests.

strongSwan 5.9.8

03 Oct 15:24
  • Fixed a vulnerability related to online certificate revocation checking that was caused because the revocation plugin used potentially untrusted OCSP URIs and CRL distribution points in certificates. This allowed a remote attacker to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which could have led to a denial-of-service attack. This vulnerability has been registered as CVE-2022-40617. Please refer to our blog for details.

  • The pki --scep|--scepca commands implement the HTTP-based "Simple Certificate Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated scepclient that has been removed.

  • The pki --est|estca commands implement the HTTPS-based "Enrollment over Secure Transport" (RFC 7070 EST) protocol.

  • The pki --req command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key.

  • The ike_cfg_t object is now always replaced together with the peer_cfg_t object that's set on an IKE_SA during authentication. This is more consistent and allows properly taking into account some settings that are also relevant during IKE_AUTH (e.g. childless); it was actually already handled this way during rekeying/reestablishing of IKE_SAs and e.g. for the DSCP setting.

  • The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests (now indirectly enabled if the pki tool is built due to the implementation of EST) can be completed successfully with just the default plugins.

  • Our TLS client implementation now sends an empty certificate payload if a certificate request is received but no certificate is available. The encoding of TLS 1.3 certificate extensions for intermediate CA certificates has also been fixed.

  • The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP sockets, so an error is triggered if e.g. two daemons (e.g. charon and charon-systemd) are running concurrently using the same ports.

  • The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier for RSASSA-PSS signatures with explicit trailerField, which might be necessary for interoperability with implementations of RFC 7427 that haven't considered its errata.

  • A potential use-after-free issue has been fixed when caching credential encodings (e.g. fingerprints) if multiple threads operate on the same key concurrently (#1231).

  • A potential crash has been fixed caused by a race condition during shutdown between the main thread flushing the IKE_SA manager and worker threads still creating IKE_SAs (#1252).

  • A potential crash in the vici plugin has been fixed that was caused when events were triggered with messages that failed to get created successfully (#1278).

  • A file descriptor leak has been fixed in the Android client (#1160), plus some other issues related to targeting Android 12 (e.g. #1151 and 86b69f2).

  • For developers:

    • For IKEv2, the ike_updown() "up" event and the state change to IKE_ESTABLISHED are now triggered after all IKE-related tasks are done. This ensures the IKE_SA is actually fully established, which now includes any assigned virtual IPs, additional MOBIKE peer addresses or a reauthentication time updated via AUTH_LIFETIME notify. This was an issue for the selinux plugin if virtual IPs were used.
    • In the cert_validator_t interface, the online flag has been removed from the validate() method, which is called during basic certificate chain validation. Online validation is now instead triggered via the new validate_online() method, which is called after a trusted certificate chain has been built.
    • pen_t is now used for EAP vendor IDs instead of uint32_t.
    • The --enable-asan configure option enables building with AddressSanitizer (ASan).
    • The TESTS_ITERATIONS environment variable allows running only specific iterations of loop-based test functions.

Refer to the 5.9.8 milestone for a list of all closed issues and pull requests.

strongSwan 5.9.7

29 Jul 06:36
  • The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message. So instead of deriving the keys directly while processing an IKE_SA_INIT request (which could come from a spoofed address), it is delayed until the corresponding IKE_AUTH request is received. See below for required changes for Diffie-Hellman implementations.

  • Inbound IKEv2 messages, in particular requests, are now processed differently. Instead of parsing all inbound messages right away (which might trigger a key derivation or require keys we don't have anymore in the multi-KE use case), we now first check a request's message ID and compare its hash to that of the previous request to decide if it's a valid retransmit. For fragmented messages we only keep track of the first fragment so we can send the corresponding response immediately if a retransmit of it is received, instead of waiting for all fragments and reconstructing the message, which we did before.
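The retransmit check above is worth seeing as code, because its whole point is what it does not do: no parsing and no key derivation before a request is known to be new. The following Python model is an added example, not strongSwan code. It keeps the message ID, the hash of the previous request's first fragment and the previous response, answers a retransmitted first fragment immediately, and calls the expensive path (represented by a caller-supplied process() function) only for a complete, new request. SHA-256 as the hash and the assumption that the first fragment arrives first are this example's simplifications.

```python
"""Model of the responder-side retransmit check described above (added example, not
strongSwan code). A request is identified by its message ID and the hash of its first
fragment; it is parsed, and any keys derived, only once it is known to be new."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    message_id: int
    data: bytes
    frag_num: int = 1     # 1 for an unfragmented message or the first fragment
    frag_total: int = 1


@dataclass
class ResponderState:
    expected_mid: int = 0                          # next request message ID we accept
    last_hash: Optional[bytes] = None              # hash of the previous request's first fragment
    last_response: Optional[bytes] = None          # response to that request, kept for retransmits
    fragments: dict = field(default_factory=dict)  # fragments of the request being assembled


def classify(state: ResponderState, req: Request) -> str:
    """Cheap check done before any parsing: 'new', 'retransmit' or 'ignore'."""
    if req.message_id == state.expected_mid:
        return "new"
    if (req.message_id == state.expected_mid - 1 and req.frag_num == 1
            and state.last_hash == hashlib.sha256(req.data).digest()):
        return "retransmit"
    # Wrong message ID, a non-first fragment of the previous request, or an
    # altered copy of it: none of these deserve any further work.
    return "ignore"


def handle_request(state: ResponderState, req: Request,
                   process: Callable[[bytes], bytes]) -> tuple:
    """Returns (verdict, response). process() stands for the expensive path (parsing,
    key derivation) and is only reached for a complete, new request."""
    verdict = classify(state, req)
    if verdict == "retransmit":
        # The first fragment alone is enough to answer; no need to collect the rest.
        return verdict, state.last_response
    if verdict == "ignore":
        return verdict, None
    if req.frag_num == 1:
        # Only the first fragment is remembered for retransmit detection.
        state.last_hash = hashlib.sha256(req.data).digest()
        state.fragments = {}
    state.fragments[req.frag_num] = req.data
    if len(state.fragments) < req.frag_total:
        return "fragment", None
    message = b"".join(state.fragments[i] for i in range(1, req.frag_total + 1))
    state.last_response = process(message)
    state.expected_mid += 1
    state.fragments = {}
    return verdict, state.last_response
```

The property to check when reviewing logic like this is that process() runs exactly once per message ID, no matter how many copies, fragments or altered variants of a request arrive; the test below exercises exactly that.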

  • The retransmission logic in the dhcp plugin has been fixed (#1154). As originally intended, four retransmits are now sent over a total of 15 seconds for each DHCP request. Previously, it could happen that some or all of the five messages were sent at basically the same time, without any delay to wait for a response.

  • The connmark plugin now considers configured masks in installed firewall rules (#1087). For instance, with mark_in = mark_out = %unique/0x0000ffff, mark values in the upper two bytes would not get reset by the rules installed by the plugin and could be used for other purposes. However, note that in this example the daemon would have to get restarted after 65'535 CHILD_SAs (at the latest) to reset the global 32-bit counter for unique marks as that's unaware of any masks.

  • Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).

  • The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).

  • The openssl plugin supports AES and Camellia in CTR mode (112bb46).

  • The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted (RFC 8247 only mentions AES-XCBC and recommends it exclusively for IoT deployments).

  • The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).

  • The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).

  • Support for GTK 4 was added to the NetworkManager plugin (#961); the necessary changes were released separately with version 1.6.0 of the plugin.

  • For developers:

    • When building from the repository, the new --enable-warnings configure option is now automatically enabled. It adds -Wall -Wextra -Werror (and a bunch of -Wno-* flags for warnings that are difficult to avoid in our codebase) to the CFLAGS prepared by the script (CFLAGS passed to the script are added after the internal flags, so overriding these options is possible without having to disable --enable-warnings completely). This was mainly added to avoid passing -Werror to the configure script in our automated CI builds as that also affects the tests run by it.
    • The diffie_hellman_t interface was renamed to key_exchange_t with the following additional changes to the interface:
      • set_other_public_key() was renamed to set_public_key()
        • this method must not do any costly public key validation or the actual key derivation anymore, which must instead be implemented in get_shared_secret()
      • get_my_public_key() was renamed to get_public_key()
      • set_private_value() was renamed to set_private_key()
      • get_dh_group() was renamed to get_method()
    • The diffie_hellman_group_t enum was renamed to key_exchange_method_t, the corresponding enum_name_t instances were renamed similarly. MODP_NONE was renamed to KE_NONE.
    • The has_dh_group() and promote_dh_group() methods on proposal_t were renamed and generalized to has_transform() and promote_transform(), respectively, which allow checking if any transform/algorithm (not only a DH group) is contained in a proposal or move it to the front. Similarly, the get_dh_group() method on ike_cfg_t and child_cfg_t was changed to get_algorithm().
    • Two new callbacks for task_t enable tasks to do work after generating (post_build()) or processing (post_process()) a message.
      • The post_build() hook is used by the ike-auth task to collect a copy of the sent IKE_SA_INIT message after it was generated. This avoids having to pre-generate the message in the task, allowing later-running tasks and plugins (via message() listener hook) to modify it (e.g. add notifies) before it's eventually generated.
    • The TESTS_VERBOSITY_<group> environment variables allow configuring the log level for individual log groups when running the unit tests (they default to TESTS_VERBOSITY).

Refer to the 5.9.7 milestone for a list of all closed issues and pull requests.

strongSwan 5.9.6

29 Apr 05:56
  • The main two steps of the IKEv2 key derivation (PRF/prf+) have been modularized. In particular, prf+ is now provided by a plugin. This makes certification (e.g. FIPS-140) easier as it allows implementing them via an already certified third-party library.

    For the most commonly used HMAC-based PRFs, the botan, openssl and wolfssl plugins implement the two steps via their respective implementations of RFC 5869's HKDF-Extract (KDF_PRF) and HKDF-Expand (KDF_PRF_PLUS). A default implementation, based on generic PRFs from other plugins, is provided by the new kdf plugin (may be disabled if one of the mentioned third-party plugins is loaded and none of the rarely used non-HMAC PRFs, AES-XCBC or AES-CMAC, are used).

  • Support for labeled IPsec with IKEv2 (draft-ietf-ipsecme-labeled-ipsec) has been added. Two modes are currently supported:

    • SELinux: When building with --enable-selinux, support for SELinux labels is enabled and the selinux plugin is built. If SELinux is usable on the system, the negotiated labels are installed on IPsec SAs and policies. The configured label is expected to be a generic context (e.g. system_u:object_r:ipsec_spd_t:s0), which is installed on trap policies, either from the outset via start_action=trap, or dynamically by the selinux plugin after an IKE_SA has been established (e.g. in roadwarrior scenarios, in particular as responder). Once traffic hits such a policy and matches its context via association:polmatch, an acquire with the actual label is triggered by the kernel, for which a CHILD_SA is negotiated with the peer. A childless IKE_SA is created if the connection is not triggered by an acquire and no specific label is available. Labels received as responder are accepted if they match the configured label via association:polmatch.
    • Simple: This proprietary mode, which is the default if SELinux support is disabled or not available on the system, allows exchanging arbitrary labels to identify specific child configs on the peer. These labels are not configured on the IPsec SAs or policies but are simply used during CHILD_SA creation to aid config selection (an example can be seen in the ikev2/net2net-dscp scenario).
  • Denial of Service (DoS) protection has been improved:

    • The secrets used for generating COOKIE payloads are now switched based on a time limit (2 minutes) and not the previous usage limit (10'000 generated cookies). This avoids switching secrets multiple times a second under a heavy attack, preventing legitimate clients from successfully sending requests with valid cookies (they are valid for 10 seconds, by default).
    • So far, sending and requiring COOKIE payloads was triggered only by the total number of half-open IKE_SAs. Because that global threshold is higher than the per-IP block threshold (5 half-open IKE_SAs are allowed per IP, by default), it was possible for an attacker to block a legitimate user by sending spoofed IKE_SA_INIT packets from that user's IP. To prevent this, a new per-IP threshold has been added to trigger cookies (3 half-open IKE_SAs, by default). The default value for the global threshold has also been increased slightly (from 10 to 30).
    • Unprocessed but queued initial messages (IKE_SA_INIT for IKEv2) are now already counted as half-open IKE_SAs. This makes the thresholds more accurate so it isn't possible anymore for attackers to create thousands of jobs for packets from spoofed IP addresses before the daemon is able to process enough of them to create half-open IKE_SAs that would trigger the thresholds.
  • Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or dpd_action=restart). This does not prevent duplicates if they are initiated by the two peers concurrently.
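The three DoS changes above interact, and the easiest way to see why each one matters is to model the responder's bookkeeping. The following Python is an added example, not strongSwan code: it counts half-open IKE_SAs per address and globally (queued initial requests included), rotates the cookie secret on a time limit rather than a usage count while keeping the previous secret for verification, and applies the defaults named in the notes (3 half-open per IP and 30 globally to require cookies, 5 per IP to block, 10 s cookie validity, 2 min secret lifetime). The cookie format (issue time plus an HMAC over address, SPI and time) and the injectable clock are this example's own choices; the addresses in the test are documentation ranges, constructed for illustration.

```python
"""Simplified model of the IKEv2 half-open SA accounting and COOKIE handling described
for 5.9.6 (added example, not strongSwan code). Thresholds are the defaults from the
notes; the cookie format and the bookkeeping are this example's own simplifications."""
import hashlib
import hmac
import os
import struct
import time


class HalfOpenTracker:
    def __init__(self, cookie_threshold=30, cookie_threshold_ip=3, block_threshold_ip=5,
                 secret_lifetime=120, cookie_lifetime=10, clock=time.monotonic):
        self.cookie_threshold = cookie_threshold        # global half-open count that requires cookies
        self.cookie_threshold_ip = cookie_threshold_ip  # per-IP count that requires cookies
        self.block_threshold_ip = block_threshold_ip    # per-IP count at which requests are dropped
        self.secret_lifetime = secret_lifetime
        self.cookie_lifetime = cookie_lifetime
        self.clock = clock
        self.half_open = {}   # ip -> half-open IKE_SAs, queued initial requests included
        self.secrets = []     # [(created_at, secret)], newest first; previous kept for verification

    def total_half_open(self):
        return sum(self.half_open.values())

    def _secret(self):
        """Rotate the cookie secret on a time limit, never on a usage count, so a flood
        cannot force rotations faster than legitimate clients can answer a cookie."""
        now = self.clock()
        if not self.secrets or now - self.secrets[0][0] >= self.secret_lifetime:
            self.secrets.insert(0, (now, os.urandom(32)))
            del self.secrets[2:]  # current + previous suffice for any unexpired cookie
        return self.secrets[0][1]

    def _mac(self, secret, ip, spi_i, issued):
        msg = ip.encode() + spi_i + struct.pack(">I", issued)
        return hmac.new(secret, msg, hashlib.sha256).digest()[:16]

    def make_cookie(self, ip, spi_i):
        issued = int(self.clock())
        return struct.pack(">I", issued) + self._mac(self._secret(), ip, spi_i, issued)

    def cookie_valid(self, ip, spi_i, cookie):
        if len(cookie) != 20:
            return False
        issued = struct.unpack(">I", cookie[:4])[0]
        if not 0 <= self.clock() - issued <= self.cookie_lifetime:
            return False
        self._secret()  # bring rotation state up to date before checking both secrets
        return any(hmac.compare_digest(self._mac(s, ip, spi_i, issued), cookie[4:])
                   for _, s in self.secrets)

    def cookies_required(self, ip):
        return (self.total_half_open() >= self.cookie_threshold
                or self.half_open.get(ip, 0) >= self.cookie_threshold_ip)

    def on_init_request(self, ip, spi_i, cookie=None):
        """Decide what to do with an IKE_SA_INIT request before any work is spent on it:
        'blocked', 'cookie_required' (answer with a cookie only) or 'accepted'."""
        if self.half_open.get(ip, 0) >= self.block_threshold_ip:
            return "blocked"
        if self.cookies_required(ip) and not (cookie and self.cookie_valid(ip, spi_i, cookie)):
            return "cookie_required"
        self.half_open[ip] = self.half_open.get(ip, 0) + 1  # counted as soon as it is queued
        return "accepted"

    def on_half_open_done(self, ip):
        """Call when a half-open IKE_SA is established, deleted or times out."""
        if self.half_open.get(ip, 0) > 0:
            self.half_open[ip] -= 1
```

Because the per-IP cookie threshold (3) is below the per-IP block threshold (5), spoofed IKE_SA_INIT packets from a victim's address can no longer push that address into the blocked state: from the fourth half-open SA on, every request needs a cookie that only the real owner of the address can obtain.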

  • It's now possible to combine trap and start in start_action (i.e. start_action=trap|start) to immediately initiate an SA for which trap policies are also installed.

  • Updates to reqids on policies are allowed again by the kernel-netlink plugin. The infamous error unable to install policy ... for reqid ..., the same policy for reqid ... exists is replaced by a simple warning should the reqid for a policy actually get updated.

  • Compatibility with OpenSSL 3.0 has been improved (9aa7e12). Providers are not unloaded anymore to avoid issues with atexit() handlers (#921).

  • The client identity (e.g. the IKE or EAP identity for EAP-TLS) is again enforced by libtls (#873).

  • If the source address is unknown when initiating an IKEv2 SA, a NAT situation is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing asymmetric enabling of UDP-encapsulation (#861).

  • Installing unnecessary exclude routes for VPN servers on FreeBSD is now avoided (#910).

  • The default AEAD ESP proposal (sent since 5.9.0) now includes noesn to make it standards-compliant (#868).

  • Missing alerts were added to the error-notify plugin (801bb85).

  • The new map_level option for syslog loggers allows mapping log levels (0..4) to syslog levels starting at the specified number (by default, all messages are logged with LOG_INFO).

  • The addrblock plugin allows limiting the validation depth of issuer addrblock extensions (e3d1766).

  • Individual CHILD_SAs can be queried via the list-sas() vici command (or swanctl --list-sas), either by unique ID or name.

  • For developers:

    • Plugins can provide the two IKEv2 key derivation steps (KDF_PRF/KDF_PRF_PLUS), see kdf.h for details.
    • ike_sa_t::initiate() now takes a struct with optional arguments (such as traffic selectors). The same is the case for similar data from acquires (changed the signatures for acquire() on the kernel_listener_t and kernel_interface_t interfaces).
    • The trap manager allows installing externally managed trap policies (see the selinux plugin for an example of how this could be used).
    • If dynamic traffic selectors are updated due to an address change, the reqid of a CHILD_SA now changes, in which case kernel_ipsec_t::update_sa() is called with new_reqid set in the kernel_ipsec_update_sa_t struct. If a kernel interface doesn't support this, NOT_SUPPORTED should be returned to trigger a rekeying.
    • The fourth argument for ENUM_FLAGS now indicates the name used when no flags are set (previously, (unset) was used for all flag enums). Flags can now also be parsed via enum_flags_from_string() (expects the flags separated by |).
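The mapping of the two key derivation steps onto RFC 5869 (KDF_PRF as HKDF-Extract, KDF_PRF_PLUS as HKDF-Expand, described at the top of these notes and in the kdf.h item above) is exact for HMAC-based PRFs, which is what lets a certified HKDF implementation stand in for the IKEv2 derivation. The following Python is an added example, not strongSwan's kdf plugin: it writes out prf+ from RFC 7296 literally, implements HKDF from RFC 5869, and shows that SKEYSEED and the SK_* keys come out identical either way. Nonces, SPIs and the shared secret in the test are constructed values; the HKDF test vector is RFC 5869's first one.

```python
"""IKEv2 key derivation as RFC 5869 HKDF (added example, not strongSwan's kdf plugin).
For an HMAC-based PRF the two steps named in the notes map directly:
KDF_PRF = HKDF-Extract and KDF_PRF_PLUS = HKDF-Expand."""
import hashlib
import hmac


def prf(key: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """An HMAC-based IKEv2 PRF such as PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hash_name).digest()


def prf_plus(key: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """prf+ from RFC 7296 section 2.13, written out literally:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output = T1 | T2 | ... truncated."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:  # the one-byte counter caps prf+ at 255 blocks
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([n]), hash_name)
        out += t
        n += 1
    return out[:length]


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM). With salt = Ni | Nr and
    IKM = g^ir this is exactly SKEYSEED = prf(Ni | Nr, g^ir)."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), the same
    recurrence as prf+, with the same 255-block limit."""
    digest_len = hashlib.new(hash_name).digest_size
    if length > 255 * digest_len:
        raise ValueError("HKDF-Expand cannot produce more than 255 blocks")
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        out += t
        i += 1
    return out[:length]


def ikev2_keys(shared_secret, ni, nr, spi_i, spi_r, key_lengths, hash_name="sha256"):
    """SKEYSEED = prf(Ni | Nr, g^ir) and
    {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr),
    each key cut to the length the negotiated algorithms need (RFC 7296 section 2.14)."""
    skeyseed = hkdf_extract(ni + nr, shared_secret, hash_name)
    keymat = hkdf_expand(skeyseed, ni + nr + spi_i + spi_r, sum(key_lengths), hash_name)
    keys, offset = [], 0
    for n in key_lengths:
        keys.append(keymat[offset:offset + n])
        offset += n
    return skeyseed, keys
```

The equivalence only holds for HMAC PRFs; AES-XCBC and AES-CMAC PRFs are not HMAC constructions, which is why the notes keep a generic prf+ implementation in the kdf plugin for those.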

Refer to the 5.9.6 milestone for a list of all closed issues and pull requests.

strongSwan 5.9.5

24 Jan 13:04
  • Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow bypassing the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079. Please refer to our blog for details.
  • Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now establish a secure session via RSA OAEP public key encryption or an ephemeral ECDH key exchange, respectively. The session allows HMAC-based authenticated communication with the TPM 2.0 and the exchanged parameters can be encrypted with AES-CFB where necessary to guarantee confidentiality (e.g. when using the TPM 2.0 as RNG).
  • Basic support for OpenSSL 3.0 has been added to the openssl plugin, in particular, the new load_legacy option (enabled by default) allows loading the "legacy" provider for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the existing fips_mode option allows explicitly loading the "fips" provider e.g. if it's not activated in OpenSSL's fipsmodule.cnf. All loaded providers are logged when the plugin is initialized.
  • The MTU of TUN devices created by the kernel-pfroute plugin on macOS and FreeBSD is now configurable and reduced to 1400 bytes, by default. This also fixes an issue on macOS 12 that prevented the detection of virtual IPs installed on such TUN devices (#707).
  • When rekeying CHILD_SAs, the old outbound SA is now uninstalled earlier on the initiator/winner. Instead of delaying this until the delete for the old CHILD_SA has been exchanged, we do this shortly after the new SA has been installed. This is useful for IPsec implementations where the ordering of SAs is unpredictable and we can't set the SPI on the outbound policy to switch to the new SA while both are installed.
  • The sw-collector utility may now iterate through APT history logs processed by logrotate.
  • The openssl plugin now only announces the ECDH groups actually supported by OpenSSL (determined via EC_get_builtin_curves()).
  • Added support for RSA encryption with OAEP padding with optional label via openssl and wolfssl plugins (the botan plugin supports OAEP padding, but only without labels, while the gcrypt plugin only supports OAEP padding with SHA-1 and without labels). See below for the interface change this required.
  • Added support for AES-CFB via botan, gcrypt, openssl and wolfssl plugins.
  • Failure handling in unit tests for libtls has been improved (#752).
  • Fixed the application of configured identities to raw public keys via vici/swanctl (e430528).
  • Fixed the detection of several vendor IDs (broken since 5.9.3).
  • Unit tests for charon-tkm now run automatically on GitHub (to test locally, refer to testing/tkm/Dockerfile).
  • For developers:
    • Custom EAP plugins that don't generate an MSK have to return NOT_SUPPORTED from get_msk(). Those that do have to make sure to return FAILED until the EAP method is complete and an MSK has been established, see the blog post about the vulnerability above for more information.
    • The public_key_t::encrypt() and private_key_t::decrypt() gained a void* argument for algorithm specific parameters. First application is the optional label for RSA with OAEP padding.
    • A new metadata facility allows attaching arbitrary integer values to packet_t/message_t, which may be used to transport information from custom socket plugins to other plugins that later process IKE messages and back again.

Refer to the 5.9.5 milestone for a list of all closed issues and pull requests.

strongSwan 5.9.4

18 Oct 12:01
  • Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details.
  • Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details.
  • Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
  • AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
  • Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
  • Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
  • Loading SSH public keys via vici has been improved (#467).
  • Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data are properly wiped from memory.
  • A longer dummy key is now used to initialize HMAC instances in the openssl plugin in case it's used in FIPS mode (#557).
  • The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
  • libtpmtss is initialized in all programs and libraries that use it.
  • Migrated testing scripts to Python 3.
  • The testing environment uses images based on Debian bullseye by default (support for jessie was removed).

Refer to the 5.9.4 milestone for a list of all closed issues and pull requests.

strongSwan 5.9.3

06 Jul 12:53
  • Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl plugin.
  • Added AES-CCM support to the openssl plugin (#353).
  • The x509 and the openssl plugins now consider the authorityKeyIdentifier, if available, before verifying signatures, which avoids unnecessary signature verifications after a CA key rollover if both CA certificates are loaded. The openssl plugin now does the same also for CRLs (the x509 plugin already did).
  • The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which previously depended on a version check (6537be9).
  • The NetworkManager backend (charon-nm) now supports using SANs as client identities, not only full DNs (#437).
  • charon-tkm now handles IKE encryption.
  • Send a MOBIKE update again if a change in the NAT mappings is detected but the endpoints stay the same (e143a7d).
  • A deadlock in the HA plugin introduced with 5.9.2 has been fixed (#456).
  • DSCP values are now also set for NAT keepalives.
  • The ike_derived_keys() hook now receives more keys but in a different order (4e29d6f).
  • Converted most of the test case scenarios to the vici interface.

Refer to the 5.9.3 milestone for a list of all closed issues and pull requests.