Releases: strongswan/strongswan
strongSwan 5.9.14
New Feature Additions
- Support for the IKEv2 OCSP extensions (RFC 4806) has been added, which allows peers to request and send OCSP responses together with their certificate chain directly in IKEv2 (#2016). The OCSP responses for local certificates are currently retrieved via the revocation plugin, either from the cache or fetched from an OCSP server (see the developer notes for details). The feature can be controlled via the `<conn>.ocsp` setting in swanctl.conf. By default, OCSP responses are sent if the peer requests any and a response can be retrieved. If sending requests is enabled, the implementation generally sends an empty OCSP certificate request payload. Only if self-signed OCSP signer certificates are found locally will their public key's hash be added to the payload. Such certificates must either have the `OCSPSigning` extended key usage flag set, or be placed in the `x509ocsp` directory so that they are flagged when loaded.
The Android app now supports managed configurations via enterprise mobility management (EMM) systems (#2005). Besides configuring global settings and VPN profiles (with settings similar to those supported in profile files, including certificates), this also provides management options for disabling certain features of the app (e.g. to prevent users from creating and/or importing custom profiles or to only display managed profiles).
- Added support for PSS padding for smartcard-based RSA signatures to the pkcs11 plugin, using either on-chip or external data hashing.
- Added keyid and certid handles to the `pki --ocsp` command so that keys and/or certificates can be stored on a smartcard or in a TPM 2.0 device (note that this may add quite a delay to generating OCSP responses).
Enhancements and Optimizations
- Validation of X.509 name constraints has been refactored to align with RFC 5280 (#2114). This fixes several limitations of the previous implementation. Name constraints are now correctly propagated from the root of the certificate chain so that intermediate CA certificates don't have to explicitly inherit the name constraints of their parents anymore. The latter previously prevented adding constraints in an intermediate CA certificate that's followed by another that doesn't contain any name constraints. This is perfectly fine as the set of constraints specified by the parent continues to apply to that intermediate CA certificate and the children it issues.
  Identities also don't have to match all name constraints of the same type anymore, which previously prevented encoding multiple constraints of the same type: e.g. with permitted name constraints for `example.org` and `example.com`, no acceptable certificates could be issued as any SAN with one domain would get rejected by the other constraint. In compliance with the RFC, matching a single constraint is now enough. Also resolved is an issue with name constraints for IP addresses (added with 5.9.12), which were previously only supported for a single level.
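The chain-wide matching semantics described above (constraints propagate from the root, a CA without the extension inherits the state, and a name only has to match one permitted subtree of a type per CA), as an added illustration that is not strongSwan code. The `NameConstraints`/`check_chain` names and the CIDR-string representation of iPAddress subtrees are simplifications assumed for the example; it also covers the multi-level IP constraints mentioned in the last sentence.

```python
"""RFC 5280 style name constraint evaluation across a certificate chain.
Constructed illustration, not strongSwan code: dNSName and iPAddress subtrees
only, with iPAddress subtrees written as CIDR strings instead of address+mask."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NameConstraints:
    """Subset of the nameConstraints extension of one CA certificate."""
    permitted_dns: list[str] = field(default_factory=list)
    excluded_dns: list[str] = field(default_factory=list)
    permitted_ip: list[str] = field(default_factory=list)   # CIDR notation
    excluded_ip: list[str] = field(default_factory=list)    # CIDR notation


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: the name equals the subtree or is formed by
    prepending whole labels ('vpn.example.org' is in 'example.org',
    'badexample.org' is not)."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def ip_in_subtree(addr: str, subtree: str) -> bool:
    """iPAddress subtrees are an address plus mask; a CIDR string stands in for
    that encoding here. Different address families never match."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(subtree, strict=False)
    return ip.version == net.version and ip in net


def check_chain(chain: list[Optional[NameConstraints]],
                dns_names=(), ip_addrs=()) -> tuple[bool, str]:
    """chain: nameConstraints of the CA certificates ordered from the root CA to
    the CA that issued the end-entity certificate; None means the CA carries no
    nameConstraints extension, so the inherited state applies unchanged.
    dns_names/ip_addrs: subjectAltName values of the end-entity certificate.
    Returns (accepted, reason)."""
    # One list per CA that specified permitted subtrees of a type. The effective
    # permitted set is the intersection of those lists, which a name satisfies
    # by matching at least ONE subtree from EACH list (not all subtrees).
    # Excluded subtrees are simply unioned along the chain.
    permitted_dns_sets, permitted_ip_sets = [], []
    excluded_dns, excluded_ip = [], []
    for nc in chain:
        if nc is None:
            continue                      # state carries over to this CA's children
        if nc.permitted_dns:
            permitted_dns_sets.append(nc.permitted_dns)
        if nc.permitted_ip:
            permitted_ip_sets.append(nc.permitted_ip)
        excluded_dns.extend(nc.excluded_dns)
        excluded_ip.extend(nc.excluded_ip)

    for name in dns_names:
        for subtrees in permitted_dns_sets:
            if not any(dns_in_subtree(name, s) for s in subtrees):
                return False, f"dNSName {name} not within permitted {subtrees}"
        for s in excluded_dns:
            if dns_in_subtree(name, s):
                return False, f"dNSName {name} within excluded {s}"
    for addr in ip_addrs:
        for subtrees in permitted_ip_sets:
            if not any(ip_in_subtree(addr, s) for s in subtrees):
                return False, f"iPAddress {addr} not within permitted {subtrees}"
        for s in excluded_ip:
            if ip_in_subtree(addr, s):
                return False, f"iPAddress {addr} within excluded {s}"
    return True, "all subjectAltNames satisfy the chain's name constraints"


if __name__ == "__main__":
    # Constructed chain: root permits two domains and 10.0.0.0/8, the next CA has
    # no extension at all, the issuing CA narrows only the IP range.
    root = NameConstraints(permitted_dns=["example.org", "example.com"],
                           permitted_ip=["10.0.0.0/8"])
    issuing = NameConstraints(permitted_ip=["10.1.0.0/16"])
    print(check_chain([root, None, issuing], ["vpn.example.com"], ["10.1.2.3"]))
    print(check_chain([root, None, issuing], ["vpn.example.com"], ["10.2.0.1"]))
```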
- The dhcp plugin has been ported to FreeBSD/macOS (#2047). The code for BPF handling has been refactored and is now shared between the dhcp and farp plugins.
- The openssl plugin is now compatible with AWS-LC, a crypto library based on code from BoringSSL and OpenSSL (#1907).
- The identity enforced by the configuration was added to the message logged when identities don't match (#2088).
Fixes
- Overflows of unique identifiers (e.g. Netlink sequence numbers or reqids) are now handled gracefully when the daemon is running for a very long time without restart (#2062).
- Fail the installation of SAs on Linux if replay protection is disabled while extended sequence numbers (ESN) are enabled (#2117). This combination is currently not supported by the Linux kernel and strongSwan previously just installed the SA without ESN, causing the other end to drop packets if it was an implementation that didn't do this.
For Developers
- The optional `ocsp()` method of the `cert_validator_t` interface is used to retrieve an OCSP response for a local X.509 certificate when responding to an OCSP certificate request. It's currently only implemented by the revocation plugin, which uses the same code that's used when verifying remote certificates via OCSP.
- Our leak detective now implements and wraps `malloc_usable_size()`, which is used by systemd and the libraries it provides (e.g. nss-systemd) (#2045).
- The `build.gradle` file for the Android app now declares the NDK version and uses the default NDK invocation instead of the custom tasks that were used before (1cab544).
- With the addition of support for managed configurations, several internals of the Android app have changed:
  - All VPN profiles now require a UUID as it's the only identifier used to access them.
  - When using Intents to start/stop profiles, the new name for the string extra that passes the ID is `org.strongswan.android.VPN_PROFILE_UUID` (the old one is still supported as fallback, though).
  - Profiles may be marked as read-only internally, which adds a label in the profile list and prevents users from deleting/editing/copying them (only the password may be changed in the GUI).
  - Profiles may come from different data sources (currently the database and managed configurations).
  - To access the app's database, a new class (`DatabaseHelper`) has been added, which is accessed via an instance on the Application sub-class.
Refer to the 5.9.14 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.13
Enhancements and Optimizations
- Added the `charon.ocsp_nonce_len` setting that allows specifying the length of nonce values in OCSP requests. Since 5.9.12, the default length is set to 32 bytes, as required by RFC 8954 for newer clients. However, there might be older OCSP servers that don't support that, in which case reducing the length to e.g. 16, which was the previous default, might be necessary (f3af170).
- OCSP error responses are now dropped immediately instead of trying to verify a non-existent signature (b3e66ac, e7a58f4).
- `pki --ocsp --respond` replies with an internal error OCSP response if no signer certificate is found (e.g. if the request is sent to the wrong server) instead of failing silently (945be4e).
Fixes
- Fixed a regression with handling OCSP error responses that was introduced with 5.9.12 (#2011, 585c400, 9c4846c).
- Added missing environment variables for the `cert-install-ssl` cert-enroll script (da45cf9).
Refer to the 5.9.13 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.12
Vulnerabilities
- Fixed a vulnerability in `charon-tkm` (the TKM-backed version of the charon IKE daemon) related to processing DH public values that can lead to a buffer overflow and potentially remote code execution. This vulnerability has been registered as CVE-2023-41913. Please refer to our blog for details.
New Feature Additions
- The new `pki --ocsp` command produces OCSP responses based on certificate status information provided by implementations of the new `ocsp_responder_t` interface (#1958). Two sources are currently available, the openxpki plugin that directly accesses the OpenXPKI database and the command's `--index` argument, which reads certificate status information from OpenSSL-style `index.txt` files (multiple CAs are supported concurrently).
- The new cert-enroll script handles the initial enrollment of an X.509 host certificate with a PKI server via the EST or SCEP protocols. Run as a systemd timer or via a crontab entry, the script checks the expiration date of the host certificate daily. When a given deadline is reached, the host certificate is automatically renewed via EST or SCEP re-enrollment based on the possession of the old private key and the matching certificate.
- Added a global option (`charon.reject_trusted_end_entity`) to prevent peers from authenticating with certificates that are locally trusted, in particular, our own local certificate, which safeguards against accidental reuse of certificates on multiple peers. As the name suggests, all trusted end-entity certificates are rejected if enabled, so peer certificates can't be configured explicitly anymore (e.g. via `remote.certs` in swanctl.conf).
- The `--priv` argument for `charon-cmd` allows the use of any type of private key (previously, only RSA keys were supported).
- The openssl plugin now supports the `nameConstraints` extension in X.509 certificates (#1990).
- `nameConstraints` of type `iPAddress` are now supported by the x509, openssl and constraints plugins (#1991).
- Support for encoding `subjectAlternativeName` extensions of type `uniformResourceIdentifier` in X.509 certificates has been added via the `uri:` prefix (e.g. for URNs, #1983).
- Support for password-less PKCS#12 and PKCS#8 files has been added (#1955).
Enhancements and Optimizations
- Because of a relatively recent NIAP requirement (TD0527, Test 8b), loading of certificates with ECDSA keys that explicitly encode the curve parameters is rejected if possible. Explicit encoding is pretty rare to begin with and e.g. wolfSSL already rejects such keys by default. All crypto plugins that support ECDSA enforce this by rejecting such public keys, except when using older versions of OpenSSL (< 1.1.1h) or Botan (< 3.2.0) (#1949).
- Make the NetworkManager plugin (`charon-nm`) actually use the XFRM interface it creates since 5.9.10. This involves setting interface IDs on SAs and policies, and installing routes via the interface. To avoid routing loops if the remote traffic selectors include the VPN server, IKE and ESP packets are marked to bypass the routing table that contains the routes via the XFRM interface (69e0c11). If available, the plugin now also adopts the interface name configured in `connection.interface-name` in a `*.nmconnection` file as name for the XFRM interface instead of generating one randomly (e8f8d32).
- The resolve plugin tries to maintain the order of DNS servers it installs via `resolvconf` or `resolv.conf` (6440975, 8238ad4).
- The kernel-libipsec plugin now always installs routes to remote networks even if no address is found in the local traffic selectors, which allows forwarding traffic from networks the VPN host is not part of (190d8cb).
- Increased the default receive buffer size for Netlink sockets to 8 MiB (doubled by the kernel to account for overhead) and simplified the configuration (no need for a separate option to force overriding `rmem_max`). It's now also set for event sockets, which previously could cause issues on hosts with e.g. lots of route changes (#1757).
- When issuing certificates, the `subjectKeyIdentifier` of the issuing certificate, if available, is now copied as `authorityKeyIdentifier`, instead of always generating a SHA-1 hash of the issuer's subjectPublicKey (#1992, 6941dcb).
- Explicitly request permission to display notifications on Android 13+ (ddf84c1); also enabled hardware acceleration for the Android-specific OpenSSL build.
Fixes
- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with unrelated traffic selectors (#1855).
- Fixed an issue in `watcher_t` with handling errors on sockets (e.g. if the receive buffer is full), which caused an infinite loop if `poll()` only signaled `POLLERR` as event (#1757).
- Fixed an issue in the IKE_SA_INIT tracking code that was added with 5.9.6, which did not correctly untrack invalid messages with non-zero message IDs or SPIs (0b47357).
- Fixed a regression introduced with 5.9.8 when handling IKE redirects during IKE_AUTH (595fa07).
- Fixed adding the `XFRMA_REPLAY_ESN_VAL` attribute twice when updating SAs in the kernel-netlink plugin, which prevented MOBIKE updates if a large anti-replay window was used (#1967).
- Fixed a race condition in the kernel-pfroute plugin when adding virtual IPs if the TUN device is activated after the address was already added internally, which caused the installed route not to go via the TUN device in order to force the virtual IP as source address (#1807).
- Fixed an issue in libtls that could cause the wrong ECDH group to get instantiated (b5e4bf4).
- Fixed the encoding of the `CHILD_SA_NOT_FOUND` notify if a CHILD_SA is not found during rekeying. It was previously empty; it now contains the SPI and sets the protocol to the values received in the `REKEY_SA` notify (849c2c9).
- Fixed a possible issue with MOBIKE in the Android client on certain devices (#1691).
For Developers
- The new `ocsp_responder_t` interface can be implemented to provide certificate status information to the `pki --ocsp` command. Responders can be (un-)registered via the `ocsp_responders_t` instance at `lib->ocsp`.
- For the `watcher_t` component, `WATCHER_EXCEPT` has been removed as there is no way to explicitly listen for errors on sockets and `poll()` actually can return `POLLERR` for any FD and it might even be the only signaled event (which caused an infinite loop previously). Now we simply notify the registered callbacks. The error is then reported by e.g. `recvfrom()`, which was already the case before if `POLLERR` was returned together with e.g. `POLLIN`.
- The reqids allocated for CHILD_SAs (including trap policies) via `kernel_interface_t::alloc_reqid()` are now refcounted. When recreating a CHILD_SA, a reference to the reqid can be requested via `child_sa_t::get_reqid_ref()`. If another reference is required afterwards, one can be acquired directly via `kernel_interface_t::ref_reqid()`. Each reference has to be released via `kernel_interface_t::release_reqid()`, whose interface was simplified.
- The testing environment is now based on Debian 12 (bookworm), by default. Also, when copying files to guests, the guest-specific files are now copied after the default files, which allows overriding files per guest (fixes an issue with winnetou's `/etc/fstab` and mounting the test results).
Refer to the 5.9.12 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.11
- A long-standing deadlock in the vici plugin has been fixed that could get triggered when multiple connections were initiated/terminated concurrently and control-log events were raised by the `watcher_t` component (#566).
- To potentially improve the performance and reduce the chances of a similar deadlock, the logging calls in the `watcher_t` component have been reduced and moved out of its internal mutex (53208b0) and a change that caused the component to busy wait in some situations has also been reverted (30803f9). Also related is a change that avoids verbose log calls during `initiate/terminate()` (d96d15b, also see the developer notes below).
- In compliance with RFC 5280, CRLs now have to be signed by a certificate that either encodes the `cRLSign` keyUsage bit (even if it is a CA certificate), or is a CA certificate without a keyUsage extension. strongSwan has encoded a keyUsage extension with the `cRLSign` bit set in all CA certificates for 13 years. And before that it didn't encode the extension, so these certificates would also be accepted as CRL issuer in case they are still valid (7dc82de).
- Support for optional CA labels in EST server URIs (e.g. `https://www.example.org/.well-known/est/arbitraryLabel1/<operation>`) was added to the `pki --est` and `pki --estca` commands (#1614).
- The pkcs7 and openssl plugins now support CMS-style signatures in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA signatures (#1615).
- Fixed a regression in the server implementation of EAP-TLS when using TLS 1.2 or earlier that was introduced with 5.9.10 (#1613, 3d0d3f5).
- The EAP-TLS client now enforces that the TLS handshake is complete when using TLS 1.2 or earlier. It was possible to shortcut it by sending an early EAP-Success message. Note that this isn't a security issue as the server is authenticated at that point (db87087).
- On Linux, the kernel-libipsec plugin can now optionally handle ESP packets without UDP encapsulation (uses RAW sockets, disabled by default, e3cb756). The plugin and libipsec also gained support for trap policies (23d20bb).
- The dhcp plugin uses an alternative method to determine the source address when sending unicast DHCP requests, which is not affected by interface filtering that might be employed for the IKE sockets (#1573).
- The selection of certificates and trust chains as initiator has been improved if the local trust chain is incomplete (i.e. the root CA certificate for the local certificate is not loaded) while a certificate request for a known but unrelated CA is received, which caused any local intermediate CA certificates not to get sent (efdcbd1).
- ECDSA and EdDSA public keys are supported by the ipseckey plugin when parsing RFC 4025 `IPSECKEY` resource records (7be55ad).
- The kernel-wfp plugin installs bypass policies also on the `FWPM_SUBLAYER_IPSEC_TUNNEL` sublayer, which is necessary to bypass tunnel mode SAs/policies (8c0a67f).
- The revocation plugin suppresses some log messages for cached OCSP responses (9e17a0e).
- To further improve handling of cached OCSP responses, stale responses are now replaced in-place in the certificate cache (47e8b21).
- Capabilities of a SCEP server are now correctly parsed by `pki --scep` and `pki --scepca` (#1607).
- When renewing a certificate via SCEP, the `--dn` argument is now optional and gets copied from the previous certificate. This is helpful in case the CA added RDNs the user might not be aware of to the issued certificate (5f8eb09, #1689).
- Fixed the fallback to the remote identity for mediated connections if no peer ID is configured (#1569, dd79253).
- The log messages for the `terminate()` and `rekey()` commands have been improved to clarify what's happening if combined filters are used (e.g. with both `--ike` and `--child` passed, only matching CHILD_SAs will be affected, but previously a separate log message indicated that IKE_SAs would get targeted as well, 5e46e10).
- Fixed a crash when `charon-svc` is terminated (8f5c0c9).
- If IKEv1 SAs are reset during a reauthentication because of a timeout, the initiator SPI changes. CHILD_SAs are now correctly migrated to the new SPI (#1663).
- For developers:
  - Support for timeouts in the Python vici bindings has been improved so a default timeout that's configured on the socket won't be reset by `vici.Transport.receive()` and doesn't cause partial reads (#1562).
  - On Windows, the Python vici bindings now create a default TCP socket (00a75e3).
  - The `controller_t::initiate()` and `controller_t::terminate()` methods now take the maximum log level for messages that are passed to the callback (if any). If `controller_cb_empty()` is passed as callback, `LEVEL_SILENT` should be used to avoid any useless calls to the callback.
  - Disabling logging at compile-time via reduced `DEBUG_LEVEL` should again be possible (7fa85ff).
Refer to the 5.9.11 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.10
- Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. Please refer to our blog for details.
- Added support for full packet hardware offload for IPsec SAs and policies, which has been introduced with the Linux 6.2 kernel, to the kernel-netlink plugin (#1462). Bypass policies for the IKE ports are automatically offloaded to devices that support this type of offloading.
- TLS-based EAP methods use the key derivation specified in draft-ietf-emu-tls-eap-types (currently in the RFC Editor's publication queue) when used with TLS 1.3 (06abdf1).
- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication" (5401a74). Similarly, the eap-peap plugin correctly initiates Phase 2 with TLS 1.3 also if `phase2_piggyback` is disabled (default) (8aa13a1).
- Routes via XFRM interfaces can now optionally be installed automatically by enabling the `charon.plugins.kernel-netlink.install_routes_xfrmi` option. Such routes are only installed if an interface with the ID referenced in `if_id_out` exists when the corresponding CHILD_SA is installed. If the traffic selectors include the IKE traffic to the peer, special care is required (please refer to the docs for details).
- The NetworkManager backend `charon-nm` now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel (#1048).
- With the new `prefer` value for the `childless` setting, initiators will create a childless IKE_SA if the responder supports the extension (RFC 6023). As responder, it has the same effect as `allow`.
- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request (CSR).
- The `pki --issue` command adopts EKU flags that are either directly encoded in CSRs or derived from an encoded profile string (msCertificateTypeExtension). With the `--flag` option, these flags can either be overridden completely, or specific flags can be added and/or removed from the encoded set.
- When running on a Linux 6.2 kernel, the last use times of CHILD_SAs are determined by querying the IPsec SAs and not the policies (older kernels don't report the last use time per SA).
- For `libcurl` with MultiSSL support, the curl plugin provides an option to select a specific SSL/TLS backend.
- The `swanctl --monitor-sa` command exits with `ECONNRESET` if the daemon closes the VICI connection.
- For developers:
  - The default build of the Android app now relies on OpenSSL instead of the old BoringSSL version we previously used. A script to statically build `libcrypto` is provided in the repository (see the docs for details).
  - Existing enum name lists (e.g. for algorithm or notify payload identifiers) can now be extended from plugins (0de4204).
  - Implementations of `kernel_ipsec_t` that support reporting the last use time of an SA via `query_sa()` should announce this via the `KERNEL_SA_USE_TIME` kernel feature.
  - `libvici` provides a callback that's invoked if the connection is closed by the daemon, which may be useful when listening for events.
Refer to the 5.9.10 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.9
- Fixed an issue that could cause OCSP requests to contain an incorrect serial number if the openssl plugin parsed the certificate (#1415). Also see below for changes regarding the unified handling of serial numbers in code.
- The path/command for `resolvconf(8)` used by the resolve plugin is now configurable (dee1916).
- The resolve plugin does not invoke `resolvconf(8)` with individual interface names for each name server anymore. Instead, it uses a single, configurable interface/protocol name and provides all available name servers to `resolvconf(8)` every time a name server is added or removed (#1353).
- The `listen()` operation in the VICI Python bindings may now optionally time out, which can be useful when listening for events in a separate thread as that can otherwise not be canceled easily (#1416). Support for Python 2 has been dropped.
- The first reqid that's automatically assigned to a CHILD_SA is now configurable via `charon.reqid_base` in strongswan.conf. This allows reserving some low reqids for manual allocation.
- Default values for soft lifetimes of CHILD_SAs configured via swanctl.conf/VICI are now based on hard lifetimes if any are configured. Previously, it only worked the other way around (#1414).
- The kernel-netlink plugin now logs extended ACK error and warning messages provided by the Linux kernel if e.g. the installation of an SA or policy fails. This should give users a clearer indication of what might be wrong than the generic error messages for error codes like `EINVAL` or `ENOSYS` did previously.
- Several build conflicts with wolfSSL's OpenSSL compatibility layer have been resolved (#1332).
- For developers:
  - The `get_serial()` method of the `x509_t`, `crl_t`, and `ac_t` interfaces is now expected to return serial numbers in canonical form (i.e. without leading zeros). The existing plugins that implement or use these interfaces have been adapted accordingly; make sure to do the same with custom plugins/patches.
  - If linked against `libbfd` (`--enable-bfd-backtraces`), our own leak detective can whitelist functions that are otherwise not visible.
Refer to the 5.9.9 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.8
- Fixed a vulnerability related to online certificate revocation checking that was caused because the revocation plugin used potentially untrusted OCSP URIs and CRL distribution points in certificates. This allowed a remote attacker to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which could have led to a denial-of-service attack. This vulnerability has been registered as CVE-2022-40617. Please refer to our blog for details.
- The `pki --scep|--scepca` commands implement the HTTP-based "Simple Certificate Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated `scepclient` that has been removed.
- The `pki --est|--estca` commands implement the HTTPS-based "Enrollment over Secure Transport" (RFC 7070 EST) protocol.
- The `pki --req` command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key.
- The `ike_cfg_t` object is now always replaced together with the `peer_cfg_t` object that's set on an IKE_SA during authentication. This is more consistent and allows properly taking into account some settings that are also relevant during IKE_AUTH (e.g. `childless`), and it was actually already handled this way during rekeying/reestablishing of IKE_SAs and e.g. for the DSCP setting.
- The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests (now indirectly enabled if the `pki` tool is built due to the implementation of EST) can be completed successfully with just the default plugins.
- Our TLS client implementation now sends an empty certificate payload if a certificate request is received but no certificate is available. The encoding of TLS 1.3 certificate extensions for intermediate CA certificates has also been fixed.
- The socket plugins don't set the `SO_REUSEADDR` option anymore on the IKE UDP sockets, so an error is triggered if e.g. two daemons (e.g. `charon` and `charon-systemd`) are running concurrently using the same ports.
- The `charon.rsa_pss_trailerfield` setting generates an algorithmIdentifier for RSASSA-PSS signatures with explicit trailerField, which might be necessary for interoperability with implementations of RFC 7427 that haven't considered its errata.
- A potential use-after-free issue has been fixed when caching credential encodings (e.g. fingerprints) if multiple threads operate on the same key concurrently (#1231).
- A potential crash has been fixed caused by a race condition during shutdown between the main thread flushing the IKE_SA manager and worker threads still creating IKE_SAs (#1252).
- A potential crash in the vici plugin has been fixed that was caused when events were triggered with messages that failed to get created successfully (#1278).
- A file descriptor leak has been fixed in the Android client (#1160), plus some other issues related to targeting Android 12 (e.g. #1151 and 86b69f2).
- For developers:
  - For IKEv2, the `ike_updown()` "up" event and the state change to `IKE_ESTABLISHED` are now triggered after all IKE-related tasks are done. This ensures the IKE_SA is actually fully established, which now includes any assigned virtual IPs, additional MOBIKE peer addresses or a reauthentication time updated via an `AUTH_LIFETIME` notify. This was an issue for the selinux plugin if virtual IPs were used.
  - In the `cert_validator_t` interface, the `online` flag has been removed from the `validate()` method, which is called during basic certificate chain validation. Online validation is now instead triggered via the new `validate_online()` method, which is called after a trusted certificate chain has been built.
  - `pen_t` is now used for EAP vendor IDs instead of `uint32_t`.
  - The `--enable-asan` configure option enables building with AddressSanitizer (ASan).
  - The `TESTS_ITERATIONS` environment variable allows running only specific iterations of loop-based test functions.
Refer to the 5.9.8 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.7
- The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message. So instead of deriving the keys directly while processing an IKE_SA_INIT request (which could come from a spoofed address), it is delayed until the corresponding IKE_AUTH request is received. See below for required changes for Diffie-Hellman implementations.
- Inbound IKEv2 messages, in particular requests, are now processed differently. Instead of parsing all inbound messages right away (which might trigger a key derivation or require keys we don't have anymore in the multi-KE use case), we now first check a request's message ID and compare its hash to that of the previous request to decide if it's a valid retransmit. For fragmented messages we only keep track of the first fragment so we can send the corresponding response immediately if a retransmit of it is received, instead of waiting for all fragments and reconstructing the message, which we did before.
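A model of the responder-side logic just described (classify a request by message ID and hash before parsing it, track only the first fragment of a fragmented request), added here as an illustration that is not strongSwan code. The `Request` and `ResponderTracker` types and the verdict names are assumptions for the example; `Request` is a toy stand-in for the IKEv2 header fields involved, not the wire encoding.

```python
"""Responder-side retransmit detection for IKEv2 requests, modelled on the
behaviour described above. Constructed illustration, not strongSwan code."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    """Toy stand-in for the header fields this logic needs (assumption)."""
    message_id: int
    payload: bytes
    frag_num: int = 1      # 1-based fragment number; 1 for unfragmented requests
    frag_total: int = 1    # number of fragments; 1 for unfragmented requests


class ResponderTracker:
    """Remembers the previous request (hash of its first fragment only) and
    the response sent for it, plus the fragments of the request in progress."""

    def __init__(self) -> None:
        self.expected_mid = 0
        self.last_hash: Optional[bytes] = None          # first fragment of last request
        self.last_response: Optional[bytes] = None
        self.pending_first_hash: Optional[bytes] = None
        self.pending_frags: dict[int, bytes] = {}

    @staticmethod
    def _digest(req: Request) -> bytes:
        return hashlib.sha256(req.payload).digest()

    def handle(self, req: Request, process: Callable[[bytes], bytes]):
        """Returns (verdict, response). verdict is one of 'process', 'retransmit',
        'fragment', 'ignored', 'invalid' or 'out-of-window'; response is the
        bytes to send back, or None. Nothing is parsed before the verdict."""
        if req.message_id == self.expected_mid - 1:
            # Refers to the previous request: only its first fragment is compared,
            # so a retransmitted fragmented request is answered immediately.
            if req.frag_num != 1:
                return "ignored", None           # later fragments of a retransmit
            if self._digest(req) == self.last_hash:
                return "retransmit", self.last_response
            return "invalid", None               # same message ID, different content
        if req.message_id != self.expected_mid:
            return "out-of-window", None
        # Current request: remember the first fragment's hash for later retransmits.
        if req.frag_num == 1:
            self.pending_first_hash = self._digest(req)
        if req.frag_total > 1:
            self.pending_frags[req.frag_num] = req.payload
            if any(i not in self.pending_frags for i in range(1, req.frag_total + 1)):
                return "fragment", None          # wait for the remaining fragments
            payload = b"".join(self.pending_frags[i]
                               for i in range(1, req.frag_total + 1))
            self.pending_frags = {}
        else:
            payload = req.payload
        response = process(payload)              # parsing/key derivation happens here
        self.last_hash, self.pending_first_hash = self.pending_first_hash, None
        self.last_response = response
        self.expected_mid += 1
        return "process", response


def echo_responder(payload: bytes) -> bytes:
    """Constructed stand-in for real message processing."""
    return b"RESP:" + payload


def demo() -> list[str]:
    """Constructed exchange: IKE_SA_INIT, its retransmit, a tampered duplicate,
    then a two-fragment IKE_AUTH whose first fragment is retransmitted."""
    t = ResponderTracker()
    steps = [Request(0, b"SA_INIT"), Request(0, b"SA_INIT"), Request(0, b"SA_INIT-x"),
             Request(1, b"AUTH-1", 1, 2), Request(1, b"AUTH-2", 2, 2),
             Request(1, b"AUTH-1", 1, 2), Request(1, b"AUTH-2", 2, 2), Request(7, b"?")]
    return [t.handle(r, echo_responder)[0] for r in steps]


if __name__ == "__main__":
    print(demo())
```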
- The retransmission logic in the dhcp plugin has been fixed (#1154). As originally intended, four retransmits are now sent over a total of 15 seconds for each DHCP request. Previously, it could happen that some or all of the five messages were sent at basically the same time, without any delay to wait for a response.
- The connmark plugin now considers configured masks in installed firewall rules (#1087). For instance, with `mark_in = mark_out = %unique/0x0000ffff`, mark values in the upper two bytes would not get reset by the rules installed by the plugin and could be used for other purposes. However, note that in this example the daemon would have to get restarted after 65'535 CHILD_SAs (at the latest) to reset the global 32-bit counter for unique marks as that's unaware of any masks.
- Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
- The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
- The openssl plugin supports AES and Camellia in CTR mode (112bb46).
- The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted (RFC 8247 only mentions AES-XCBC and recommends it exclusively for IoT deployments).
- The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
- The `CALLBACK` macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).
- Support for GTK 4 was added to the NetworkManager plugin (#961); the necessary changes were released separately with version 1.6.0 of the plugin.
-
- For developers:
  - When building from the repository, the new `--enable-warnings` configure option is now automatically enabled. It adds `-Wall -Wextra -Werror` (and a bunch of `-Wno-*` flags for warnings that are difficult to avoid in our codebase) to the `CFLAGS` prepared by the script (`CFLAGS` passed to the script are added after the internal flags, so overriding these options is possible without having to disable `--enable-warnings` completely). This was mainly added to avoid passing `-Werror` to the configure script in our automated CI builds as that also affects the tests run by it.
  - The `diffie_hellman_t` interface was renamed to `key_exchange_t` with the following additional changes to the interface:
    - `set_other_public_key()` was renamed to `set_public_key()`. This method must not do any costly public key validation or the actual key derivation anymore, which must instead be implemented in `get_shared_secret()`.
    - `get_my_public_key()` was renamed to `get_public_key()`.
    - `set_private_value()` was renamed to `set_private_key()`.
    - `get_dh_group()` was renamed to `get_method()`.
  - The `diffie_hellman_group_t` enum was renamed to `key_exchange_method_t`, the corresponding `enum_name_t` instances were renamed similarly. `MODP_NONE` was renamed to `KE_NONE`.
  - The `has_dh_group()` and `promote_dh_group()` methods on `proposal_t` were renamed and generalized to `has_transform()` and `promote_transform()`, respectively, which allow checking if any transform/algorithm (not only a DH group) is contained in a proposal or moving it to the front. Similarly, the `get_dh_group()` method on `ike_cfg_t` and `child_cfg_t` was changed to `get_algorithm()`.
  - Two new callbacks for `task_t` enable tasks to do work after generating (`post_build()`) or processing (`post_process()`) a message.
    - The `post_build()` hook is used by the ike-auth task to collect a copy of the sent IKE_SA_INIT message after it was generated. This avoids having to pre-generate the message in the task, allowing later-running tasks and plugins (via the `message()` listener hook) to modify it (e.g. add notifies) before it's eventually generated.
  - The `TESTS_VERBOSITY_<group>` environment variables allow configuring the log level for individual log groups when running the unit tests (they default to `TESTS_VERBOSITY`).
Refer to the 5.9.7 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.6
- The main two steps of the IKEv2 key derivation (PRF/prf+) have been modularized. In particular, prf+ is now provided by a plugin. This makes certification (e.g. FIPS-140) easier as it allows implementing them via an already certified third-party library. For the most commonly used HMAC-based PRFs, the botan, openssl and wolfssl plugins implement the two steps via their respective implementations of RFC 5869's HKDF-Extract (`KDF_PRF`) and HKDF-Expand (`KDF_PRF_PLUS`). A default implementation, based on generic PRFs from other plugins, is provided by the new kdf plugin (may be disabled if one of the mentioned third-party plugins is loaded and none of the rarely used non-HMAC PRFs, AES-XCBC or AES-CMAC, are used).
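The two derivation steps and their equivalence to HKDF, as an added example (not strongSwan's own kdf plugin code): with an HMAC PRF, `SKEYSEED = prf(Ni | Nr, g^ir)` from RFC 7296 is HKDF-Extract with the nonces as salt and the shared secret as IKM, and `prf+` with its single-octet counter is HKDF-Expand. The function names `kdf_prf`, `kdf_prf_plus` and `ikev2_keymat` are this example's own, and the RFC 5869 test vector is used to check the construction.

```python
"""IKEv2 key derivation (RFC 7296 sections 2.13/2.14) built on an HMAC PRF, showing
the correspondence to RFC 5869 HKDF-Extract / HKDF-Expand. Example code, not strongSwan's."""
import hashlib
import hmac


def prf(key: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """An HMAC-based IKEv2 PRF such as PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()


def kdf_prf(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """First step (KDF_PRF): SKEYSEED = prf(Ni | Nr, g^ir).
    With an HMAC PRF this is exactly HKDF-Extract(salt=Ni|Nr, IKM=g^ir)."""
    return prf(salt, ikm, hash_name)


def kdf_prf_plus(key: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Second step (KDF_PRF_PLUS): prf+(K, S) = T1 | T2 | ... with
       T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n), n a single octet.
    This is identical to HKDF-Expand(PRK=K, info=S, L=length)."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            # The counter is one octet, so at most 255 * hash_len bytes can be produced.
            raise ValueError("prf+ cannot produce %d bytes" % length)
        prev = prf(key, prev + seed + bytes([counter]), hash_name)
        out += prev
        counter += 1
    return out[:length]


def ikev2_keymat(shared_secret: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes,
                 key_len: int, integ_len: int, prf_len: int, hash_name: str = "sha256") -> dict:
    """Derive the IKE_SA keys in RFC 7296 order:
       SKEYSEED = prf(Ni | Nr, g^ir)
       SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)"""
    skeyseed = kdf_prf(ni + nr, shared_secret, hash_name)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    sizes = [prf_len, integ_len, integ_len, key_len, key_len, prf_len, prf_len]
    stream = kdf_prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(sizes), hash_name)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    # Constructed sample values (not a real exchange) just to show the output layout.
    keys = ikev2_keymat(b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, b"\x04" * 8, b"\x05" * 8,
                        key_len=32, integ_len=32, prf_len=32)
    for name, value in keys.items():
        print(name, value.hex())
```

Because the construction is the same, a FIPS-validated HKDF from a third-party library can stand in for both steps for HMAC PRFs, which is the point of the modularization; AES-XCBC and AES-CMAC PRFs have no HKDF equivalent and still need the generic prf+ loop above.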
- Support for labeled IPsec with IKEv2 (draft-ietf-ipsecme-labeled-ipsec) has been added. Two modes are currently supported:
  - SELinux: When building with `--enable-selinux`, support for SELinux labels is enabled and the selinux plugin is built. If SELinux is usable on the system, the negotiated labels are installed on IPsec SAs and policies. The configured label is expected to be a generic context (e.g. `system_u:object_r:ipsec_spd_t:s0`), which is installed on trap policies, either from the outset via `start_action=trap`, or dynamically by the selinux plugin after an IKE_SA has been established (e.g. in roadwarrior scenarios, in particular as responder). Once traffic hits such a policy and matches its context via `association:polmatch`, an acquire with the actual label is triggered by the kernel, for which a CHILD_SA is negotiated with the peer. A childless IKE_SA is created if the connection is not triggered by an acquire and no specific label is available. Labels received as responder are accepted if they match the configured label via `association:polmatch`.
  - Simple: This proprietary mode, which is the default if SELinux support is disabled or not available on the system, allows exchanging arbitrary labels to identify specific child configs on the peer. These labels are not configured on the IPsec SAs or policies but are simply used during CHILD_SA creation to aid config selection (an example can be seen in the ikev2/net2net-dscp scenario).
- Denial of Service (DoS) protection has been improved:
  - The secrets used for generating COOKIE payloads are now switched based on a time limit (2 minutes) and not the previous usage limit (10'000 generated cookies). This avoids switching secrets multiple times a second under a heavy attack, preventing legitimate clients from successfully sending requests with valid cookies (they are valid for 10 seconds, by default).
  - So far, sending and requiring COOKIE payloads was triggered only by the total number of half-open IKE_SAs. Because that global threshold is higher than the per-IP block threshold (5 half-open IKE_SAs are allowed per IP, by default), it was possible for an attacker to block a legitimate user by sending spoofed IKE_SA_INIT packets from that user's IP. To prevent this, a new per-IP threshold has been added to trigger cookies (3 half-open IKE_SAs, by default). The default value for the global threshold has also been increased slightly (from 10 to 30).
  - Unprocessed but queued initial messages (IKE_SA_INIT for IKEv2) are now already counted as half-open IKE_SAs. This makes the thresholds more accurate so it isn't possible anymore for attackers to create thousands of jobs for packets from spoofed IP addresses before the daemon is able to process enough of them to create half-open IKE_SAs that would trigger the thresholds.
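The three changes above interact, so here is a simplified model of the responder side as an added example (not strongSwan's implementation): stateless COOKIE generation in the RFC 7296 section 2.6 style with time-based secret switching, a per-IP cookie threshold below the per-IP block threshold, and counting a request as half-open as soon as it is queued. The cookie layout (version byte, timestamp, truncated HMAC), the class names `CookieGenerator` and `HalfOpenTracker`, and the scenario in `simulate_spoofed_flood()` are this example's own constructions; the threshold and timing defaults are the ones quoted in the notes.

```python
"""Model of IKEv2 COOKIE-based DoS protection with time-based secret switching and
per-IP / global half-open thresholds. Example code, not strongSwan's own."""
import hashlib
import hmac
import os
import struct

# Defaults as quoted in the release notes.
COOKIE_SECRET_LIFETIME = 120   # seconds between secret switches (previously a usage limit)
COOKIE_VALIDITY = 10           # seconds a generated cookie stays valid
PER_IP_COOKIE_THRESHOLD = 3    # half-open SAs per IP before cookies are required
PER_IP_BLOCK_THRESHOLD = 5     # half-open SAs per IP before new requests are dropped
GLOBAL_COOKIE_THRESHOLD = 30   # half-open SAs overall before cookies are required


class CookieGenerator:
    """Stateless cookie = version | timestamp | HMAC(secret, Ni | IPi | SPIi | timestamp).
    Layout is this example's own; RFC 7296 only requires it to be unforgeable and stateless."""

    def __init__(self, now):
        self.cur = (0, os.urandom(32))   # (version, secret) currently used for generation
        self.prev = self.cur             # previous secret, still accepted after a switch
        self.switched_at = now

    def _maybe_switch(self, now):
        # Switch on a time limit, so a flood of requests cannot churn through secrets
        # and invalidate cookies that legitimate peers are about to return.
        if now - self.switched_at >= COOKIE_SECRET_LIFETIME:
            self.prev = self.cur
            self.cur = ((self.cur[0] + 1) & 0xff, os.urandom(32))
            self.switched_at = now

    @staticmethod
    def _mac(secret, ni, ip, spi_i, ts):
        msg = ni + ip.encode() + spi_i + struct.pack(">I", ts)
        return hmac.new(secret, msg, hashlib.sha256).digest()[:16]

    def generate(self, now, ni, ip, spi_i):
        self._maybe_switch(now)
        ts = int(now)
        version, secret = self.cur
        return bytes([version]) + struct.pack(">I", ts) + self._mac(secret, ni, ip, spi_i, ts)

    def verify(self, now, cookie, ni, ip, spi_i):
        self._maybe_switch(now)
        if len(cookie) != 21:
            return False
        version, ts = cookie[0], struct.unpack(">I", cookie[1:5])[0]
        if not 0 <= int(now) - ts <= COOKIE_VALIDITY:
            return False                       # expired (or not yet valid)
        secret = dict([self.prev, self.cur]).get(version)
        if secret is None:
            return False                       # made with a secret we no longer hold
        return hmac.compare_digest(cookie[5:], self._mac(secret, ni, ip, spi_i, ts))


class HalfOpenTracker:
    """Counts half-open IKE_SAs per source IP and overall, and decides how an
    incoming IKE_SA_INIT request is treated."""

    def __init__(self, cookies):
        self.cookies = cookies
        self.per_ip = {}
        self.total = 0

    def handle_init(self, now, ip, ni, spi_i, cookie=None):
        """Return "drop", "cookie" (answer with a COOKIE notify, keep no state)
        or "accept" (create a half-open IKE_SA)."""
        count = self.per_ip.get(ip, 0)
        if count >= PER_IP_BLOCK_THRESHOLD:
            return "drop"
        if count >= PER_IP_COOKIE_THRESHOLD or self.total >= GLOBAL_COOKIE_THRESHOLD:
            # A spoofed source never receives the COOKIE notify and so never gets past
            # this point, while the real peer at that IP just retries with the cookie.
            if cookie is None or not self.cookies.verify(now, cookie, ni, ip, spi_i):
                return "cookie"
        # Counted as half-open as soon as the request is queued, not once processed.
        self.per_ip[ip] = count + 1
        self.total += 1
        return "accept"

    def release(self, ip):
        """Free the half-open slot once the IKE_SA is established or destroyed."""
        self.per_ip[ip] -= 1
        self.total -= 1


def simulate_spoofed_flood(now=1000.0):
    """Constructed scenario: four IKE_SA_INITs spoofed from a victim's IP, then the
    real client at that IP completing the cookie exchange."""
    tracker = HalfOpenTracker(CookieGenerator(now))
    victim_ip, spi = "198.51.100.7", b"\x00" * 8
    spoofed = [tracker.handle_init(now, victim_ip, os.urandom(32), spi) for _ in range(4)]
    ni = os.urandom(32)
    cookie = tracker.cookies.generate(now, ni, victim_ip, spi)
    legit = tracker.handle_init(now + 1, victim_ip, ni, spi, cookie)
    return spoofed, legit
```

With the old behaviour (cookies only above the global threshold, which was 10 while the per-IP block was 5), the fourth and fifth spoofed packets would have been accepted and the real client dropped; with the per-IP cookie threshold at 3, the spoofed packets stall at the cookie exchange and the real client gets through.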
- Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or `dpd_action=restart`). This does not prevent duplicates if they are initiated by the two peers concurrently.
- It's now possible to combine `trap` and `start` in `start_action` (i.e. `start_action=trap|start`) to immediately initiate an SA for which trap policies are also installed.
- Updates to reqids on policies are allowed again by the kernel-netlink plugin. The infamous error `unable to install policy ... for reqid ..., the same policy for reqid ... exists` is replaced by a simple warning should the reqid for a policy actually get updated.
- Compatibility with OpenSSL 3.0 has been improved (9aa7e12). Providers are not unloaded anymore to avoid issues with `atexit()` handlers (#921).
- The client identity (e.g. the IKE or EAP identity for EAP-TLS) is again enforced by libtls (#873).
- If the source address is unknown when initiating an IKEv2 SA, a NAT situation is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing asymmetric enabling of UDP-encapsulation (#861).
- Installing unnecessary exclude routes for VPN servers on FreeBSD is now avoided (#910).
- The default AEAD ESP proposal (sent since 5.9.0) now includes `noesn` to make it standards-compliant (#868).
- Missing alerts were added to the error-notify plugin (801bb85).
- The new `map_level` option for syslog loggers allows mapping log levels (0..4) to syslog levels starting at the specified number (by default, all messages are logged with `LOG_INFO`).
- The addrblock plugin allows limiting the validation depth of issuer addrblock extensions (e3d1766).
- Individual CHILD_SAs can be queried via the `list-sas()` vici command (or `swanctl --list-sas`), either by unique ID or name.
- For developers:
  - Plugins can provide the two IKEv2 key derivation steps (`KDF_PRF`/`KDF_PRF_PLUS`), see kdf.h for details.
  - `ike_sa_t::initiate()` now takes a struct with optional arguments (such as traffic selectors). The same is the case for similar data from acquires (changed the signatures for `acquire()` on the `kernel_listener_t` and `kernel_interface_t` interfaces).
  - The trap manager allows installing externally managed trap policies (see the selinux plugin for an example of how this could be used).
  - If dynamic traffic selectors are updated due to an address change, the reqid of a CHILD_SA now changes, in which case `kernel_ipsec_t::update_sa()` is called with `new_reqid` set in the `kernel_ipsec_update_sa_t` struct. If a kernel interface doesn't support this, `NOT_SUPPORTED` should be returned to trigger a rekeying.
  - The fourth argument for `ENUM_FLAGS` now indicates the name used when no flags are set (previously, `(unset)` was used for all flag enums). Flags can now also be parsed via `enum_flags_from_string()` (expects the flags separated by `|`).
Refer to the 5.9.6 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.5
- Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079. Please refer to our blog for details.
- Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now establish a secure session via RSA OAEP public key encryption or an ephemeral ECDH key exchange, respectively. The session allows HMAC-based authenticated communication with the TPM 2.0 and the exchanged parameters can be encrypted with AES-CFB where necessary to guarantee confidentiality (e.g. when using the TPM 2.0 as RNG).
- Basic support for OpenSSL 3.0 has been added to the openssl plugin, in particular, the new load_legacy option (enabled by default) allows loading the "legacy" provider for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the existing fips_mode option allows explicitly loading the "fips" provider e.g. if it's not activated in OpenSSL's `fipsmodule.cnf`. All loaded providers are logged when the plugin is initialized.
- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and FreeBSD is now configurable and reduced to 1400 bytes, by default. This also fixes an issue on macOS 12 that prevented the detection of virtual IPs installed on such TUN devices (#707).
- When rekeying CHILD_SAs, the old outbound SA is now uninstalled earlier on the initiator/winner. Instead of delaying this until the delete for the old CHILD_SA has been exchanged, we do this shortly after the new SA has been installed. This is useful for IPsec implementations where the ordering of SAs is unpredictable and we can't set the SPI on the outbound policy to switch to the new SA while both are installed.
- The sw-collector utility may now iterate through APT history logs processed by logrotate.
- The openssl plugin now only announces the ECDH groups actually supported by OpenSSL (determined via `EC_get_builtin_curves()`).
- Added support for RSA encryption with OAEP padding with an optional label via the openssl and wolfssl plugins (the botan plugin supports OAEP padding, but only without labels, while the gcrypt plugin only supports OAEP padding with SHA-1 and without labels). See below for the interface change this required.
- Added support for AES-CFB via botan, gcrypt, openssl and wolfssl plugins.
- Failure handling in unit tests for libtls has been improved (#752).
- Fixed the application of configured identities to raw public keys via vici/swanctl (e430528).
- Fixed the detection of several vendor IDs (broken since 5.9.3).
- Unit tests for charon-tkm now run automatically on GitHub (to test locally, refer to `testing/tkm/Dockerfile`).
- For developers:
  - Custom EAP plugins that don't generate an MSK have to return `NOT_SUPPORTED` from `get_msk()`. Those that do have to make sure to return `FAILED` until the EAP method is complete and an MSK has been established, see the blog post about the vulnerability above for more information.
  - The `public_key_t::encrypt()` and `private_key_t::decrypt()` gained a `void*` argument for algorithm specific parameters. First application is the optional label for RSA with OAEP padding.
  - A new metadata facility allows to attach arbitrary integer values to `packet_t`/`message_t`, which may be used to transport information from custom socket plugins to other plugins that later process IKE messages and back again.
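The `get_msk()` contract above is what lets an EAP peer tell a premature EAP-Success from a real one, so here is a small model of that check as an added example (not strongSwan's EAP code): a key-generating method returns `FAILED` until it has completed, a method without MSK returns `NOT_SUPPORTED`, and the peer only treats EAP-Success as authentication once the method itself reports completion. `ToyEapMethod`, `EapPeer`, the `Status` enum and the `is_complete()` helper are this example's own constructions.

```python
"""Model of an EAP peer that refuses an early EAP-Success, based on the get_msk()
contract described in the notes. Example code, not strongSwan's own."""
from enum import Enum

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


class Status(Enum):
    SUCCESS = "SUCCESS"                # method complete and an MSK is available
    FAILED = "FAILED"                  # method not complete yet (no MSK to hand out)
    NOT_SUPPORTED = "NOT_SUPPORTED"    # method never produces an MSK


class ToyEapMethod:
    """Stand-in for an EAP method needing `rounds` request/response exchanges to
    complete. Pass msk=None to model a method that does not generate an MSK."""

    def __init__(self, rounds, msk=None):
        self.rounds, self.msk, self.done_rounds = rounds, msk, 0

    def process(self, request):
        self.done_rounds += 1
        return b"response-%d" % self.done_rounds

    def is_complete(self):
        return self.done_rounds >= self.rounds

    def get_msk(self):
        if self.msk is None:
            return Status.NOT_SUPPORTED, None
        # Contract from the notes: FAILED until the method is complete.
        if not self.is_complete():
            return Status.FAILED, None
        return Status.SUCCESS, self.msk


class EapPeer:
    def __init__(self, method):
        self.method, self.msk, self.state = method, None, "running"

    def handle(self, code, payload=b""):
        """Process one EAP packet and report what the peer did with it."""
        if self.state != "running":
            return "ignored"
        if code == EAP_REQUEST:
            self.method.process(payload)
            return "responded"
        if code == EAP_FAILURE:
            self.state = "failed"
            return "failed"
        if code == EAP_SUCCESS:
            status, msk = self.method.get_msk()
            if status is Status.SUCCESS:
                self.msk, self.state = msk, "authenticated"
                return "authenticated"
            if status is Status.NOT_SUPPORTED and self.method.is_complete():
                self.state = "authenticated"    # no MSK; AUTH relies on the IKE keys
                return "authenticated"
            # Early EAP-Success while the method is still running: a peer that trusted
            # it here would skip the remaining authentication, so fail the exchange.
            self.state = "failed"
            return "rejected_early_success"
        return "ignored"
```

The "before" behaviour the notes warn about is the `SUCCESS` branch being reached with a method that reports a key before it has finished; returning `FAILED` until completion is what forces the rejection path.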
Refer to the 5.9.5 milestone for a list of all closed issues and pull requests.