forked from strongswan/strongswan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
3922 lines (2827 loc) · 167 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
strongswan-5.9.6
----------------
- The IKEv2 key derivation, in particular prf+, has been modularized to simplify
certification (e.g. FIPS-140) via an already certified third-party library.
The botan, openssl and wolfssl plugins implement the key derivation for
HMAC-based PRFs via their respective HKDF implementation. A generic
implementation is provided by the new kdf plugin.
- Labeled IPsec with IKEv2 is supported in an SELinux and a proprietary simple
mode. In SELinux mode, traffic that matches a trap policy with generic
context (e.g. system_u:object_r:ipsec_spd_t:s0) triggers the negotiation of
CHILD_SAs with a specific label. With the simple mode, labels are not set on
SAs/policies but can be used as identifier to select specific child configs.
- DoS protection has been improved: COOKIE secrets are now switched based on a
time limit (2 min.), a new per-IP threshold (default 3) is used to trigger
them, and unprocessed IKE_SA_INITs are already counted as half-open IKE_SAs.
- Initiating duplicate CHILD_SAs within the same IKE_SA is largely prevented.
- Immediately initiating a CHILD_SA with trap policies is now possible via
`start_action=trap|start`.
- If the source address is unknown when initiating an IKEv2 SA, a NAT situation
is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing
asymmetric enabling of UDP-encapsulation.
- Installing unnecessary exclude routes for VPN servers on FreeBSD is avoided.
- The new `map_level` option for syslog loggers allows mapping log levels
to syslog levels starting at the specified number.
- The addrblock plugin allows limiting the validation depth of issuer addrblock
extensions.
- The default AEAD ESP proposal (sent since 5.9.0) now includes `noesn` to make
it standards-compliant.
- Individual CHILD_SAs can be queried via the `list-sas` vici command (or
`swanctl --list-sas ), either by unique ID or name.
- Compatibility with OpenSSL 3.0 has been improved.
strongswan-5.9.5
----------------
- Fixed a vulnerability in the EAP client implementation that was caused by
incorrectly handling early EAP-Success messages. It may allow to bypass the
client and in some scenarios even the server authentication, or could lead to
a denial-of-service attack.
This vulnerability has been registered as CVE-2021-45079.
- Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now
establish a secure session via RSA encryption or an ephemeral ECDH key
exchange, respectively. The session allows HMAC-based authenticated
communication with the TPM 2.0 and the exchanged parameters can be encrypted
where necessary to guarantee confidentiality (e.g. when using the TPM as RNG).
- Basic support for OpenSSL 3.0 has been added, in particular, the new
load_legacy option (enabled by default) allows loading the "legacy" provider
for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the
existing fips_mode option allows explicitly loading the "fips" provider e.g.
if it's not activated in OpenSSL's fipsmodule.cnf.
- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and
FreeBSD is now configurable and reduced to 1400 bytes, by default. This also
fixes an issue on macOS 12 that prevented the detection of virtual IPs
installed on such TUN devices.
- When rekeying CHILD_SAs, the old outbound SA is now uninstalled shortly after
the new SA has been installed on the initiator/winner. This is useful for
IPsec implementations where the ordering of SAs is unpredictable and we can't
set the SPI on the outbound policy to switch to the new SA while both are
installed.
- The sw-collector utility may now iterate through APT history logs processed
by logrotate.
- The openssl plugin now only announces the ECDH groups actually supported by
OpenSSL (determined via EC_get_builtin_curves()).
strongswan-5.9.4
----------------
- Fixed a denial-of-service vulnerability in the gmp plugin that was caused by
an integer overflow when processing RSASSA-PSS signatures with very large
salt lengths.
This vulnerability has been registered as CVE-2021-41990.
- Fixed a denial-of-service vulnerabililty in the in-memory certificate cache
if certificates are replaced and a very large random value caused an integer
overflow.
This vulnerability has been registered as CVE-2021-41991.
- Fixed a related flaw that caused the daemon to accept an infinite number of
versions of a valid certificate by modifying the parameters in the
signatureAlgorithm field of the outer X.509 Certificate structure.
- AUTH_LIFETIME notifies are now only sent by a responder if it can't
reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP)
or the use of virtual IPs.
- Serial number generation in several pki sub-commands has been fixed so they
don't start with an unintended zero byte.
- Initialize libtpmtss in all programs and library that use it.
- Migrated testing scripts to Python 3.
strongswan-5.9.3
----------------
- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
- Added AES_CCM and SHA-3 signature support to openssl plugin.
- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
available, before verifying signatures, which avoids unnecessary signature
verifications after a CA key rollover if both certificates are loaded.
- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
previously depended on a version check.
- charon-nm now supports using SANs as client identities, not only full DNs.
- charon-tkm now handles IKE encryption.
- A MOBIKE update is sent again if a a change in the NAT mappings is detected
but the endpoints stay the same.
- Converted most of the test case scenarios to the vici interface
strongswan-5.9.2
----------------
- Together with a Linux 5.8 kernel supporting the IMA measurement of the GRUB
bootloader and the Linux kernel, the strongSwan Attestation IMC allows to do
remote attestation of the complete boot phase. A recent TPM 2.0 device with a
SHA-256 PCR bank is required, so that both BIOS and IMA file measurements are
based on SHA-256 hashes.
- Our own TLS library (libtls) that we use for TLS-based EAP methods and PT-TLS
gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and
Pascal Knecht (client and server) for their work on this.
Because the use of TLS 1.3 with these EAP methods is not yet standardized (two
Internet-Drafts are being worked on), the default maximum version is currently
set to TLS 1.2, which is now also the default minimum version. However the TNC
test scenarios using PT-TLS transport already use TLS 1.3.
- Other improvements for libtls also affect older TLS versions. For instance, we
added support for ECDH with Curve25519/448 (DH groups may also be configured
now), for EdDSA keys and certificates and for RSA-PSS signatures. Support for
old and weak cipher suites has been removed (e.g. with 3DES and MD5) as well
as signature schemes with SHA-1.
- The listener_t::ike_update event is now also called for MOBIKE updates. Its
signature has changed so we only have to call it once if both addresses/ports
have changed (e.g. for an address family switch). The event is now also
exposed via vici.
- The farp plugin has been ported to macOS and FreeBSD. Thanks to Dan James for
working on this.
- To fix DNS server installation with systemd-resolved, charon-nm now creates a
dummy TUN device again (was removed with 5.5.1).
- The botan plugin can use rng_t implementations provided by other plugins when
generating keys etc. if the Botan library supports it.
- charon-tkm now supports multiple CAs and is configured via vici/swanctl.
- Simple glob patterns (e.g. include conf.d/*.conf) now also work on Windows.
Handling of forward slashes in paths on Windows has also been improved.
- The abbreviations for the 'surname' and 'serial number' RDNs in ASN.1 DNs have
been changed to align with RFC 4519: The abbreviation for 'surname' is now
"SN" (was "S" before), which was previously used for 'serial number' that can
now be specified as "serialNumber" only.
- An issue with Windows clients requesting previous IPv6 but not IPv4 virtual
IP addresses has been fixed.
- ike_sa_manager_t: Checking out IKE_SAs by config is now atomic (e.g. when
acquires for different children of the same connection arrive concurrently).
The checkout_new() method has been renamed to create_new(). A new
checkout_new() method allows registering a new IKE_SA with the manager before
checking it in, so jobs can be queued without losing them as they can block
on checking out the new SA.
strongswan-5.9.1
----------------
- Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI
measurements introduced with the Linux 5.4 kernel.
- Nonces in OCSP responses are not enforced anymore and only validated if a
nonce is actually contained.
- Fixed an issue when only some fragments of a retransmitted IKEv2 message were
received, which prevented processing a following fragmented message.
- All queued vici messages are now sent to subscribed clients during shutdown,
which includes ike/child-updown events triggered when all SAs are deleted.
- CHILD_SA IP addresses are updated before installation to allow MOBIKE updates
while retransmitting a CREATE_CHILD_SA request.
- When looking for a route to the peer, the kernel-netlink plugin ignores the
current source address if it's deprecated.
- The file and syslog loggers support logging the log level of each message
after the subsystem (e.g. [IKE2]).
- charon-nm is now properly terminated during system shutdown.
- Improved support for EdDSA keys in vici/swanctl, in particular, encrypted
keys are now supported.
- A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID
to prevent Cisco devices from narrowing a 0.0.0.0/0 traffic selector.
- The openssl plugin accepts CRLs issued by non-CA certificates if they contain
the cRLSign keyUsage flag (the x509 plugin already does this since 4.5.1).
- Attributes in PKCS#7 containers, as used in SCEP, are now properly
DER-encoded, i.e. sorted.
- The load-tester plugin now supports virtual IPv6 addresses and IPv6 source
address pools.
strongswan-5.9.0
----------------
- We prefer AEAD algorithms for ESP and therefore put AES-GCM in a default AEAD
proposal in front of the previous default proposal.
- The NM backend now clears cached credentials when disconnecting, has DPD and
and close action set to restart, and supports custom remote TS via 'remote-ts'
option (no GUI support).
- The pkcs11 plugin falls back to software hashing for PKCS#1v1.5 RSA signatures
if mechanisms with hashing (e.g. CKM_SHA256_RSA_PKCS) are not supported.
- The owner/group of log files is now set so the daemon can reopen them if the
config is reloaded and it doesn't run as root.
- The wolfssl plugin (with wolfSSL 4.4.0+) supports x448 DH and Ed448 keys.
- The vici plugin stores all CA certificates in one location, which avoids
issues with unloading authority sections or clearing all credentials.
- When unloading a vici connection with start_action=start, any related IKE_SAs
without children are now terminated (including those in CONNECTING state).
- The hashtable implementation has been changed so it maintains insertion order.
This was mainly done so the vici plugin can store its connections in a
hashtable, which makes managing high numbers of connections faster.
- The default maximum size for vici messages (512 KiB) can now be changed via
VICI_MESSAGE_SIZE_MAX compile option.
- The charon.check_current_path option allows forcing a DPD exchange to check if
the current path still works whenever interface/address-changes are detected.
- It's possible to use clocks other than CLOCK_MONOTONIC (e.g. CLOCK_BOOTTIME)
via TIME_CLOCK_ID compile option if clock_gettime() is available and
pthread_condattr_setclock() supports that clock.
- Test cases and functions can now be filtered when running the unit tests.
strongswan-5.8.4
----------------
- In IKEv1 Quick Mode make sure that a proposal exists before determining
lifetimes (fixes crash due to null pointer exception).
- OpenSSL currently doesn't support squeezing bytes out of a SHAKE128/256
XOF (eXtended Output Function) multiple times. Unfortunately,
EVP_DigestFinalXOF() completely resets the context and later calls not
simply fail, they cause a null-pointer dereference in libcrypto. This
fixes the crash at the cost of repeating initializing the whole state
and allocating too much data for subsequent calls.
strongswan-5.8.3
----------------
- Updates for the NM backend (and plugin), among others: EAP-TLS authentication,
configurable local and remote IKE identities, custom server port, redirection
and reauthentication support.
- Previously used reqids are now reallocated to workaround an issue on FreeBSD
where the daemon can't use reqids > 16383.
- On Linux, throw type routes are installed for passthrough policies. They act
as fallbacks on routes in other tables and require less information, so they
can be installed earlier and are not affected by updates.
- For IKEv1, the lifetimes of the selected transform are returned to the
initiator, which is an issue with peers that propose different lifetimes in
different transforms. We also return the correct transform and proposal IDs.
- IKE_SAs are not re-established anymore if a deletion has been queued.
- Added support for Ed448 keys and certificates via openssl plugin and pki tool.
The openssl plugin also supports SHA-3 and SHAKE128/256.
- The use of algorithm IDs from the private use ranges can now be enabled
globally, to use them even if no strongSwan vendor ID was exchanged.
strongswan-5.8.2
----------------
- Identity-based CA constraints are supported via vici/swanctl.conf. They
enforce that the remote's certificate chain contains a CA certificate with a
specific identity. While similar to the existing CA constraints, they don't
require that the CA certificate is locally installed such as intermediate CA
certificates received from peers. Compared to wildcard identity matching (e.g.
"..., OU=Research, CN=*") this requires less trust in the intermediate CAs (to
only issue certificates with legitimate subject DNs) as long as path length
basic constraints prevent them from issuing further intermediate CAs.
- Intermediate CA certificates may now be sent in hash-and-URL encoding by
configuring a base URL for the parent CA.
- Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
based on AES-CTR and SHA2-HMAC modes. Currently used by gmp and ntru plugins.
- Random nonces sent in an OCSP requests are now expected in the corresponding
OCSP responses.
- The kernel-netlink plugin ignores deprecated IPv6 addresses for MOBIKE.
Whether temporary or permanent IPv6 addresses are included depends on the
charon.prefer_temporary_addrs setting.
- Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the
kernel.
- Unique section names are used for CHILD_SAs in vici child-updown events and
more information (e.g. statistics) are included for individually deleted
CHILD_SAs (in particular for IKEv1).
- So fallbacks to other plugins work properly, creating HMACs via openssl plugin
now fails instantly if the underlying hash algorithm isn't supported (e.g.
MD5 in FIPS-mode).
- Exponents of RSA keys read from TPM 2.0 via SAPI are now correctly converted.
- Routing table IDs > 255 are supported for custom routes on Linux.
- The D-Bus config file for charon-nm is now installed in
$(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d.
- INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same
exchange type and using the same message ID as the request.
- IKEv2 SAs are immediately destroyed when sending or receiving INVALID_SYNTAX
notifies in authenticated messages.
strongswan-5.8.1
----------------
- RDNs in Distinguished Names can now optionally be matched less strict. The
global option charon.rdn_matching takes two alternative values that cause the
matching algorithm to either ignore the order of matched RDNs or additionally
accept DNs that contain more RDNs than configured (unmatched RDNs are treated
like wildcard matches).
- The updown plugin now passes the same interface to the script that is also
used for the automatically installed routes, i.e. the interface over which the
peer is reached instead of the interface on which the local address is found.
- TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple
IKE_SAs use the same private key concurrently.
strongswan-5.8.0
----------------
- The systemd service units have been renamed. The modern unit, which was called
strongswan-swanctl, is now called strongswan (the previous name is configured
as alias). The legacy unit is now called strongswan-starter.
- Support for XFRM interfaces (available since Linux 4.19) has been added.
Configuration is possible via swanctl.conf. Interfaces may be created
dynamically via updown/vici scripts, or statically before or after
establishing the SAs. Routes must be added manually as needed (the daemon will
not install any routes for outbound policies with an interface ID).
- Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and
supported by the responder, no CHILD_SA is established during IKE_AUTH. This
allows using a separate DH exchange even for the first CHILD_SA, which is
otherwise created with keys derived from the IKE_SA's key material.
- The NetworkManager backend and plugin support IPv6.
- The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks
to Sean Parkinson of wolfSSL Inc. for the initial patch.
- IKE SPIs may optionally be labeled via the charon.spi_mask|label options. This
feature was extracted from charon-tkm, however, now applies the mask/label in
network order.
- The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
- The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not
correctly implemented when sending either a CRETRY or SRETRY batch. These
batches can only be sent in the "Decided" state and a CRETRY batch can
immediately carry all messages usually transported by a CDATA batch. It is
currently not possible to send a SRETRY batch since full-duplex mode for
PT-TLS transport is not supported.
- Instead of marking virtual IPv6 addresses as deprecated, the kernel-netlink
plugin uses address labels to avoid their use for non-VPN traffic.
- The agent plugin creates sockets to the ssh/gpg-agent dynamically and does not
keep them open, which otherwise can prevent the agent from getting terminated.
- To avoid broadcast loops the forecast plugin now only reinjects packets that
are marked or received from the configured interface.
- UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses
an UTF-16LE encoding to calculate the NT hash.
- Adds the build-certs script to generate the keys and certificates used for
regression tests dynamically. They are built with the pki version installed
in the KVM root image so it's not necessary to have an up-to-date version with
all required plugins installed on the host system.
strongswan-5.7.2
----------------
- Private key implementations may optionally provide a list of supported
signature schemes, which is used by the tpm plugin because for each key on a
TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt
length (as defined by the length of the key and hash). However, if the TPM is
FIPS-168-4 compliant, the salt length equals the hash length. This is assumed
for FIPS-140-2 compliant TPMs, but if that's not the case, it might be
necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't
use the maximum salt length.
- swanctl now accesses directories for credentials relative to swanctl.conf, in
particular, when it's loaded from a custom location via --file argument. The
base directory that's used if --file is not given is configurable at runtime
via SWANCTL_DIR environment variable.
- With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to
Access-Request messages, simplifying associating database entries for IP
leases and accounting with sessions.
- IPs assigned by RADIUS servers are included in Accounting-Stop even if clients
don't claim them, allowing releasing them early on connection errors.
- Selectors installed on transport mode SAs by the kernel-netlink plugin are
updated on IP address changes (e.g. via MOBIKE).
- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin.
For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature
authentication has to be disabled via charon.signature_authentication.
- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys
and signatures when built against OpenSSL 1.1.1.
- Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
- The mysql plugin now properly handles database connections with transactions
under heavy load.
- IP addresses in HA pools are now distributed evenly among all segments.
- On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly
from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by
the plugin, e.g. for compatibility with if_ipsec(4) VTIs.
strongswan-5.7.1
----------------
- Fixes a vulnerability in the gmp plugin triggered by crafted certificates with
RSA keys with very small moduli. When verifying signatures with such keys,
the code patched with the fix for CVE-2018-16151/2 caused an integer underflow
and subsequent heap buffer overflow that results in a crash of the daemon.
The vulnerability has been registered as CVE-2018-17540.
strongswan-5.7.0
----------------
- Fixes a potential authorization bypass vulnerability in the gmp plugin that
was caused by a too lenient verification of PKCS#1 v1.5 signatures. Several
flaws could be exploited by a Bleichenbacher-style attack to forge signatures
for low-exponent keys (i.e. with e=3). CVE-2018-16151 has been assigned to
the problem of accepting random bytes after the OID of the hash function in
such signatures, and CVE-2018-16152 has been assigned to the issue of not
verifying that the parameters in the ASN.1 algorithmIdentifier structure is
empty. Other flaws that don't lead to a vulnerability directly (e.g. not
checking for at least 8 bytes of padding) have no separate CVE assigned.
- Dots are not allowed anymore in section names in swanctl.conf and
strongswan.conf. This mainly affects the configuration of file loggers. If the
path for such a log file contains dots it now has to be configured in the new
`path` setting within the arbitrarily renamed subsection in the `filelog`
section.
- Sections in swanctl.conf and strongswan.conf may now reference other sections.
All settings and subsections from such a section are inherited. This allows
to simplify configs as redundant information has only to be specified once
and may then be included in other sections (refer to the example in the man
page for strongswan.conf).
- The originally selected IKE config (based on the IPs and IKE version) can now
change if no matching algorithm proposal is found. This way the order
of the configs doesn't matter that much anymore and it's easily possible to
specify separate configs for clients that require weak algorithms (instead
of having to also add them in other configs that might be selected).
- Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2)
has been added.
- The new botan plugin is a wrapper around the Botan C++ crypto library. It
requires a fairly recent build from Botan's master branch (or the upcoming
2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz
Cybersecurity for the initial patch.
- The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using
the syntax --san xmppaddr:<jid>.
- Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA)
for PA-TNC". SWIMA subscription option sets CLOSE_WRITE trigger on apt
history.log file resulting in a ClientRetry PB-TNC batch to initialize
a new measurement cycle.
- Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA
protocols on Google's OSS-Fuzz infrastructure.
- Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of
the in-kernel /dev/tpmrm0 resource manager is automatically detected.
- Marks the in- and/or outbound SA should apply to packets after processing may
be configured in swanctl.conf on Linux. For outbound SAs this requires at
least a 4.14 kernel. Setting a mask and configuring a mark/mask for inbound
SAs will be added with the upcoming 4.19 kernel.
- New options in swanctl.conf allow configuring how/whether DF, ECN and DS
fields in the IP headers are copied during IPsec processing. Controlling this
is currently only possible on Linux.
- To avoid conflicts, the dhcp plugin now only uses the DHCP server port if
explicitly configured.
strongswan-5.6.3
----------------
- Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is
used in FIPS mode and HMAC-MD5 is negotiated as PRF.
This vulnerability has been registered as CVE-2018-10811.
- Fixed a vulnerability in the stroke plugin, which did not check the received
length before reading a message from the socket. Unless a group is configured,
root privileges are required to access that socket, so in the default
configuration this shouldn't be an issue.
This vulnerability has been registered as CVE-2018-5388.
⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios
where expired certificates are removed from CRLs and the clock on the host
doing the revocation check is trailing behind that of the host issuing CRLs.
- The issuer of fetched CRLs is now compared to the issuer of the checked
certificate.
- CRL validation results other than revocation (e.g. a skipped check because
the CRL couldn't be fetched) are now stored also for intermediate CA
certificates and not only for end-entity certificates, so a strict CRL policy
can be enforced in such cases.
- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
now either not contain a keyUsage extension (like the ones generated by pki)
or have at least one of the digitalSignature or nonRepudiation bits set.
- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
This might be useful in situations where it's known the other end is not
reachable anymore, or that it already removed the IKE_SA, so retransmitting a
DELETE and waiting for a response would be pointless. Waiting only a certain
amount of time for a response before destroying the IKE_SA is also possible
by additionally specifying a timeout.
- When removing routes, the kernel-netlink plugin now checks if it tracks other
routes for the same destination and replaces the installed route instead of
just removing it. Same during installation, where existing routes previously
weren't replaced. This should allow using traps with virtual IPs on Linux.
- The dhcp plugin only sends the client identifier option if identity_lease is
enabled. It can also send identities of up to 255 bytes length, instead of
the previous 64 bytes. If a server address is configured, DHCP requests are
now sent from port 67 instead of 68 to avoid ICMP port unreachables.
- Roam events are now completely ignored for IKEv1 SAs.
- ChaCha20/Poly1305 is now correctly proposed without key length. For
compatibility with older releases the chacha20poly1305compat keyword may be
included in proposals to also propose the algorithm with a key length.
- Configuration of hardware offload of IPsec SAs is now more flexible and allows
a new mode, which automatically uses it if the kernel and device support it.
- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
- The pki --verify tool may load CA certificates and CRLs from directories.
- Fixed an issue with DNS servers passed to NetworkManager in charon-nm.
strongswan-5.6.2
----------------
- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
was caused by insufficient input validation. One of the configurable
parameters in algorithm identifier structures for RSASSA-PSS signatures is the
mask generation function (MGF). Only MGF1 is currently specified for this
purpose. However, this in turn takes itself a parameter that specifies the
underlying hash function. strongSwan's parser did not correctly handle the
case of this parameter being absent, causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
- The previously negotiated DH group is reused when rekeying an SA, instead of
using the first group in the configured proposals, which avoids an additional
exchange if the peer selected a different group via INVALID_KE_PAYLOAD when
the SA was created initially.
The selected DH group is also moved to the front of all sent proposals that
contain it and all proposals that don't are moved to the back in order to
convey the preference for this group to the peer.
- Handling of MOBIKE task queuing has been improved. In particular, the response
to an address update is not ignored anymore if only an address list update or
DPD is queued.
- The fallback drop policies installed to avoid traffic leaks when replacing
addresses in installed policies are now replaced by temporary drop policies,
which also prevent acquires because we currently delete and reinstall IPsec
SAs to update their addresses.
- Access X.509 certificates held in non-volatile storage of a TPM 2.0
referenced via the NV index.
- Adding the --keyid parameter to pki --print allows to print private keys
or certificates stored in a smartcard or a TPM 2.0.
- Fixed proposal selection if a peer incorrectly sends DH groups in the ESP
proposals during IKE_AUTH and also if a DH group is configured in the local
ESP proposal and charon.prefer_configured_proposals is disabled.
- MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility
issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g.
AES-XCBC-PRF-128).
- The tpm_extendpcr command line tool extends a digest into a TPM PCR.
- Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
- The save-keys debugging/development plugin saves IKE and/or ESP keys to files
compatible with Wireshark.
strongswan-5.6.1
----------------
- In compliance with RFCs 8221 and 8247 several algorithms were removed from the
default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from
ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in
custom proposals.
- Added support for RSASSA-PSS signatures. For backwards compatibility they are
not used automatically by default, enable charon.rsa_pss to change that. To
explicitly use or require such signatures with IKEv2 signature authentication
(RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss...
authentication constraints.
- The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the
`--rsa-padding pss` option.
- The sec-updater tool checks for security updates in dpkg-based repositories
(e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database
accordingly. Additionally for each new package version a SWID tag for the
given OS and HW architecture is created and stored in the database.
Using the sec-updater.sh script template the lookup can be automated
(e.g. via an hourly cron job).
- The introduction of file versions in the IMV database scheme broke file
reference hash measurements. This has been fixed by creating generic product
versions having an empty package name.
- A new timeout option for the systime-fix plugin stops periodic system time
checks after a while and enforces a certificate verification, closing or
reauthenticating all SAs with invalid certificates.
- The IKE event counters, previously only available via ipsec listcounters, may
now be queried/reset via vici and the new swanctl --counters command. They are
provided by the new optional counters plugin.
- Class attributes received in RADIUS Access-Accept messages may optionally be
added to RADIUS accounting messages.
- Inbound marks may optionally be installed on the SA again (was removed with
5.5.2) by enabling the mark_in_sa option in swanctl.conf.
strongswan-5.6.0
----------------
- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient
input validation when verifying RSA signatures, which requires decryption
with the operation m^e mod n, where m is the signature, and e and n are the
exponent and modulus of the public key. The value m is an integer between
0 and n-1, however, the gmp plugin did not verify this. So if m equals n the
calculation results in 0, in which case mpz_export() returns NULL. This
result wasn't handled properly causing a null-pointer dereference.
This vulnerability has been registered as CVE-2017-11185.
- New SWIMA IMC/IMV pair implements the "draft-ietf-sacm-nea-swima-patnc"
Internet Draft and has been demonstrated at the IETF 99 Prague Hackathon.
- The IMV database template has been adapted to achieve full compliance
with the ISO 19770-2:2015 SWID tag standard.
- The sw-collector tool extracts software events from apt history logs
and stores them in an SQLite database to be used by the SWIMA IMC.
The tool can also generate SWID tags both for installed and removed
package versions.
- The pt-tls-client can attach and use TPM 2.0 protected private keys
via the --keyid parameter.
- libtpmtss supports Intel's TSS2 Architecture Broker and Resource
Manager interface (tcti-tabrmd).
- The new eap-aka-3gpp plugin implements the 3GPP MILENAGE algorithms
in software. K (optionally concatenated with OPc) may be configured as
binary EAP secret.
- CHILD_SA rekeying was fixed in charon-tkm and was slightly changed: The
switch to the new outbound IPsec SA now happens via SPI on the outbound
policy on Linux, and in case of lost rekey collisions no outbound SA/policy
is temporarily installed for the redundant CHILD_SA.
- The new %unique-dir value for mark* settings allocates separate unique marks
for each CHILD_SA direction (in/out).
strongswan-5.5.3
----------------
- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient
input validation when verifying RSA signatures. More specifically,
mpz_powm_sec() has two requirements regarding the passed exponent and modulus
that the plugin did not enforce, if these are not met the calculation will
result in a floating point exception that crashes the whole process.
This vulnerability has been registered as CVE-2017-9022.
- Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1
parser didn't handle ASN.1 CHOICE types properly, which could result in an
infinite loop when parsing X.509 extensions that use such types.
This vulnerability has been registered as CVE-2017-9023.
- The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
traffic loss. The responder now only installs the new inbound SA and delays
installing the outbound SA until it receives the DELETE for the replaced
CHILD_SA. Similarly, the inbound SA of the replaced CHILD_SA is not removed
for a configurable amount of seconds (charon.delete_rekeyed_delay) after the
DELETE has been processed to reduce the chance of dropping delayed packets.
- The code base has been ported to Apple's ARM64 iOS platform, whose calling
conventions for variadic and regular functions are different. This means
assigning non-variadic functions to variadic function pointers does not work.
To avoid this issue the enumerator_t interface has been changed and the
signatures of the callback functions for enumerator_create_filter(), and the
invoke_function() and find_first() methods on linked_list_t have been changed.
The return type of find_first() also changed from status_t to bool.
- Added support for fuzzing the certificate parser provided by the default
plugins (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure. Several
issues found while fuzzing these plugins were fixed.
- Two new options have been added to charon's retransmission settings:
retransmit_limit and retransmit_jitter. The former adds an upper limit to the
calculated retransmission timeout, the latter randomly reduces it.
- A bug in swanctl's --load-creds command was fixed that caused unencrypted
private keys to get unloaded if the command was called multiple times. The
load-key VICI command now returns the key ID of the loaded key on success.
- The credential manager now enumerates local credential sets before global
ones. This means certificates supplied by the peer will now be preferred over
certificates with the same identity that may be locally stored (e.g. in the
certificate cache).
- Added support for hardware offload of IPsec SAs as introduced by Linux 4.11
for hardware that supports this.
- When building the libraries monolithically and statically the plugin
constructors are now hard-coded in each library so the plugin code is not
removed by the linker because it thinks none of their symbols are ever
referenced.
- The pki tool loads the curve25519 plugin by default.
strongswan-5.5.2
----------------
- Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined
by RFC 8031.
- Support of Ed25519 digital signature algorithm for IKEv2 as defined by
draft-ietf-ipsecme-eddsa. Ed25519-based public key pairs, X.509 certificates
and CRLs can be generated and printed by the pki tool.
- The new "tpm" libtpmtss plugin allows to use persistent private RSA and ECDSA
keys bound to a TPM 2.0 for both IKE and TLS authentication. Using the
TPM 2.0 object handle as keyid parameter, the pki --pub tool can extract
the public key from the TPM thereby replacing the aikpub2 tool. In a similar
fashion pki --req can generate a PKCS#10 certificate request signed with
the TPM private key.
- The pki tool gained support for generating certificates with the RFC 3779
addrblock extension. The charon addrblock plugin now dynamically narrows
traffic selectors based on the certificate addrblocks instead of rejecting
non-matching selectors completely. This allows generic connections, where
the allowed selectors are defined by the used certificates only.
- In-place update of cached base and delta CRLs does not leave dozens
of stale copies in cache memory.
- Several new features for the VICI interface and the swanctl utility: Querying
specific pools, enumerating and unloading keys and shared secrets, loading
keys and certificates from PKCS#11 tokens, the ability to initiate, install
and uninstall connections and policies by their exact name (if multiple child
sections in different connections share the same name), a command to initiate
the rekeying of IKE and IPsec SAs, support for settings previously only
supported by the old config files (plain pubkeys, dscp, certificate policies,
IPv6 Transport Proxy Mode, NT Hash secrets, mediation extension).
Important: Due to issues with VICI bindings that map sub-sections to
dictionaries the CHILD_SA sections returned via list-sas now have a unique
name, the original name of a CHILD_SA is returned in the "name" key of its
section.
strongswan-5.5.1
----------------
- The newhope plugin implements the post-quantum NewHope key exchange algorithm
proposed in their 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
Peter Schwabe.
- The libstrongswan crypto factory now offers the registration of Extended
Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
implemented by the sha3 plugin, ChaCHa20 implemented by the chapoly plugin
and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
- The pki tool, with help of the pkcs1 or openssl plugins, can parse private
keys in any of the supported formats without having to know the exact type.
So instead of having to specify rsa or ecdsa explicitly the keyword priv may
be used to indicate a private key of any type. Similarly, swanctl can load
any type of private key from the swanctl/private directory.
- The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
sha3 and gmp plugins.
- The VICI flush-certs command flushes certificates from the volatile
certificate cache. Optionally the type of the certificates to be
flushed (e.g. type = x509_crl) can be specified.
- Setting cache_crls = yes in strongswan.conf the vici plugin saves regular,
base and delta CRLs to disk.
- IKE fragmentation is now enabled by default with the default fragment size
set to 1280 bytes for both IP address families.
- libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
tss2_tcti_finalize().
strongswan-5.5.0
----------------
- The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0
Trusted Platform Modules. This allows the Attestation IMC/IMV pair to
do TPM 2.0 based attestation.
- The behavior during IKEv2 exchange collisions has been improved/fixed in
several corner cases and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND
notifies, as defined by RFC 7296, has been added.
- IPsec policy priorities can be set manually (e.g. for high-priority drop
policies) and outbound policies may be restricted to a network interface.
- The scheme for the automatically calculated default priorities has been
changed and now also considers port masks, which were added with 5.4.0.
- FWD policies are now installed in both directions in regards to the traffic
selectors. Because such "outbound" FWD policies could conflict with "inbound"
FWD policies of other SAs they are installed with a lower priority and don't
have a reqid set, which allows kernel plugins to distinguish between the two
and prefer those with a reqid.
- For outbound IPsec SAs no replay window is configured anymore.
- Enhanced the functionality of the swanctl --list-conns command by listing
IKE_SA and CHILD_SA reauthentication and rekeying settings, and EAP/XAuth
identities and EAP types.
- DNS servers installed by the resolve plugin are now refcounted, which should
fix its use with make-before-break reauthentication. Any output written to
stderr/stdout by resolvconf is now logged.
- The methods in the kernel interfaces have been changed to take structs instead
of long lists of arguments. Similarly the constructors for peer_cfg_t and
child_cfg_t now take structs.
strongswan-5.4.0
----------------
- Support for IKEv2 redirection (RFC 5685) has been added. Plugins may
implement the redirect_provider_t interface to decide if and when to redirect
connecting clients. It is also possible to redirect established IKE_SAs based
on different selectors via VICI/swanctl. Unless disabled in strongswan.conf
the charon daemon will follow redirect requests received from servers.
- The ike: prefix enables the explicit configuration of signature scheme
constraints against IKEv2 authentication in rightauth, which allows the use
of different signature schemes for trustchain verification and authentication.
- The initiator of an IKEv2 make-before-break reauthentication now suspends
online certificate revocation checks (OCSP, CRLs) until the new IKE_SA and all
CHILD_SAs are established. This is required if the checks are done over the
CHILD_SA established with the new IKE_SA. This is not possible until the
initiator installs this SA and that only happens after the authentication is
completed successfully. So we suspend the checks during the reauthentication
and do them afterwards, if they fail the IKE_SA is closed. This change has no
effect on the behavior during the authentication of the initial IKE_SA.
- For the vici plugin a Vici:Session Perl CPAN module has been added to allow
Perl applications to control and/or monitor the IKE daemon using the VICI
interface, similar to the existing Python egg or Ruby gem.
- Traffic selectors with port ranges can now be configured in the Linux kernel:
e.g. remote_ts = 10.1.0.0/16[tcp/20-23] local_ts = dynamic[tcp/32768-65535].
The port range must map to a port mask, though since the kernel does not
support arbitrary ranges.
- The vici plugin allows the configuration of IPv4 and IPv6 address ranges
in local and remote traffic selectors. Since both the Linux kernel and
iptables cannot handle arbitrary ranges, address ranges are mapped to the next
larger CIDR subnet by the kernel-netlink and updown plugins, respectively.
- Implemented IKEv1 IPv4/IPv6 address subnet and range identities that can be
used as owners of shared secrets.
strongswan-5.3.5
----------------
- Properly handle potential EINTR errors in sigwaitinfo(2) calls that replaced
sigwait(3) calls with 5.3.4.
- RADIUS retransmission timeouts are now configurable, courtesy of Thom Troy.
strongswan-5.3.4
----------------
- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
was caused by insufficient verification of the internal state when handling
MSCHAPv2 Success messages received by the client.
This vulnerability has been registered as CVE-2015-8023.
- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
Within the strongSwan framework SHA3 is currently used for BLISS signatures
only because the OIDs for other signature algorithms haven't been defined
yet. Also the use of SHA3 for IKEv2 has not been standardized yet.