Project

General

Profile

Version 5.3.4

  • Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
    was caused by insufficient verification of the internal state when handling
    EAP-MSCHAPv2 Success messages received by the client.
    This vulnerability has been registered as CVE-2015-8023.
    Please refer to our blog for details.
  • The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
    Within the strongSwan framework SHA3 is currently used for BLISS signatures
    only because the OIDs for other signature algorithms haven't been defined
    yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
  • The EAP-MSCHAPv2 username now replaces the identity of any previous EAP-Identity
    exchange (#1182).
  • A bug with setting the source IP for IKE packets was fixed that caused problems with
    newer compilers (#1171).
  • Some VICI commands received updates: NAT information and virtual IPs are listed for
    IKE_SAs (04f22cdabc, bdb8b76515), IP address leases are optionally listed
    for pools defined via VICI (f4641f9e45).
  • Fetching CRLs in PEM format is now supported and using the curl plugin to fetch CRLs
    from file:// URIs has also been fixed (#1203).
  • CRLs added via VICI are now properly added to the credential set (e5e352e631).
  • IKEv2 NAT-D payloads are now created in a more static way, which ensures they stay the
    same when retrying to establish an IKE_SA (e.g. due to INVALID_KEY_PAYLOAD notifies, #1131).
  • Fixed compress=yes (IPComp) with IPv6 and leftfirewall=yes (382f8a334a).
  • The del_policy method of kernel_ipsec_t now receives the same information originally
    passed to add_policy (a6e0f14fd2).
  • The kernel-netlink plugin allows IPsec policies to replace shunt policies, which allows
    configuring matching type=drop policies along side auto=add connections.
  • To debug custom plugins they can now optionally be loaded with RTLD_NOW so missing
    symbols are revealed immediately (via charon.dlopen_use_rtld_now). The same applies
    for custom IMVs/IMCs.
  • The Android app has been updated to use the Gradle build system.