Version 5.5.2 » History » Version 2

Tobias Brunner, 24.03.2017 17:22
Changes for 5.5.2

h1. Version 5.5.2

* Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined by "RFC 8031":https://tools.ietf.org/html/rfc8031
  is provided by the new _curve25519_ plugin.

* Support of Ed25519 digital signature algorithm for IKEv2 as defined by "draft-ietf-ipsecme-eddsa":https://tools.ietf.org/html/draft-ietf-ipsecme-eddsa
  is provided by the new _curve25519_ plugin. Ed25519-based public key pairs, X.509 certificates and CRLs
  can be generated and printed by the [[IpsecPKI|pki]] tool.

* The new [[TpmPlugin|tpm libtpmtss plugin]] allows using persistent private RSA and ECDSA keys bound
  to a TPM 2.0 for both IKE and TLS authentication. Using the TPM 2.0 object handle as keyid
  parameter, the [[IpsecPkiPub|pki --pub]] tool can extract the public key from the TPM, thereby replacing the
  _aikpub2_ tool. In a similar fashion [[IpsecPkiReq|pki --req]] can generate a PKCS#10 certificate request signed
  with the TPM private key. Optionally, the _tpm_ plugin may be used as RNG.

* The [[IpsecPki|pki tool]] gained support for generating certificates with "RFC 3779":https://tools.ietf.org/html/rfc3779 addrblock extensions.
  The charon _addrblock_ plugin now dynamically narrows traffic selectors based on the certificate's
  addrblocks instead of rejecting non-matching selectors completely. This allows generic connections,
  where the allowed selectors are defined by the used certificates only.

* The optional _bypass-lan_ plugin automatically installs and updates passthrough/bypass
  policies for locally attached subnets. This is useful for mobile hosts that are used in different
  networks and need to access local devices in these networks (e.g. printers or NAS) while
  connected to a VPN.

* A command injection vulnerability in the [[IPsecCommand|ipsec script]] was fixed, which was exploitable if unprivileged
  users were allowed to run the script via @sudo@ (commit:2ec6372f5a).
  Thanks to Andrea Barisani for reporting this.

* Several new features for the [[VICI]] interface and the [[swanctl]] utility were added:

 * Enumerating and unloading private keys and shared secrets (@swanctl --load-creds@ now
   automatically unloads removed secrets)
 * Loading keys and certificates from PKCS#11 tokens or a TPM (refer to the documentation of
   _cert<suffix>_ and _token<suffix>_ sections in [[swanctl.conf]])
 * The ability to initiate, install and uninstall connections and policies by their exact
   name (if multiple child sections in different connections share the same name)
 * Querying a specific pool
 * A command to initiate the rekeying of IKE and IPsec SAs
 * Public keys may be configured directly in [[swanctl.conf]] via _0x/0s_ prefix (actually works for
   certificates too)
 * The overhead of the VICI logger has been reduced as it now only does something if listeners
   are registered
 * Support for [[swanctl.conf|settings]] previously only supported by the old config files: DSCP, certificate
   policies, IPv6 Transport Proxy Mode, NT hash secrets, mediation extension

* In-place update of cached base and delta CRLs does not leave dozens of stale copies in cache memory.

* Support for handling @IKEV2_MESSAGE_ID_SYNC@ notifies as responder (usually the original initiator
  of an IKE_SA) as defined in "RFC 6311":https://tools.ietf.org/html/rfc6311 was added. Some HA solutions use these notifies to set
  the new IKEv2 message IDs after a failover event (currently not our [[HighAvailability|HA]] solution, though).

* By default, the IKE daemon keeps SAs on the routing path with addresses it previously used if that
  path is still usable. Enabling _charon.prefer_best_path_ changes that and it will try more aggressively
  to update SAs with MOBIKE on routing changes using the cheapest path. This adds more noise, but
  allows dynamically adapting SAs to routing priority changes, for instance, if some paths actually
  generate more costs than others (commit:597e8c9e00).

* If MOBIKE is disabled and the local address is statically configured, the daemon will now ignore any
  roaming events that might otherwise cause it to attempt to recreate the IKE_SA (commit:be27e76869).

* Trap policies now use priorities from the same range as regular policies, which allows installing
  overlapping trap policies (#1243).

* When proposing transport mode, the IKE daemon now always applies the hosts to the traffic selectors.
  It previously only did so if _%dynamic_ was used as TS. However, that's not the case if wildcard trap
  policies are configured (no single remote address specified). Once traffic matched, the daemon proposed
  the configured remote TS as-is, which the responder then had to narrow down to its own local address.
  Some third-party implementations, however, reject such non-host TS for transport mode SAs (commit:da82786b2d).

* For AH the _kernel-netlink_ plugin now enables the correct 4 byte alignment (by default, the kernel
  uses an 8 byte alignment, which is mandatory for IPv6 but prohibited for IPv4, commit:965daa1df3).

* The _kernel-netlink_ plugin now considers labels when selecting IPv6 addresses (#2138) and sets the
  NODAD flag for virtual IPv6 addresses to avoid issues with failing DAD(Optimistic Duplicate Address Detection) (#2183).

* The receive buffer size used by the _kernel-netlink_ plugin is now configurable (commit:8a91729dfe).

* If route installation is disabled (_charon.install_routes_), the _kernel-netlink_ plugin now uses a more
  efficient route lookup to determine source and next-hop addresses (commit:558691b3b0).

* No mark is installed anymore on inbound IPsec SAs. So explicitly marking inbound traffic before
  decryption is not necessary anymore (commit:067fd2c69c).

* The range from which SPIs for IPsec SAs are allocated by the kernel is now configurable.

* PSKs for IKEv1 connections are now first looked up based on configured identities of connections
  that match the IPs, before falling back to searching for PSKs for the IPs (#2223).

* The daemon now responds to DPDs for rekeyed IKEv1 SAs (#2090).

* [[charon-systemd]] now reloads [[strongswan.conf]], the loggers and the plugins (that support it)
  when it receives a SIGHUP. The same may be achieved via VICI's _reload-settings_ command, which
  previously did not reload the loggers.

* The [[forecast]] plugin used the incorrect port in UDP NAT-T rules (commit:094a4d15cf).

* Validation via OCSP and CRLs can be disabled individually in the _revocation_ plugin.

* RFC 5114 DH groups were removed from the default proposal (commit:649537ee8d); they may be used if
  configured explicitly.

* A memory leak was fixed when CHILD_SA configs were updated via VICI (commit:da1d5cd2e6).

* The plugin loader now correctly hashes registered plugin features (commit:ac4942c3c3).

* Notes for developers:

 * Due to issues with [[VICI]] bindings that map sub-sections to dictionaries (e.g. Python)
   the CHILD_SA sections returned via _list-sas_ now have a unique name, the original name
   of a CHILD_SA is returned in the _name_ key of its section.
 * To simplify loading certificates via [[VICI]] when running on the same host as the daemon,
   absolute paths to certificates (instead of their binary encoding) may be passed via
   _cert<suffix>_ sections.
 * The @load-testconfig@ script now loads the configs from the source directory and pre-processes
   them properly (previously it was required to run do-tests once for that scenario).
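
The first developer note above (unique CHILD_SA section names in _list-sas_), as an added Python example that is not strongSwan code. It works on a constructed response; the section keys such as "net-1", the connection names and the states are sample values chosen for illustration, and the key format is an assumption.

```python
from collections import defaultdict

# Constructed sample shaped like list-sas results: one dict per IKE_SA with
# its CHILD_SA sections under "child-sas". Section keys such as "net-1" are
# assumed for illustration; only their uniqueness matters. While a rekeying
# is in progress, two CHILD_SAs created from the same config ("net") coexist.
SAMPLE_SAS = [
    {"gw-a": {"state": "ESTABLISHED", "child-sas": {
        "net-1": {"name": "net", "state": "REKEYING"},
        "net-2": {"name": "net", "state": "INSTALLED"},
    }}},
    {"gw-b": {"state": "ESTABLISHED", "child-sas": {
        "net-3": {"name": b"net", "state": "INSTALLED"},  # value as bytes
    }}},
]


def _text(value):
    """Some bindings hand values back as bytes; normalise them to str."""
    return value.decode() if isinstance(value, bytes) else value


def children_by_config_name(sas):
    """Map (IKE_SA name, CHILD_SA config name) -> list of unique section keys."""
    grouped = defaultdict(list)
    for ike_sa in sas:
        for ike_name, ike in ike_sa.items():
            for section, child in ike.get("child-sas", {}).items():
                grouped[(ike_name, _text(child["name"]))].append(section)
    return dict(grouped)


def keyed_by_config_name(child_sas):
    """What a dictionary keyed by the original name retains: a later CHILD_SA
    silently replaces an earlier one that has the same name."""
    return {_text(c["name"]): section for section, c in child_sas.items()}


if __name__ == "__main__":
    for key, sections in children_by_config_name(SAMPLE_SAS).items():
        print(key, sections)
    print(keyed_by_config_name(SAMPLE_SAS[0]["gw-a"]["child-sas"]))
```

Monitoring code that counts or audits SAs per configuration should group on the _name_ key as shown, not on the section key.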
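
The change to the _addrblock_ plugin listed above (narrowing instead of rejecting), as an added Python model that is not the plugin's code. It assumes selectors and address blocks are plain CIDR prefixes (real traffic selectors also carry ranges, protocols and ports), and all addresses are constructed sample values.

```python
import ipaddress


def narrow(ts, addrblocks):
    """Return the parts of traffic selector `ts` covered by `addrblocks`.

    CIDR prefixes either nest or are disjoint, so the overlap of a selector
    and a block is the smaller of the two whenever one contains the other.
    """
    ts_net = ipaddress.ip_network(ts)
    overlap = []
    for block in map(ipaddress.ip_network, addrblocks):
        if block.version != ts_net.version:
            continue                    # never compare IPv4 with IPv6
        if ts_net.subnet_of(block):
            overlap.append(ts_net)      # selector already inside the block
        elif block.subnet_of(ts_net):
            overlap.append(block)       # selector too wide: cut down to block
    return [str(n) for n in ipaddress.collapse_addresses(overlap)]


def reject_unmatched(ts, addrblocks):
    """Strict model: keep a selector only if the blocks cover it entirely."""
    covered = narrow(ts, addrblocks) == [str(ipaddress.ip_network(ts))]
    return [ts] if covered else []


# Constructed sample data: addrblocks from a peer certificate and the
# selectors of a generic connection that allows "anything".
CERT_ADDRBLOCKS = ["10.1.0.0/16", "192.168.10.0/24", "2001:db8:1::/48"]
PROPOSED_TS = ["0.0.0.0/0", "10.1.2.0/24", "172.16.0.0/12", "::/0"]


def evaluate(ts_list, addrblocks):
    """Return {selector: (strict result, narrowed result)} for comparison."""
    return {ts: (reject_unmatched(ts, addrblocks), narrow(ts, addrblocks))
            for ts in ts_list}


if __name__ == "__main__":
    for ts, (strict, narrowed) in evaluate(PROPOSED_TS, CERT_ADDRBLOCKS).items():
        print(f"{ts:>15}  strict={strict}  narrowed={narrowed}")
```

With narrowing, the wildcard selectors shrink to exactly the certified blocks, which is what makes a generic connection bounded by the certificate alone.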