strongSwan

h1. Version 5.5.3

* Fixed a DoS vulnerability in the _gmp_ plugin that was caused by insufficient input

  validation when verifying RSA signatures.  More specifically, @mpz_powm_sec()@ has two

  requirements regarding the passed exponent and modulus that the plugin did not

  enforce, if these are not met the calculation will result in a floating point exception

  that crashes the whole process.

  This vulnerability has been registered as "CVE-2017-9022":https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9022.

  Please refer to "our blog":https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9022).html for details.

* Fixed a DoS vulnerability in the _x509_ plugin that was caused because the ASN.1 parser

  didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when

  parsing X.509 extensions that use such types.

  This vulnerability has been registered as "CVE-2017-9023":https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9023.

  Please refer to "our blog":https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9023).html for details.

* The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid

  traffic loss. When responding to a @CREATE_CHILD_SA@ request to rekey a CHILD_SA

  the responder already has everything available to install and use the new CHILD_SA.

  However, this could lead to lost traffic as the initiator won't be able to process

  inbound packets until it processed the @CREATE_CHILD_SA@ response and updated the

  inbound SA.  To avoid this the responder now only installs the new inbound SA and

  delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.

  The messages transporting these DELETEs could reach the peer before packets sent

  with the deleted outbound SAs reach it.  To reduce  the chance of traffic loss due

  to this the inbound SA of the replaced CHILD_SA is not removed for a configurable

  amount of seconds (_charon.delete_rekeyed_delay_) after the DELETE has been processed.

* The code base has been ported to Apple's ARM64 iOS platform, which required several

  changes regarding the use of variadic functions.  This was necessary because the calling

  conventions for variadic and regular functions are "different there":https://developer.apple.com/library/content/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARM64FunctionCallingConventions.html.

  This means that assigning a non-variadic function to a variadic function pointer, as we

  did with our @enumerator_t::enumerate()@ implementations and several callbacks, will

  result in crashes as the called function accesses the arguments differently than the

  caller provided them.  To avoid this issue the @enumerator_t@ interface has been changed

  and the signature of the callback functions for @enumerator_create_filter()@ and two

  methods on @linked_list_t@ have been changed. Refer to the *developer notes* below

  for details.

* Adds support for [[fuzzing]] the certificate parser provided by the default plugins

  (x509, pem, gmp etc.) on Google's "OSS-Fuzz":https://github.com/google/oss-fuzz infrastructure (or generally with

  libFuzzer). Several issues found while fuzzing these plugins were fixed.

* Two new options have been added to charon's [[retransmission]] settings:

  _retransmit_limit_ and _retransmit_jitter_.  The former adds an upper limit to the

  calculated retransmission timeout, the latter randomly reduces it.

  Refer to [[Retransmission]] for details.

* A bug in [[swanctl]]'s @--load-creds@ command was fixed that caused unencrypted

  private keys to get unloaded if the command was called multiple times.

  The _load-key_ [[VICI]] command now returns the key ID of the loaded key on success.

* The credential manager now enumerates local credential sets before global ones.

  This means certificates supplied by the peer will now be preferred over certificates

  with the same identity that may be locally stored (e.g. in the certificate cache).

* Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for

  specific hardware that supports this.

* To announce support for IKE fragmentation but not actively fragment IKE messages

  the new _accept_ option for the _fragmentation_ setting may be used.

* If _charon.plugins.socket-default.set_sourceif_ is enabled the _socket-default_ plugin

  sets the outbound interface via IP_PKTINFO/IN6_PKTINFO.  This is usually not required

  but could be used in special scenarios, e.g. to use IPv6 link-local addresses as

  tunnel endpoints.

* Add support for @SADB_X_EXT_NEW_ADDRESS_SRC|DST@ extensions for PF_KEYv2's

  @SADB_UPDATE@ message, which upcoming FreeBSD kernels will support for updating

  IP addresses of existing SAs.

* The value of _charon.plugins.kernel-netlink.xfrm_acq_expires_ is now determined

  automatically based on the configured [[retransmission]] settings.

* If updating the inbound SA fails the _kernel-netlink_ plugin now tries to add it, which

  could be useful if the SPI already expired after lots of retransmits of several exchanges.

* _charon-nm_ and the [[NetworkManager]] plugin now support customizing the IKE and

  ESP proposals.

* With the _sha_256_96_ compatibility option it's possible to locally configure 96-bit truncation

  for HMAC_SHA256 (the correct truncation is 128 bit) when negotiated using the official

  algorithm identifier (12).  This is only useful for compatibility with peers that incorrectly

  use this shorter truncation as the actual truncation length is not negotiated.

* The removal of all online leases by the [[attrsql|attr-sql]] plugin at startup may now be disabled

  to share the database between multiple instances.

* The [[ipsecpki|pki]] tool loads the _curve25519_ plugin by default.

* When building the libraries monolithically and statically the plugin constructors are now

  hard-coded in each library so the plugin code is not removed by the linker because it

  thinks none of their symbols are ever referenced.  This allows building an almost stand-alone

  static version of e.g. charon when building with @--enable-monolithic --enable-static

  --disable-shared@ (without @--disable-shared@ libtool will build a version that still links

  the libraries dynamically, which might save some disk space if it's not necessary to link

  them statically, however, using @--enable-monolithic@ might be enough in that case).

  External libraries (e.g. gmp or openssl) are not linked statically this way, though.

* Notes for developers:

  * *child_sa_t*: The API used for installing policies and SAs has been changed (traffic

    selectors are now only set once, outbound SAs and policies may be installed/uninstalled

    separately).

  * *enumerator_t*: A new mandatory method, venumerate(), has been added that takes

    a @va_list@ with the arguments provided while enumerating.  @enumerate()@ is replaced

    with a generic implementation that prepares a @va_list@ and calls the enumerator's

    @venumerate()@ implementation.  As this allows passing the arguments of one enumerator

    to another it avoids the five pointer hack previously used by @enumerator_create_nested()@

    and @enumerator_create_cleaner()@. To simplify the implementation of @venumerate()@ a

    helper macro is provided that assigns values from a given @va_list@ to local variables.

  * *enumerator_create_filter()*: The signature of the callback has changed significantly.

    It's now required to enumerate over the original enumerator in the callback itself, as

    this avoids the previous in/out pointer hack. The arguments to the outer enumerator are

    provided in a @va_list@.

  * *linked_list_t*: To avoid the five pointer hack previously used the signatures of the

    callbacks for @linked_list_t@'s @invoke_function()@ and @find_first()@ methods have been

    changed to take a @va_list@ as second argument.  For the latter method the return type also

    changed from @status_t@ to @bool@, which is important as @SUCCESS@ is defined as 0, so checks

    for @== SUCCESS@ will now fail.