Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation when verifying RSA signatures. Verification requires decryption with the operation m^e mod n, where m is the signature, and e and n are the exponent and modulus of the public key. The value m is an integer between 0 and n-1; however, the gmp plugin did not verify this. If m equals n, the calculation results in 0, in which case mpz_export() returns NULL. This result wasn't handled properly, causing a null-pointer dereference. This vulnerability has been registered as CVE-2017-11185. Please refer to our blog for details.
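The range check described in the CVE-2017-11185 entry, as an added example that is not strongSwan's code: a toy 64-bit model of the verification primitive with both the m < n check and the NULL-export check in place. Here `export_be()` stands in for mpz_export(); the function names, return codes and the key n = 3233, e = 17 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* m^e mod n for a toy modulus n < 2^32, so products fit in 64 bits. */
static uint64_t modexp(uint64_t m, uint64_t e, uint64_t n)
{
    uint64_t r = 1 % n;
    for (m %= n; e; e >>= 1) {
        if (e & 1) r = r * m % n;
        m = m * m % n;
    }
    return r;
}

/* Models the mpz_export() behaviour described above: for the value 0
 * nothing is written, *len is 0 and NULL is returned. Caller frees. */
static uint8_t *export_be(uint64_t v, size_t *len)
{
    size_t n = 0;
    for (uint64_t t = v; t; t >>= 8) n++;
    *len = n;
    if (n == 0) return NULL;
    uint8_t *buf = malloc(n);
    if (!buf) { *len = 0; return NULL; }
    for (size_t i = 0; i < n; i++) buf[n - 1 - i] = (uint8_t)(v >> (8 * i));
    return buf;
}

enum { RSA_OK = 0, RSA_OUT_OF_RANGE = -1, RSA_EMPTY = -2 };
/* Hardened primitive: reject m outside [0, n-1] before exponentiating,
 * and never report success with a NULL buffer (m = 0 still yields 0). */
static int rsavp1(uint64_t m, uint64_t e, uint64_t n, uint8_t **out, size_t *len)
{
    *out = NULL; *len = 0;
    if (n == 0 || m >= n) return RSA_OUT_OF_RANGE;
    *out = export_be(modexp(m, e, n), len);
    return *out ? RSA_OK : RSA_EMPTY;
}

int main(void)
{
    uint8_t *out; size_t len;
    /* Constructed toy key: n = 3233, e = 17. m == n is the case from the entry. */
    printf("m=n  -> %d\n", rsavp1(3233, 17, 3233, &out, &len));
    printf("m=65 -> %d\n", rsavp1(65, 17, 3233, &out, &len));
    free(out);
    return 0;
}
```

The caller only touches the buffer when the return code is RSA_OK, so neither an out-of-range m nor a zero result can reach a dereference.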
The IMV database template has been adapted to achieve full compliance with the ISO 19770-2:2015 SWID tag standard.
The sw-collector tool extracts software events from apt history logs and stores them in an SQLite database to be used by the SWIMA IMC. The tool can also generate SWID tags both for installed and removed package versions.
The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
Adds the eap-aka-3gpp plugin, which implements the 3GPP MILENAGE algorithms in software. K (optionally concatenated with OPc) may be configured as a binary EAP secret in ipsec.secrets or swanctl.conf.
CHILD_SA rekeying was fixed in charon-tkm, and the behavior has been refined further since 5.5.3:
On Linux, the outbound policy now has the SPI of the corresponding SA set. The responder of a rekeying installs both IPsec SAs (in/out) immediately, but delays the update of the outbound policy until it has received the delete for the replaced CHILD_SA.
The previous code temporarily installed an outbound IPsec SA/policy that was deleted immediately afterwards when a rekey collision was lost, which caused a slight chance for traffic loss.
The remote address no longer has to be resolvable when installing trap policies (at least not if the remote traffic selector is not %dynamic, 1a8226429a).