strongSwan

h1. Version 5.6.2

* Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient

  input validation.  One of the configurable parameters in algorithm identifier structures for RSASSA-PSS

  signatures is the mask generation function (MGF).  Only MGF1 is currently specified for this purpose.

  However, this in turn takes itself a parameter that specifies the underlying hash function.  strongSwan's

  parser did not correctly handle the case of this parameter being absent, causing an undefined data read.

  This vulnerability has been registered as "CVE-2018-6459":https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6459.

  Please refer to "our blog":https://www.strongswan.org/blog/2018/02/19/strongswan-vulnerability-(cve-2018-6459).html for details.

* When rekeying IKEv2 IKE_SAs the previously negotiated DH group will be reused, instead of using

  the first configured group, which avoids an additional exchange if the peer previously selected a

  different DH group via @INVALID_KE_PAYLOAD@ notify.  The same is also done when rekeying CHILD_SAs

  except for the first rekeying of the CHILD_SA that was created with the IKE_SA, where no DH group

  was negotiated yet.

  Also, the selected DH group is moved to the front in all sent proposals that contain it and all proposals

  that don't are moved to the back in order to convey the preference for this group to the peer.

* Handling of MOBIKE task queuing has been improved. In particular, the response to an address update

  (with NAT-D payloads) is not ignored anymore if only an address list update or DPD is queued as that

  could prevent updating the UDP encapsulation in the kernel.

* On Linux, roam events may optionally be triggered by changes to the routing rules, which can be

  useful if routing rules (instead of e.g. route metrics) are used to switch from one to another

  interface (i.e. from one to another routing table). Since routing rules are currently not evaluated

  when doing route lookups this is only useful if the kernel-based route lookup is used (commit:4664992f7d).

* The fallback drop policies installed to avoid traffic leaks when replacing addresses in installed policies

  are now replaced by temporary drop policies, which also prevent acquires because we currently delete and

  reinstall IPsec SAs to update their addresses (commit:35ef1b032d).

* Access X.509 certificates held in non-volatile storage of a [[TpmPlugin|TPM 2.0]] referenced via the NV index.

* Adding the @--keyid@ parameter to [[IpsecPkiPrint|pki --print]] allows to print private keys or certificates stored in a

  smartcard or a TPM 2.0.

* Fixed proposal selection if a peer incorrectly sends DH groups in the ESP proposal during IKE_AUTH and

  also if a DH group is configured in the local ESP proposal and _charon.prefer_configured_proposals_ is

  disabled (commit:d058fd3c32).

* The lookup for PSK secrets for IKEv1 has been improved for certain scenarios (see #2497 for details).

* MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility issues with EAP-MSCHAPv2

  and PRFs that have a block size < 64 bytes (e.g. AES-XCBC-PRF-128, see commit:73cbce6013).

* The @tpm_extendpcr@ command line tool extends a digest into a TPM PCR.

* Ported the [[NetworkManager]] backend from the deprecated _libnm-glib_ to _libnm_.

* The _save-keys_ debugging/development plugin saves IKE and/or ESP keys to files compatible with Wireshark.