Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF. This vulnerability has been registered as CVE-2018-10811. Please refer to our blog for details.
Fixed a vulnerability in the stroke plugin, which did not check the received length before reading a message from the socket. Unless a group is configured, root privileges are required to access that socket, so in the default configuration this shouldn't be an issue. This vulnerability has been registered as CVE-2018-5388. Please refer to our blog for details.
CRLs that are not yet valid are now ignored to avoid problems in scenarios where expired certificates are removed from new CRLs and the clock on the host doing the revocation check is trailing behind that of the host issuing CRLs. Not doing this could result in accepting a revoked and expired certificate, if it's still valid according to the trailing clock but not contained anymore in not yet valid CRLs.
The issuer of fetched CRLs is now compared to the issuer of the checked certificate (#2608).
CRL validation results other than revocation (e.g. a skipped check because the CRL couldn't be fetched) are now stored also for intermediate CA certificates and not only for end-entity certificates, so a strict CRL policy can be enforced in such cases.
In compliance with RFC 4945, section 22.214.171.124, certificates used for IKE must now either not contain a keyUsage extension (like the ones generated by pki), or have at least one of the digitalSignature or nonRepudiation bits set.
New options for vici/swanctl allow forcing the local termination of an IKE_SA. This might be useful in situations where it's known the other end is not reachable anymore, or that it already removed the IKE_SA, so retransmitting a DELETE and waiting for a response would be pointless. Waiting only a certain amount of time for a response (i.e. shorter than all retransmits would be) before destroying the IKE_SA is also possible by additionally specifying a timeout in the forced termination request.
When removing routes, the kernel-netlink plugin now checks if it tracks other routes for the same destination and replaces the installed route instead of just removing it. Same during installation, where existing routes previously weren't replaced. This should allow using traps with virtual IPs on Linux (#2162).
The dhcp plugin now only sends the client identifier DHCP option if the identity_lease setting is enabled (7b660944b6). It can also send identities of up to 255 bytes length, instead of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP requests are now sent from port 67 instead of 68 to avoid ICMP port unreachables (becf027cd9).
The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one containing a DH group that wasn't proposed) during CREATE_CHILD_SA exchanges has been improved (#2536).
Roam events are now completely ignored for IKEv1 SAs (there is no MOBIKE to handle such changes properly).
ChaCha20/Poly1305 is now correctly proposed without key length (#2614). For compatibility with older releases the chacha20poly1305compat keyword may be included in proposals to also propose the algorithm with a key length (c58434aeff).
Configuration of hardware offload of IPsec SAs is now more flexible and allows a new setting (auto), which automatically uses it if the kernel and device both support it. If hw_offload is set to yes and offloading is not supported, the CHILD_SA installation now fails.
The kernel-pfkey plugin optionally installs routes via internal interface (one with an IP in the local traffic selector). On FreeBSD, enabling this selects the correct source IP when sending packets from the gateway itself (e811659323).
SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1 (#2574).
The pki --verify tool may load CA certificates and CRLs from directories.
The IKE daemon now also switches to port 4500 if the remote port is not 500 (e.g. because the remote maps the response to a different port, as might happen on Azure), as long as the local port is 500 (85bfab621d).
Fixed an issue with DNS servers passed to NetworkManager in charon-nm (ee8c25516a).
Logged traffic selectors now always contain the protocol if either protocol or port are set (a36d8097ed).
Only the inbound SA/policy will be updated as reaction to IP address changes for rekeyed CHILD_SAs that are kept around.
The parser for strongswan.conf/swanctl.conf now accepts = characters in values without having to put the value in quotes (e.g. for Base64 encoded shared secrets).
Notes for developers:
trap_manager_t: Trap policies are now unistalled by peer/child name and not the reqid. No reqid is returned anymore when installing trap policies.
child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that have been deleted but not yet destroyed (after a rekeying CHILD_SAs are kept around for a while to process delayed packets). This way child_updown events are not triggered anymore for such SAs when an IKE_SA that has such CHILD_SAs assigned is deleted.