Version 5.6.3

  • Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is used in FIPS
    mode and HMAC-MD5 is negotiated as PRF.
    This vulnerability has been registered as CVE-2018-10811.
    Please refer to our blog for details.
  • Fixed a vulnerability in the stroke plugin, which did not check the received length before
    reading a message from the socket. Unless a group is configured, root privileges are
    required to access that socket, so in the default configuration this shouldn't be an issue.
    This vulnerability has been registered as CVE-2018-5388.
    Please refer to our blog for details.
  • CRLs that are not yet valid are now ignored to avoid problems in scenarios where expired
    certificates are removed from new CRLs and the clock on the host doing the revocation
    check is trailing behind that of the host issuing CRLs. Without this, a revoked certificate
    that has since expired could be accepted: according to the trailing clock it is still within
    its validity period, but the (not yet valid) new CRL no longer lists it.
  • The issuer of fetched CRLs is now compared to the issuer of the checked certificate (#2608).
  • CRL validation results other than revocation (e.g. a skipped check because the CRL couldn't
    be fetched) are now stored also for intermediate CA certificates and not only for end-entity
    certificates, so a strict CRL policy can be enforced in such cases.
  • In compliance with RFC 4945, section, certificates used for IKE must now either
    not contain a keyUsage extension (like the ones generated by pki), or have at least one of the
    digitalSignature or nonRepudiation bits set.
  • New options for vici/swanctl allow forcing the local termination of an IKE_SA. This might be
    useful in situations where it's known the other end is not reachable anymore, or that it already
    removed the IKE_SA, so retransmitting a DELETE and waiting for a response would be pointless.
    Waiting only a certain amount of time for a response (i.e. shorter than all retransmits would be)
    before destroying the IKE_SA is also possible by additionally specifying a timeout in the forced
    termination request.
  • When removing routes, the kernel-netlink plugin now checks if it tracks other routes for the same
    destination and replaces the installed route instead of just removing it. Same during installation,
    where existing routes previously weren't replaced. This should allow using traps with virtual IPs
    on Linux (#2162).
  • The dhcp plugin now only sends the client identifier DHCP option if the identity_lease setting is
    enabled (7b660944b6). It can also send identities of up to 255 bytes length, instead of the
    previous 64 bytes (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP requests
    are now sent from port 67 instead of 68 to avoid ICMP port unreachables (becf027cd9).
  • The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one containing a DH group that wasn't
    proposed) during CREATE_CHILD_SA exchanges has been improved (#2536).
  • Roam events are now completely ignored for IKEv1 SAs (there is no MOBIKE to handle such
    changes properly).
  • ChaCha20/Poly1305 is now correctly proposed without key length (#2614). For compatibility with
    older releases the chacha20poly1305compat keyword may be included in proposals to also propose
    the algorithm with a key length (c58434aeff).
  • Configuration of hardware offload of IPsec SAs is now more flexible and allows a new setting (auto),
    which automatically uses it if the kernel and device both support it. If hw_offload is set to yes and
    offloading is not supported, the CHILD_SA installation now fails.
  • The kernel-pfkey plugin optionally installs routes via internal interface (one with an IP in the local
    traffic selector). On FreeBSD, enabling this selects the correct source IP when sending packets
    from the gateway itself (e811659323).
  • SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1 (#2574).
  • The pki --verify tool may load CA certificates and CRLs from directories.
  • The IKE daemon now also switches to port 4500 if the remote port is not 500 (e.g. because the
    remote maps the response to a different port, as might happen on Azure), as long as the local port
    is 500 (85bfab621d).
  • Fixed an issue with DNS servers passed to NetworkManager in charon-nm (ee8c25516a).
  • Logged traffic selectors now always contain the protocol if either protocol or port are set (a36d8097ed).
  • Only the inbound SA/policy will be updated as reaction to IP address changes for rekeyed CHILD_SAs
    that are kept around.
  • The parser for strongswan.conf/swanctl.conf now accepts = characters in values without having to
    put the value in quotes (e.g. for Base64 encoded shared secrets).
  • Notes for developers:
    • trap_manager_t: Trap policies are now uninstalled by peer/child name and not by reqid.
      No reqid is returned anymore when installing trap policies.
    • child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that have been deleted but not yet
      destroyed (after a rekeying CHILD_SAs are kept around for a while to process delayed packets).
      This way child_updown events are not triggered anymore for such SAs when an IKE_SA that has such
      CHILD_SAs assigned is deleted.
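
The CRL handling described in the three CRL-related items above (ignoring not yet valid CRLs,
comparing the issuer of a fetched CRL to the issuer of the checked certificate, and carrying a
"skipped" result for intermediate CA certificates into a strict CRL policy) modelled as an added
example. This is not strongSwan's own code: certificates, CRLs and the two-hour clock offset are
constructed, and signature verification, CRL staleness and the actual fetching are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    EXPIRED = "expired"
    SKIPPED = "skipped"   # no usable CRL: revocation status unknown


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset = frozenset()   # serial numbers listed as revoked


def crl_usable(crl, cert, now, ignore_not_yet_valid=True, check_issuer=True):
    """Decide whether a CRL may be consulted for cert, judged by the checking host's clock."""
    if check_issuer and crl.issuer != cert.issuer:
        return False      # a CRL from another issuer says nothing about this certificate
    if ignore_not_yet_valid and crl.this_update > now:
        return False      # issued "in the future" relative to our (trailing) clock
    return True


def check_cert(cert, crls, now, **opts):
    """Revocation status of one certificate: newest usable CRL by thisUpdate decides."""
    if cert.not_after < now:
        return Status.EXPIRED
    usable = [c for c in crls if crl_usable(c, cert, now, **opts)]
    if not usable:
        return Status.SKIPPED
    newest = max(usable, key=lambda c: c.this_update)
    return Status.REVOKED if cert.serial in newest.revoked else Status.GOOD


def check_chain(chain, crls, now, strict=False, **opts):
    """chain: end-entity first, then intermediates (the self-signed root is not checked).
    Returns (accepted, per-certificate statuses). With strict=True an unknown status is a
    failure for intermediate CAs as well, not only for the end-entity certificate."""
    statuses = [check_cert(c, crls, now, **opts) for c in chain]
    if any(s in (Status.REVOKED, Status.EXPIRED) for s in statuses):
        return False, statuses
    if strict and Status.SKIPPED in statuses:
        return False, statuses
    return True, statuses


# Constructed scenario: the CA's clock runs two hours ahead of the host doing the check.
UTC = timezone.utc
NOW = datetime(2018, 5, 1, 12, 0, tzinfo=UTC)        # checking host's clock
LATER = NOW + timedelta(hours=2)
ISSUER_NOW = NOW + timedelta(hours=2)                # CA's clock

EE = Cert("gw.example.org", "Example CA", 42, not_after=NOW + timedelta(hours=1))
EE2 = Cert("vpn.example.org", "Example CA", 43, not_after=NOW + timedelta(days=30))
SUB = Cert("Example CA", "Example Root", 7, not_after=NOW + timedelta(days=365))

# Old CRL still lists serial 42; the CA's new CRL has pruned it because, by the CA's clock,
# the certificate is already expired. A third CRL belongs to an unrelated issuer.
OLD_CRL = CRL("Example CA", NOW - timedelta(hours=2), NOW + timedelta(hours=4), frozenset({42}))
NEW_CRL = CRL("Example CA", ISSUER_NOW, ISSUER_NOW + timedelta(hours=6))
OTHER_CRL = CRL("Other CA", NOW - timedelta(minutes=30), NOW + timedelta(hours=6))
CRLS = [OLD_CRL, NEW_CRL, OTHER_CRL]

if __name__ == "__main__":
    print("5.6.3 behaviour:          ", check_cert(EE, CRLS, NOW))
    print("not-yet-valid CRL used:   ", check_cert(EE, CRLS, NOW, ignore_not_yet_valid=False))
    print("issuer not compared:      ", check_cert(EE, CRLS, NOW, check_issuer=False))
    print("strict, no CRL for sub CA:", check_chain([EE2, SUB], CRLS, NOW, strict=True))
```

The first call shows the fixed behaviour (REVOKED, via the old CRL); the second shows the problem
the change addresses (GOOD, because the newest CRL is trusted although its thisUpdate is still
in the future for this host); the third shows why #2608 matters (an unrelated issuer's CRL would
otherwise win on recency); the last shows the strict policy rejecting the chain because no CRL
for the intermediate CA could be consulted.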
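
The forced termination described above, as an added example that is not part of the strongSwan
sources: it builds a vici "terminate" request carrying the new force and timeout options and
sends it over the control socket. The encoder follows the vici packet format (length header,
packet type, command name, typed key/value elements); the socket path, the IKE_SA name and the
millisecond unit of timeout are assumptions for the example. The Python vici package's
Session().terminate({...}) can be used instead of the hand-rolled encoder.

```python
import socket
import struct

# vici wire format: 4-byte big-endian length, packet type, optional name, message elements.
CMD_REQUEST = 0
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6
VICI_SOCKET = "/var/run/charon.vici"     # assumed default socket path


def encode_message(msg):
    """Serialise a nested dict (str / list / dict values) into vici message elements."""
    out = bytearray()
    for key, value in msg.items():
        name = key.encode()
        if isinstance(value, dict):
            out += bytes([SECTION_START, len(name)]) + name
            out += encode_message(value)
            out += bytes([SECTION_END])
        elif isinstance(value, (list, tuple)):
            out += bytes([LIST_START, len(name)]) + name
            for item in value:
                data = str(item).encode()
                out += bytes([LIST_ITEM]) + struct.pack("!H", len(data)) + data
            out += bytes([LIST_END])
        else:
            data = str(value).encode()
            out += bytes([KEY_VALUE, len(name)]) + name + struct.pack("!H", len(data)) + data
    return bytes(out)


def encode_request(command, msg):
    """Wrap a message as a CMD_REQUEST packet with the length header the socket expects."""
    name = command.encode()
    body = bytes([CMD_REQUEST, len(name)]) + name + encode_message(msg)
    return struct.pack("!I", len(body)) + body


def terminate_request(ike, force=False, timeout_ms=None):
    """Build a terminate request for the named IKE_SA.
    force=yes: destroy the SA locally without retransmitting the DELETE until all
    retransmits are exhausted; timeout (assumed to be in ms) bounds how long a response
    is awaited before the SA is destroyed anyway."""
    msg = {"ike": ike}
    if force:
        msg["force"] = "yes"
    if timeout_ms is not None:
        msg["timeout"] = str(timeout_ms)
    return encode_request("terminate", msg)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("vici socket closed")
        buf += chunk
    return buf


def send_request(packet, path=VICI_SOCKET):
    """Send one request to charon and return the raw reply packet (left undecoded here)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(packet)
        (length,) = struct.unpack("!I", recv_exact(s, 4))
        return recv_exact(s, length)


if __name__ == "__main__":
    # Assumed IKE_SA name; wait at most three seconds for the DELETE response, then drop it.
    print(send_request(terminate_request("gw-to-branch", force=True, timeout_ms=3000)))
```

Without timeout and with force set the SA is dropped right away, which is the case for a peer
that is known to be gone; the timeout variant is the middle ground for a peer that might still
answer but should not hold the SA for the full retransmission schedule.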
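
A swanctl.conf fragment, added here as an illustration with constructed names and addresses
(not taken from the strongSwan documentation), that exercises three of the items above: the
chacha20poly1305 and chacha20poly1305compat proposal keywords, hw_offload = auto, and an
unquoted Base64 shared secret whose trailing "=" padding the parser now accepts.

```conf
connections {
    gw-to-branch {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        proposals = aes256-sha256-x25519
        children {
            net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # First proposal: ChaCha20/Poly1305 without a key length (5.6.3 behaviour).
                # Second proposal: the same algorithm with a key length, for peers running
                # older releases that expect it.
                esp_proposals = chacha20poly1305-x25519,chacha20poly1305compat-x25519
                # Offload the SA to the NIC only if both kernel and device support it;
                # with "yes" the CHILD_SA installation would fail on unsupported hardware.
                hw_offload = auto
            }
        }
    }
}

secrets {
    ike-branch {
        id = branch.example.org
        # Base64 (0s prefix) shared secret; since 5.6.3 the "=" padding needs no quotes.
        secret = 0sc3Ryb25nU3dhbjU2Mw==
    }
}
```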