strongSwan

h1. Version 5.6.3

* Fixed a vulnerability in the _stroke_ plugin, which did not check the received length before

  reading a message from the socket. Unless a [[ReducedPrivileges#Running-strongSwan-as-non-root|group]] is configured, root privileges are

  required to access that socket, so in the default configuration this shouldn't be an issue.

  The fix (commit:0acd1ab4d0) is also "available for older releases":https://download.strongswan.org/security/CVE-2018-5388/.

  This vulnerability has been registered as "CVE-2018-5388":https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-5388.

* CRLs that are not yet valid are now ignored to avoid problems in scenarios where expired

  certificates are removed from new CRLs and the clock on the host doing the revocation

  check is trailing behind that of the host issuing CRLs. Not doing this could result in accepting

  a revoked and expired certificate, if it's still valid according to the trailing clock but not

  contained anymore in not yet valid CRLs.

* The issuer of fetched CRLs is now compared to the issuer of the checked certificate (#2608).

* CRL validation results other than revocation (e.g. a skipped check because the CRL couldn't

  be fetched) are now stored also for intermediate CA certificates and not only for end-entity

  certificates, so a strict CRL policy can be enforced in such cases.

* In compliance with "RFC 4945, section 5.1.3.2":https://tools.ietf.org/html/rfc4945#section-5.1.3.2, certificates used for IKE must now either

  *not* contain a _keyUsage_ extension (like the ones generated by [[ipsecpki|pki]]), or have at least one of the

  _digitalSignature_ or _nonRepudiation_ bits set.

* New options for [[vici]]/[[swanctl]] allow forcing the local termination of an IKE_SA. This might be

  useful in situations where it's known the other end is not reachable anymore, or that it already

  removed the IKE_SA, so retransmitting a DELETE and waiting for a response would be pointless.

  Waiting only a certain amount of time for a response (i.e. shorter than all retransmits would be)

  before destroying the IKE_SA is also possible by additionally specifying a timeout in the forced

  termination request.

* When removing routes, the _kernel-netlink_ plugin now checks if it tracks other routes for the same

  destination and replaces the installed route instead of just removing it.  Same during installation,

  where existing routes previously weren't replaced.  This should allow using traps with virtual IPs

  on Linux (#2162).

* The [[dhcpplugin|dhcp plugin]] now only sends the client identifier DHCP option if the _identity_lease_ setting is

  enabled (commit:7b660944b6).  It can also send identities of up to 255 bytes length, instead of the

  previous 64 bytes (commit:30e886fe3b, commit:0e5b94d038). If a server address is configured, DHCP requests

  are now sent from port 67 instead of 68 to avoid ICMP port unreachables (commit:becf027cd9).

* The handling of faulty @INVALID_KE_PAYLOAD@ notifies (e.g. one containing a DH group that wasn't

  proposed) during @CREATE_CHILD_SA@ exchanges has been improved (#2536).

* Roam events are now completely ignored for IKEv1 SAs (there is no MOBIKE to handle such

  changes properly).

* ChaCha20/Poly1305 is now correctly proposed without key length (#2614). For compatibility with

  older releases the _chacha20poly1305compat_ keyword may be included in proposals to also propose

  the algorithm with a key length (commit:c58434aeff).

* Configuration of hardware offload of IPsec SAs is now more flexible and allows a new setting (_auto_),

  which automatically uses it if the kernel and device both support it. If _hw_offload_ is set to _yes_ and

  offloading is not supported, the CHILD_SA installation now fails.

* The _kernel-pfkey_ plugin optionally installs routes via internal interface (one with an IP in the local

  traffic selector).  On FreeBSD, enabling this selects the correct source IP when sending packets

  from the gateway itself (commit:e811659323).

* SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1 (#2574).

* The [[ipsecpkiverify|pki --verify]] tool may load CA certificates and CRLs from directories.

* The IKE daemon now also switches to port 4500 if the remote port is not 500 (e.g. because the

  remote maps the response to a different port, as might happen on Azure), as long as the local port

  is 500 (commit:85bfab621d).

* Fixed an issue with DNS servers passed to NetworkManager in charon-nm (commit:ee8c25516a).

* Logged traffic selectors now always contain the protocol if either protocol or port are set (commit:a36d8097ed).

* Only the inbound SA/policy will be updated as reaction to IP address changes for rekeyed CHILD_SAs

  that are kept around.

* The parser for [[strongswan.conf]]/[[swanctl.conf]] now accepts @=@ characters in values without having to

  put the value in quotes (e.g. for Base64 encoded shared secrets).

* Notes for developers:

  * *trap_manager_t*: Trap policies are now unistalled by peer/child name and not the reqid.

    No reqid is returned anymore when installing trap policies.

  * *child_sa_t*: A new state (@CHILD_DELETED@) is used for CHILD_SAs that have been deleted but not yet

    destroyed (after a rekeying CHILD_SAs are kept around for a while to process delayed packets).

    This way child_updown events are not triggered anymore for such SAs when an IKE_SA that has such

    CHILD_SAs assigned is deleted.