Changelog for 5.5.x¶

Version 5.5.3¶

• Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
  validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
  requirements regarding the passed exponent and modulus that the plugin did not
  enforce, if these are not met the calculation will result in a floating point exception
  that crashes the whole process.
  This vulnerability has been registered as CVE-2017-9022.
  Please refer to our blog for details.

• Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser
  didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when
  parsing X.509 extensions that use such types.
  This vulnerability has been registered as CVE-2017-9023.
  Please refer to our blog for details.

• The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
  traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA
  the responder already has everything available to install and use the new CHILD_SA.
  However, this could lead to lost traffic as the initiator won't be able to process
  inbound packets until it processed the CREATE_CHILD_SA response and updated the
  inbound SA. To avoid this the responder now only installs the new inbound SA and
  delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.

  The messages transporting these DELETEs could reach the peer before packets sent
  with the deleted outbound SAs reach it. To reduce the chance of traffic loss due
  to this the inbound SA of the replaced CHILD_SA is not removed for a configurable
  amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed.

• The code base has been ported to Apple's ARM64 iOS platform, which required several
  changes regarding the use of variadic functions. This was necessary because the calling
  conventions for variadic and regular functions are different there.
  This means that assigning a non-variadic function to a variadic function pointer, as we
  did with our enumerator_t::enumerate() implementations and several callbacks, will
  result in crashes as the called function accesses the arguments differently than the
  caller provided them. To avoid this issue the enumerator_t interface has been changed
  and the signature of the callback functions for enumerator_create_filter() and two
  methods on linked_list_t have been changed. Refer to the developer notes below
  for details.

• Adds support for fuzzing the certificate parser provided by the default plugins
  (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with
  libFuzzer). Several issues found while fuzzing these plugins were fixed.

• Two new options have been added to charon's retransmission settings:
  retransmit_limit and retransmit_jitter. The former adds an upper limit to the
  calculated retransmission timeout, the latter randomly reduces it.
  Refer to Retransmission for details.

• A bug in swanctl's --load-creds command was fixed that caused unencrypted
  private keys to get unloaded if the command was called multiple times.
  The load-key VICI command now returns the key ID of the loaded key on success.

• The credential manager now enumerates local credential sets before global ones.
  This means certificates supplied by the peer will now be preferred over certificates
  with the same identity that may be locally stored (e.g. in the certificate cache).

• Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for
  specific hardware that supports this.

• To announce support for IKE fragmentation but not actively fragment IKE messages
  the new accept option for the fragmentation setting may be used.

• If charon.plugins.socket-default.set_sourceif is enabled the socket-default plugin
  sets the outbound interface via IP_PKTINFO/IN6_PKTINFO. This is usually not required
  but could be used in special scenarios, e.g. to use IPv6 link-local addresses as
  tunnel endpoints.

• Add support for SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for PF_KEYv2's
  SADB_UPDATE message, which upcoming FreeBSD kernels will support for updating
  IP addresses of existing SAs.

• The value of charon.plugins.kernel-netlink.xfrm_acq_expires is now determined
  automatically based on the configured retransmission settings.

• If updating the inbound SA fails the kernel-netlink plugin now tries to add it, which
  could be useful if the SPI already expired after lots of retransmits of several exchanges.

• charon-nm and the NetworkManager plugin now support customizing the IKE and
  ESP proposals.

• With the sha256_96 compatibility option it's possible to locally configure 96-bit truncation
  for HMAC_SHA256 (the correct truncation is 128 bit) when negotiated using the official
  algorithm identifier (12). This is only useful for compatibility with peers that incorrectly
  use this shorter truncation as the actual truncation length is not negotiated.

• The removal of all online leases by the attr-sql plugin at startup may now be disabled
  to share the database between multiple instances.

• The pki tool loads the curve25519 plugin by default.

• When building the libraries monolithically and statically the plugin constructors are now
  hard-coded in each library so the plugin code is not removed by the linker because it
  thinks none of their symbols are ever referenced. This allows building an almost stand-alone
  static version of e.g. charon when building with --enable-monolithic --enable-static
--disable-shared (without --disable-shared libtool will build a version that still links
  the libraries dynamically, which might save some disk space if it's not necessary to link
  them statically, however, using --enable-monolithic might be enough in that case).
  External libraries (e.g. gmp or openssl) are not linked statically this way, though.

• Notes for developers:
  • child_sa_t: The API used for installing policies and SAs has been changed (traffic
    selectors are now only set once, outbound SAs and policies may be installed/uninstalled
    separately).
  • enumerator_t: A new mandatory method, venumerate(), has been added that takes
    a va_list with the arguments provided while enumerating. enumerate() is replaced
    with a generic implementation that prepares a va_list and calls the enumerator's
    venumerate() implementation. As this allows passing the arguments of one enumerator
    to another it avoids the five pointer hack previously used by enumerator_create_nested()
    and enumerator_create_cleaner(). To simplify the implementation of venumerate() a
    helper macro is provided that assigns values from a given va_list to local variables.
  • enumerator_create_filter(): The signature of the callback has changed significantly.
    It's now required to enumerate over the original enumerator in the callback itself, as
    this avoids the previous in/out pointer hack. The arguments to the outer enumerator are
    provided in a va_list.
  • linked_list_t: To avoid the five pointer hack previously used the signatures of the
    callbacks for linked_list_t's invoke_function() and find_first() methods have been
    changed to take a va_list as second argument. For the latter method the return type also
    changed from status_t to bool, which is important as SUCCESS is defined as 0, so checks
    for == SUCCESS will now fail.

Version 5.5.2¶

• Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined by RFC 8031
  is provided by the new curve25519 plugin.

• Support of Ed25519 digital signature algorithm for IKEv2 as defined by draft-ietf-ipsecme-eddsa
  is provided by the new curve25519 plugin. Ed25519-based public key pairs, X.509 certificates and CRLs
  can be generated and printed by the pki tool.

• The new tpm libtpmtss plugin allows to use persistent private RSA and ECDSA keys bound
  to a TPM 2.0 for both IKE and TLS authentication. Using the TPM 2.0 object handle as keyid
  parameter, the pki --pub tool can extract the public key from the TPM thereby replacing the
  aikpub2 tool. In a similar fashion pki --req can generate a PKCS#10 certificate request signed
  with the TPM private key. Optionally the tpm plugin may be used as RNG.

• The pki tool gained support for generating certificates with RFC 3779 addrblock extensions.
  The charon addrblock plugin now dynamically narrows traffic selectors based on the certificate's
  addrblocks instead of rejecting non-matching selectors completely. This allows generic connections,
  where the allowed selectors are defined by the used certificates only.

• The optional bypass-lan plugin automatically installs and updates passthrough/bypass
  policies for locally attached subnets. This is useful for mobile hosts that are used in different
  networks that want to access local devices in these networks (e.g. printers or NAS) while
  connected to a VPN.

• A command injection vulnerability in the ipsec script was fixed, which was exploitable if unprivileged
  users were allowed to run the script via sudo (2ec6372f5a).
  Thanks to Andrea Barisani for reporting this.

• Several new features for the VICI interface and the swanctl utility were added:
  • Enumerating and unloading private keys and shared secrets (swanctl --load-creds now
    automatically unloads removed secrets)
  • Loading keys and certificates from PKCS#11 tokens or a TPM (refer to the documentation of
    cert<suffix> and token<suffix> sections in swanctl.conf)
  • The ability to initiate, install and uninstall connections and policies by their exact
    name (if multiple child sections in different connections share the same name)
  • Querying a specific pool
  • A command to initiate the rekeying of IKE and IPsec SAs
  • Public keys may be configured directly in swanctl.conf via 0x/0s prefix (actually works for
    certificates too)
  • The overhead of the VICI logger has been reduced as it now only does something if listeners
    are registered
  • Support for settings previously only supported by the old config files: DSCP, certificate
    policies, IPv6 Transport Proxy Mode, NT hash secrets, mediation extension

• In-place update of cached base and delta CRLs does not leave dozens of stale copies in cache memory.

• Support for handling IKEV2_MESSAGE_ID_SYNC notifies as responder (usually the original initiator
  of an IKE_SA) as defined in RFC 6311 was added. Some HA solutions use these notifies to set
  the new IKEv2 message IDs after a failover event (currently not our HA solution, though).

• By default, the IKE daemon keeps SAs on the routing path with addresses it previously used if that
  path is still usable. Enabling charon.prefer_best_path changes that and it will try more aggressively
  to update SAs with MOBIKE on routing changes using the cheapest path. This adds more noise, but
  allows to dynamically adapt SAs to routing priority changes, for instance, if some paths actually
  generate more costs than others (597e8c9e00).

• If MOBIKE is disabled and the local address is statically configured the daemon will now ignore any
  roaming events that might, otherwise, cause it to attempt to recreate the IKE_SA (be27e76869).

• Trap policies now use priorities from the same range as regular policies, which allows installing
  overlapping trap policies (#1243).

• When proposing transport mode the IKE daemon now always applies the hosts to the traffic selectors.
  It previously only did so if %dynamic was used as TS. However, that's not the case if wildcard trap
  policies are configured (no single remote address specified). Once traffic matched, the daemon proposed
  the configured remote TS as-as, which the responder then had to narrow down to its own local address.
  Some third-party implementations, however, reject such non-host TS for transport mode SAs (da82786b2d).

• For AH the kernel-netlink plugin now enables the correct 4 byte alignment (by default, the kernel
  uses an 8 byte alignment, which is mandatory for IPv6 but prohibited for IPv4, 965daa1df3).

• The kernel-netlink plugin now considers labels when selecting IPv6 addresses (#2138) and sets the
  NODAD flag for virtual IPv6 addresses to avoid issues with failing DAD (#2183).

• The receive buffer size used by the kernel-netlink plugin is now configurable (8a91729dfe).

• Large responses to Netlink requests are now concatenated more efficiently by the kernel-netlink
  plugin (6fe1d78a0d).

• If route installation is disabled (charon.install_routes) the kernel-netlink plugin now uses a more
  efficient route lookup to determine source and next-hop addresses (558691b3b0).

• No mark is installed anymore on inbound IPsec SAs. So explicitly marking inbound traffic before
  decryption is not necessary anymore (067fd2c69c).

• The range from which SPIs for IPsec SAs are allocated by the kernel is now configurable.

• PSKs for IKEv1 connections are now first looked up based on configured identities of connections
  that match the IPs, before falling back to searching for PSKs for the IPs (#2223).

• The daemon now responds to DPDs for rekeyed IKEv1 SAs (#2090).

• charon-systemd now reloads strongswan.conf, the loggers and the plugins (that support it)
  when it receives a SIGHUP. The same may be achieved via VICI's reload-settings command, which
  previously did not reload the loggers.

• The forecast plugin used the incorrect port in UDP NAT-T rules (094a4d15cf).

• Validation via OCSP and CRLs can be disabled individually in the revocation plugin.

• RFC 5114 DH groups were removed from the default proposal (649537ee8d), they may be used if
  configured explicitly.

• A memory leak was fixed when CHILD_SA configs were updated via VICI (da1d5cd2e6).

• The plugin loader now correctly hashes registered plugin features (ac4942c3c3).

• Notes for developers:
  • Due to issues with VICI bindings that map sub-sections to dictionaries (e.g. Python)
    the CHILD_SA sections returned via list-sas now have a unique name. The original name
    of a CHILD_SA is returned in the name key of its section.
  • To simplify loading certificates via VICI when running on the same host as the daemon
    absolute paths to certificates (instead of their binary encoding) may be passed via
    cert<suffix> sections (file key).
  • The load-testconfig script now loads the configs from the source directory and pre-processes
    them properly (previously it was required to run do-tests once for the target scenario).

Version 5.5.1¶

• The newhope plugin implements the post-quantum NewHope key exchange algorithm
  proposed in their 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
  Peter Schwabe.

• The libstrongswan crypto factory now offers the registration of Extended
  Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
  implemented by the sha3 plugin, ChaCHa20 implemented by the chapoly plugin
  and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
  SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.

• By default, the "outbound" FWD policies, introduced with 5.5.0, are not installed anymore.
  They may be enabled via the policies_fwd_out setting in swanctl.conf/vici for a specific
  CHILD_SA if its traffic would otherwise get blocked by a drop policy.
  A bug in regards to updating reqids in the kernel-netlink plugin, that was particularly a problem
  with duplicate "outbound" FWD policies, has also been fixed (175d78df60).

• XFRM policy hashing thresholds may be configured via strongswan.conf. This can significantly
  improve the performance on hosts where the number of flows exceeds the flow cache size of the
  Linux kernel. Policies covering more than a single address don't get hash-indexed by default,
  which results in wasting most of the cycles in xfrm_policy_lookup_bytype() and the called
  xfrm_policy_match(). Since Linux 3.18 the kernel can hash the first n-bit of a policy subnet to
  perform indexed lookups. With correctly chosen thresholds this can completely eliminate the
  performance impact of policy lookups.
  Note: Due to a bug in Linux 3.19 through 4.7, the kernel crashes with a NULL pointer dereference
  if a socket policy (used by strongSwan to exempt IKE traffic from IPsec tunnels) is installed while
  hash thresholds are changed. See ac9759a532 for details and a workaround.

• The NetworkManager integration has been updated to support NM 1.2.
  The directory from which CA certificates are loaded if no certificate is configured in the GUI can
  now be configured via strongswan.conf using the new charon-nm.ca_dir setting.

• IKE fragmentation is now enabled by default with the default fragment size set to 1280 bytes
  for both IP address families.

• A DELETE is sent when a rekeyed IKEv1 SA is deleted. This fixes issues with peers that continue
  to send DPDs on the old SA and then delete all SAs if no response is received (see #2090).
  Also, when terminating IKEv1 SAs, DELETEs for all CHILD_SAs are now sent before sending one for
  the IKE_SA and destroying it.

• The pki tool, with help of the pkcs1 or openssl plugins, can parse private keys in any of the
  supported formats without having to know the exact type. So instead of having to specify rsa or
  ecdsa explicitly the keyword priv may be used to indicate a private key of any type.
  Similarly, swanctl can load any type of private key from the swanctl/private directory.

• The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
  sha3 and gmp plugins.

• The VICI flush-certs command flushes certificates from the volatile certificate cache.
  Optionally the type of the certificates to be flushed (e.g. type = x509_crl) can be specified.

• When setting charon.cache_crls = yes in strongswan.conf the vici plugin saves regular,
  base and delta CRLs to disk.
  Fetched CRLs are now also cached if the checked certificate has been revoked.

• The serial number for delta CRLs generated by pki --signcrl is now based on
  the given base CRL again (was broken since 4.6.3).

• Delta CRLs are now properly cached in-memory (and on disk) together with their base. Before this
  the presence of a delta CRL might have required that the base be refetched every time.

• When verifying trust chains with pki --verify local CRLs may now be specified with the
  new --crl argument.

• IKE and ESP/AH proposals configured as strings in ipsec.conf and swanctl.conf (or VICI) are now
  checked to avoid invalid proposals. For instance, the presence of DH, PRF and encryption algorithms
  for IKE proposal are now enforced and AEAD and regular encryption algorithms are not allowed in
  the same proposal anymore. Also fixed is the mapping of the aes*gmac keywords to an integrity
  algorithm in AH proposals.

• Unmarked packets may now be matched by setting 0/0xffffffff as XFRM mark (33d3ffde25).

• The maximum registered log level is now determined correctly if loggers implementing only
  log or vlog are mixed (dac15e03c8).

• In addition to the existing ike_keys and child_keys hooks on listener_t two new hooks
  allow listeners to receive the derived IKE and CHILD_SA keys (ike|child_derived_keys).

• The check for libatomic has been improved (6e19a1f5f2).

• The use of AES-GCM with BoringSSL has been fixed (c72c6e9225).

• libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
  tss2_tcti_finalize().

• The results of leak-detective are now evaluated in our testing environment, which
  lead to the fixing of several memory leaks.

• No key and self-signed certificate is generated by starter anymore if ipsec.secrets does not exist.

• The long unmaintained Maemo plugin and frontend have been removed.

Version 5.5.0¶

• The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.
  This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.

• The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases
  and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND notifies, as defined by RFC 7296,
  has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.

• IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound
  policies may be restricted to a network interface. These options are only configurable via swanctl.conf.
  An example is provided in the swanctl/manual-prio scenario.

• The scheme for the automatically calculated default priorities has been changed and now also
  considers port masks, which were added with 5.4.0 (for details see d3af3b799f).

• FWD policies are now installed in both directions in regards to the traffic selectors (9c12635252).
  Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for
  example, in the swanctl/net2net-gw or the ikev2/ip-two-pools-db scenarios) they are installed
  with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the
  two and prefer those with a reqid.

• How the interface for routes installed with policies is determined has changed (96b1fab53c). In most
  cases the interface over which the other peer is reached is now used, not the interface on which the local
  address (or the source IP) is installed. However, that might be the same interface depending on the
  configuration (i.e. in practice there will often not be a change).

• No routes are installed anymore for drop policies and policies with port/protocol selector (e7369a9dc5).

• For outbound IPsec SAs no replay window is configured anymore.

• When using unique marks (mark=%unique) the allocated mark is now correctly passed to the
  updown script (b210369314).

• Enhanced the functionality of the swanctl --list-conns command by listing IKE_SA and CHILD_SA
  reauthentication and rekeying settings and EAP/XAuth identities and EAP types.

• Fixed an interoperability issue with Windows Server 2012 R2 gateways after modifying the default IKE
  proposal with 5.4.0 (fae18fd201, also explained in the changelog of the Android app).

• DNS servers installed by the resolve plugin are now refcounted, which should fix its use with
  make-before-break reauthentication. Any output written to stderr/stdout by resolvconf is now logged.

• Negotiation of ESN with IKEv1 is supported (40bb4677f7).

• The default plugin load list may now be modified by specifying the individual load setting of a plugin.

• Fixed how mappings are stored in the eap-simaka-pseudonym plugin (5005325020).

• Support for BoringSSL and OpenSSL 1.1.0 has been added.

• Notes for developers:
  • The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.
  • Similarly the constructors for peer_cfg_t and child_cfg_t now take structs.
  • We now use the standard unsigned integer types (e.g. uint64_t instead of u_int64_t).
  • The testing environment now uses images based on Debian jessie (stable).