Changelog for 5.6.x

Version 5.6.3

  • Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is used in FIPS
    mode and HMAC-MD5 is negotiated as PRF.
    This vulnerability has been registered as CVE-2018-10811.
    Please refer to our blog for details.
  • Fixed a vulnerability in the stroke plugin, which did not check the received length before
    reading a message from the socket. Unless a group is configured, root privileges are
    required to access that socket, so in the default configuration this shouldn't be an issue.
    This vulnerability has been registered as CVE-2018-5388.
    Please refer to our blog for details.
  • CRLs that are not yet valid are now ignored to avoid problems in scenarios where expired
    certificates are removed from new CRLs and the clock on the host doing the revocation
    check is trailing behind that of the host issuing CRLs. Not doing this could result in accepting
    a revoked and expired certificate, if it's still valid according to the trailing clock but not
    contained anymore in not yet valid CRLs.
  • The issuer of fetched CRLs is now compared to the issuer of the checked certificate (#2608).
  • CRL validation results other than revocation (e.g. a skipped check because the CRL couldn't
    be fetched) are now stored also for intermediate CA certificates and not only for end-entity
    certificates, so a strict CRL policy can be enforced in such cases.
  • In compliance with RFC 4945, section, certificates used for IKE must now either
    not contain a keyUsage extension (like the ones generated by pki), or have at least one of the
    digitalSignature or nonRepudiation bits set.
  • New options for vici/swanctl allow forcing the local termination of an IKE_SA. This might be
    useful in situations where it's known the other end is not reachable anymore, or that it already
    removed the IKE_SA, so retransmitting a DELETE and waiting for a response would be pointless.
    Waiting only a certain amount of time for a response (i.e. shorter than all retransmits would be)
    before destroying the IKE_SA is also possible by additionally specifying a timeout in the forced
    termination request.
  • When removing routes, the kernel-netlink plugin now checks if it tracks other routes for the same
    destination and replaces the installed route instead of just removing it. The same is done during
    installation, where existing routes previously weren't replaced. This should allow using traps with
    virtual IPs on Linux (#2162).
  • The dhcp plugin now only sends the client identifier DHCP option if the identity_lease setting is
    enabled (7b660944b6). It can also send identities of up to 255 bytes length, instead of the
    previous 64 bytes (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP requests
    are now sent from port 67 instead of 68 to avoid ICMP port unreachables (becf027cd9).
  • The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one containing a DH group that wasn't
    proposed) during CREATE_CHILD_SA exchanges has been improved (#2536).
  • Roam events are now completely ignored for IKEv1 SAs (there is no MOBIKE to handle such
    changes properly).
  • ChaCha20/Poly1305 is now correctly proposed without key length (#2614). For compatibility with
    older releases the chacha20poly1305compat keyword may be included in proposals to also propose
    the algorithm with a key length (c58434aeff).
  • Configuration of hardware offload of IPsec SAs is now more flexible and allows a new setting (auto),
    which automatically uses it if the kernel and device both support it. If hw_offload is set to yes and
    offloading is not supported, the CHILD_SA installation now fails.
  • The kernel-pfkey plugin optionally installs routes via internal interface (one with an IP in the local
    traffic selector). On FreeBSD, enabling this selects the correct source IP when sending packets
    from the gateway itself (e811659323).
  • SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1 (#2574).
  • The pki --verify tool may load CA certificates and CRLs from directories.
  • The IKE daemon now also switches to port 4500 if the remote port is not 500 (e.g. because the
    remote maps the response to a different port, as might happen on Azure), as long as the local port
    is 500 (85bfab621d).
  • Fixed an issue with DNS servers passed to NetworkManager in charon-nm (ee8c25516a).
  • Logged traffic selectors now always contain the protocol if either protocol or port are set (a36d8097ed).
  • Only the inbound SA/policy will be updated as reaction to IP address changes for rekeyed CHILD_SAs
    that are kept around.
  • The parser for strongswan.conf/swanctl.conf now accepts = characters in values without having to
    put the value in quotes (e.g. for Base64 encoded shared secrets).
  • Notes for developers:
    • trap_manager_t: Trap policies are now uninstalled by peer/child name and not the reqid.
      No reqid is returned anymore when installing trap policies.
    • child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that have been deleted but not yet
      destroyed (after a rekeying CHILD_SAs are kept around for a while to process delayed packets).
      This way child_updown events are not triggered anymore for such SAs when an IKE_SA that has such
      CHILD_SAs assigned is deleted.
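
The two certificate-validation changes above (ignoring not-yet-valid CRLs, and the RFC 4945 keyUsage rule for IKE certificates) are easier to reason about with concrete inputs. The following is an added example written for this changelog, not strongSwan's own code: it decodes a DER-encoded KeyUsage BIT STRING and applies the digitalSignature/nonRepudiation rule, and it models CRL selection with a local clock that trails the CRL issuer's clock. The sample keyUsage bytes, serial number, timestamps and CRL contents are constructed, and the "newest usable CRL wins" selection is a simplifying assumption about how a revocation checker picks among cached CRLs, not a description of strongSwan's x509 or revocation plugin internals.

```python
from datetime import datetime

# --- keyUsage rule (5.6.3): no extension at all, or digitalSignature/nonRepudiation set ---

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def parse_key_usage(der):
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into the set of named bits.
    Per X.690, bit 0 is the most significant bit of the first content byte and
    the first content byte counts the unused trailing bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length < 1 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    named = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            named.add(KEY_USAGE_BITS[i])
    return named

def usable_for_ike(key_usage_der):
    """None means the certificate carries no keyUsage extension, which is accepted."""
    if key_usage_der is None:
        return True
    return bool(parse_key_usage(key_usage_der) & {"digitalSignature", "nonRepudiation"})

# --- CRL selection (5.6.3): skip CRLs whose thisUpdate is still in the future locally ---

def select_crl(crls, now, ignore_not_yet_valid=True):
    """Assumed model: the newest CRL wins, optionally restricted to CRLs already valid
    according to the local clock (the 5.6.3 behaviour)."""
    usable = [c for c in crls if not ignore_not_yet_valid or c["this_update"] <= now]
    return max(usable, key=lambda c: c["this_update"]) if usable else None

def check_revocation(serial, not_after, crls, now, ignore_not_yet_valid=True):
    """Return 'expired', 'skipped' (no usable CRL), 'revoked' or 'good'."""
    if now > not_after:
        return "expired"
    crl = select_crl(crls, now, ignore_not_yet_valid)
    if crl is None:
        return "skipped"
    return "revoked" if serial in crl["revoked"] else "good"

# --- Constructed sample data (not taken from any real certificate or CRL) ---

KU_SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
KU_CA_ONLY = bytes.fromhex("03020106")            # keyCertSign + cRLSign
KU_NON_REPUDIATION = bytes.fromhex("03020640")    # nonRepudiation only

def at(hour, minute):
    return datetime(2018, 5, 1, hour, minute)

# Serial 42 was revoked and then expired (per the issuer's clock at 11:30), so the
# issuer's 12:00 CRL no longer lists it; the 10:00 CRL still does.
CERT_SERIAL, CERT_NOT_AFTER = 42, at(11, 30)
CRLS = [
    {"this_update": at(10, 0), "revoked": {42, 7}},
    {"this_update": at(12, 0), "revoked": {7}},
]
TRAILING_CLOCK = at(11, 0)   # the checking host runs one hour behind the issuer

if __name__ == "__main__":
    print(parse_key_usage(KU_CA_ONLY), usable_for_ike(KU_CA_ONLY))
    # Old behaviour accepts the revoked certificate, new behaviour does not:
    print(check_revocation(CERT_SERIAL, CERT_NOT_AFTER, CRLS, TRAILING_CLOCK, ignore_not_yet_valid=False))
    print(check_revocation(CERT_SERIAL, CERT_NOT_AFTER, CRLS, TRAILING_CLOCK))
```

With the trailing clock the certificate is still within its validity period locally, and the 12:00 CRL (which no longer lists it) would be consulted unless CRLs dated in the future are set aside; skipping it falls back to the 10:00 CRL, which still carries the revocation.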

Version 5.6.2

  • Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient
    input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS
    signatures is the mask generation function (MGF). Only MGF1 is currently specified for this purpose.
    However, this in turn takes itself a parameter that specifies the underlying hash function. strongSwan's
    parser did not correctly handle the case of this parameter being absent, causing an undefined data read.
    This vulnerability has been registered as CVE-2018-6459.
    Please refer to our blog for details.
  • When rekeying IKEv2 IKE_SAs the previously negotiated DH group will be reused, instead of using
    the first configured group, which avoids an additional exchange if the peer previously selected a
    different DH group via INVALID_KE_PAYLOAD notify. The same is also done when rekeying CHILD_SAs
    except for the first rekeying of the CHILD_SA that was created with the IKE_SA, where no DH group
    was negotiated yet.
    Also, the selected DH group is moved to the front in all sent proposals that contain it and all proposals
    that don't are moved to the back in order to convey the preference for this group to the peer.
  • Handling of MOBIKE task queuing has been improved. In particular, the response to an address update
    (with NAT-D payloads) is not ignored anymore if only an address list update or DPD is queued as that
    could prevent updating the UDP encapsulation in the kernel.
  • On Linux, roam events may optionally be triggered by changes to the routing rules, which can be
    useful if routing rules (instead of e.g. route metrics) are used to switch from one to another
    interface (i.e. from one to another routing table). Since routing rules are currently not evaluated
    when doing route lookups this is only useful if the kernel-based route lookup is used (4664992f7d).
  • The fallback drop policies installed to avoid traffic leaks when replacing addresses in installed policies
    are now replaced by temporary drop policies, which also prevent acquires because we currently delete and
    reinstall IPsec SAs to update their addresses (35ef1b032d).
  • Access X.509 certificates held in non-volatile storage of a TPM 2.0 referenced via the NV index.
  • Adding the --keyid parameter to pki --print allows printing private keys or certificates stored in a
    smartcard or a TPM 2.0.
  • Fixed proposal selection if a peer incorrectly sends DH groups in the ESP proposal during IKE_AUTH and
    also if a DH group is configured in the local ESP proposal and charon.prefer_configured_proposals is
    disabled (d058fd3c32).
  • The lookup for PSK secrets for IKEv1 has been improved for certain scenarios (see #2497 for details).
  • MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility issues with EAP-MSCHAPv2
    and PRFs that have a block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
  • The tpm_extendpcr command line tool extends a digest into a TPM PCR.
  • Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
  • The save-keys debugging/development plugin saves IKE and/or ESP keys to files compatible with Wireshark.

Version 5.6.1

  • Several algorithms were removed from the default ESP/AH and IKE proposals in compliance with
    RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH proposal were the
    3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKE default
    proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the
    latter is significant for Windows clients in their default configuration).
    These algorithms may still be used in custom proposals.
  • Support for RSASSA-PSS signatures has been added. For compatibility with previous releases they are
    currently not used automatically by default; to change that, charon.rsa_pss may be enabled. To explicitly use
    or require such signatures during IKEv2 signature authentication (RFC 7427), ike:rsa/pss... authentication
    constraints may be used for specific connections (regardless of whether the strongswan.conf option above is
    enabled). Only the hash algorithm can be specified in such constraints; the MGF1 will be based on that hash
    and the salt length will equal the hash length (when verifying, the salt length is not enforced).

    To enforce such signatures during PKI verification use rsa/pss... authentication constraints.

    All pki commands that create certificates/CRLs can be made to sign with RSASSA-PSS instead of the
    classic PKCS#1 scheme with the --rsa-padding pss option. As with signatures during authentication, only
    the hash algorithm is configurable (via the --digest option); the MGF1 will be based on that and the salt length
    will equal the hash length.

    These signatures are supported by all RSA backends except pkcs11 (i.e. gmp, gcrypt, openssl). The gmp
    plugin requires the mgf1 plugin.

    Note that RSASSA-PSS algorithm identifiers and parameters in keys (public keys in certificates or private keys
    in PKCS#8 files) are currently not used as constraints.

  • The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu)
    and sets the security flags in the IMV policy database accordingly. Additionally for each new package
    version a SWID tag for the given OS and HW architecture is created and stored in the database.
    Using the script template the lookup can be automated (e.g. via an hourly cron job).
  • When restarting an IKEv2 negotiation after receiving an INVALID_KE_PAYLOAD notify (or due to other reasons
    like too many retransmits) a new initiator SPI is allocated. This prevents issues caused by retransmits for
    IKE_SA_INIT messages.

    Because the initiator SPI was previously reused when restarting the connection delayed responses for previous
    connection attempts were processed and might have caused fatal errors due to a failed DH negotiation or because
    of the internal retry counter in the ike-init task. For instance, if we proposed a DH group the responder rejected we
    might have later received delayed responses that either contained INVALID_KE_PAYLOAD notifies with the DH group
    we already switched to, or, if we retransmitted an IKE_SA_INIT with the requested group but then had to restart again,
    a KE payload with a group different from the one we proposed.

  • The introduction of file versions in the IMV database scheme broke file reference hash measurements.
    This has been fixed by creating generic product versions having an empty package name.
  • A new timeout option for the systime-fix plugin stops periodic system time checks after a while and enforces
    a certificate verification, closing or reauthenticating all SAs with invalid certificates.
  • The IKE event counters, previously only available via the ipsec listcounters command, may now also be queried and
    reset via vici and the new swanctl --counters command. They are collected and provided by the optional
    counters plugin (enabled by default for backwards compatibility if the stroke plugin is built).
  • Class attributes received in RADIUS Access-Accept messages may optionally be added to RADIUS accounting
    messages (655924074b).
  • Basic support for systemd sockets has been added, which may be used for privilege separation (59db98fb94).
  • Inbound marks may optionally be installed in the SA again (was removed with 5.5.2) by enabling the mark_in_sa
    option in swanctl.conf.
  • The timeout of leases in pools configured via the pool utility may be configured in units other than hours.
  • INITIAL_CONTACT notifies are now only omitted if never is configured as uniqueness policy.
  • Outbound FWD policies for shunts are not installed anymore, by default (as is the case for other policies since 5.5.1).
  • Don't consider a DH group mismatch during CHILD_SA rekeying as failure as responder (e7276f78aa).
  • Handling of fragmented IPv4 and IPv6 packets in libipsec has been improved (e138003de9).
  • Trigger expire events for the correct IPsec SA in libipsec (6e861947a0).
  • A crash in CRL verification via openssl plugin using OpenSSL 1.1 has been fixed (78acaba6a1).
  • No hard-coded default proposals are passed from starter to the stroke plugin anymore (the IKE proposal used
    curve25519 since 5.5.2, which is an optional plugin).
  • A workaround for an issue with virtual IPs on macOS 10.13 (High Sierra) has been added (039b85dd43).
  • Handling of IKE_SA rekey collisions in charon-tkm has been fixed.
  • Instead of failing or just silently doing nothing, unit tests may now warn about certain conditions (e.g. if a test
    was not executed due to external dependencies).

Version 5.6.0

  • Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
    when verifying RSA signatures, which requires decryption with the operation m^e mod n,
    where m is the signature, and e and n are the exponent and modulus of the public key.
    The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
    So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
    This result wasn't handled properly causing a null-pointer dereference.
    This vulnerability has been registered as CVE-2017-11185.
    Please refer to our blog for details.
  • The IMV database template has been adapted to achieve full compliance with the
    ISO 19770-2:2015 SWID tag standard.
  • The sw-collector tool extracts software events from apt history logs and stores them
    in an SQLite database to be used by the SWIMA IMC. The tool can also generate SWID tags both
    for installed and removed package versions.
  • The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
  • libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
  • Added the eap-aka-3gpp plugin, which implements the 3GPP MILENAGE algorithms in software.
    K (optionally concatenated with OPc) may be configured as binary EAP secret in ipsec.secrets
    or swanctl.conf.
  • The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3:
    • On Linux the outbound policy now has the SPI of the corresponding SA set and the responder
      of a rekeying will install both IPsec SAs (in/out) immediately, but delay the update of the
      outbound policy until it received the delete for the replaced CHILD_SA.
    • The previous code temporarily installed an outbound IPsec SA/policy that was deleted
      immediately afterwards when a rekey collision was lost, which caused a slight chance for traffic loss.
  • The remote address must not be resolvable anymore when installing trap policies (at least not if the
    remote traffic selector is not %dynamic, 1a8226429a).
  • By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
    swanctl.conf file.
  • The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
  • The sha2 plugin was changed so that the last output is not stored in an internal buffer anymore (1a75514b76, #2388).
  • The encoding of nonces in OCSP requests was fixed in the x509 plugin (d7dc677ee5).
  • The handling of keyUsage extensions in X.509 certificates was fixed in the openssl plugin (e793d65acd).
  • pki loads the pubkey plugin to fix printing public keys (ef6b710f19).
  • Some changes were added to the TestingEnvironment:
    • do-tests supports running multiple tests via wildcards (e.g. do-tests ikev2/ocsp-*)
    • With the -v option do-tests will prefix each executed command with a timestamp in console.log
    • Tests in evaltest.dat can now easily match a specific number of lines (instead of [YES] or [NO]
      use e.g. [2] if exactly two matching lines - or packets for tcpdump matches - are expected)
    • Failed matches are now clearly marked in console.log
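
The CVE-2017-11185 entry for 5.6.0 above describes a missing range check on the signature value m before computing m^e mod n. The following is an added example written for this changelog, not strongSwan's gmp plugin: it uses a constructed textbook RSA key (n = 61 * 53, e = 17, d = 2753; far too small for any real use) to show why the check 0 <= m < n must precede the exponentiation. With the check disabled, the function models the pre-fix behaviour: m = n evaluates to 0 (the value that made mpz_export() return NULL in the plugin), and any m + k*n verifies exactly like m, so a signature is no longer a single canonical integer.

```python
# Constructed textbook RSA key for illustration only: n = 61 * 53, phi(n) = 3120,
# and e * d = 17 * 2753 = 46801 = 15 * 3120 + 1.
N, E, D = 3233, 17, 2753

def rsa_sign(m, d=D, n=N):
    """Raw (unpadded) RSA signature s = m^d mod n of a message representative m."""
    if not 0 <= m < n:
        raise ValueError("message representative out of range [0, n-1]")
    return pow(m, d, n)

def rsa_verify(signature, expected, e=E, n=N, enforce_range=True):
    """Raw RSA verification: recover s^e mod n and compare with the expected value.
    Returns 'ok', 'bad' or 'rejected'. enforce_range=False models the pre-fix
    gmp plugin path, where any integer reaches the exponentiation."""
    if enforce_range and not 0 <= signature < n:
        return "rejected"       # the 5.6.0 fix: refuse m outside [0, n-1] up front
    recovered = pow(signature, e, n)
    return "ok" if recovered == expected else "bad"

def recovered_value(signature, e=E, n=N):
    """The raw s^e mod n value, to show what a signature equal to n produces."""
    return pow(signature, e, n)

if __name__ == "__main__":
    s = rsa_sign(65)
    print("genuine signature:", rsa_verify(s, 65))
    print("m == n, fixed:", rsa_verify(N, 0))
    print("m == n, pre-fix recovered value:", recovered_value(N))
    print("m + n, pre-fix:", rsa_verify(s + N, 65, enforce_range=False))
```

In the gmp plugin the zero result is what turned into a NULL from mpz_export() and the null-pointer dereference; rejecting out-of-range values before any arithmetic removes both that case and the non-canonical m + k*n signatures.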