Changelog for 5.6.x » History » Version 2
Tobias Brunner, 14.08.2017 14:05
Changelog for 5.6.x
Version 5.6.1
- Several algorithms were removed from the default ESP/AH and IKE proposals in compliance with
RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH proposal were the
3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKE default
proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the
latter is significant for Windows clients in their default configuration).
These algorithms may still be used in custom proposals.
- Support for RSASSA-PSS signatures has been added. For compatibility with previous releases they are
currently not used automatically by default; to change that, charon.rsa_pss may be enabled. To explicitly use
or require such signatures during IKEv2 signature authentication (RFC 7427), ike:rsa/pss... authentication
constraints may be used for specific connections (regardless of whether the strongswan.conf option above is
enabled). Only the hash algorithm can be specified in such constraints; the MGF1 will be based on that hash
and the salt length will equal the hash length (when verifying, the salt length is not enforced). To enforce such
signatures during PKI verification use rsa/pss... authentication constraints.
All pki commands that create certificates/CRLs can be made to sign with RSASSA-PSS instead of the
classic PKCS#1 scheme with the --rsa-padding pss option. As with signatures during authentication, only
the hash algorithm is configurable (via the --digest option), the MGF1 will be based on that and the salt length
will equal the hash length. These signatures are supported by all RSA backends except pkcs11 (i.e. gmp, gcrypt,
openssl). The gmp plugin requires the mgf1 plugin. Note that RSASSA-PSS algorithm identifiers and parameters
in keys (public keys in certificates or private keys in PKCS#8 files) are currently not used as constraints.
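The parameter choices described above (MGF1 built on the same hash as the message digest, a salt as long as the hash on the signing side, and no salt-length requirement on the verifying side) can be seen in a pure-stdlib implementation of RSASSA-PSS per RFC 8017. The following is an added example, not code from strongSwan, charon or pki; the RSA key is generated at runtime with demo-quality prime generation, the function names are the example's own, and the message is a constructed input.

```python
"""RSASSA-PSS (RFC 8017 sections 8.1 and 9.1) with the parameter choices the
changelog describes. Added example, not strongSwan code. Key generation here
is demo-quality only (no side-channel or constant-time considerations)."""
import hashlib
import os
import random

_rng = random.SystemRandom()

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 B.2.1) on the named hash: concat Hash(seed || counter)."""
    hlen = hashlib.new(hash_name).digest_size
    blocks = (length + hlen - 1) // hlen
    return b"".join(hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest()
                    for c in range(blocks))[:length]

def emsa_pss_encode(m_hash: bytes, em_bits: int, hash_name: str, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1): EM = maskedDB || H || 0xbc."""
    hlen, slen, em_len = len(m_hash), len(salt), (em_bits + 7) // 8
    if em_len < hlen + slen + 2:
        raise ValueError("modulus too small for this hash and salt length")
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - slen - hlen - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - hlen - 1, hash_name)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)      # clear the unused top bits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(m_hash: bytes, em: bytes, em_bits: int, hash_name: str) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2) without an sLen requirement: the salt is
    whatever follows the 0x01 separator in the unmasked DB, so any length verifies."""
    hlen, em_len = len(m_hash), (em_bits + 7) // 8
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < hlen + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - hlen - 1], em[em_len - hlen - 1:-1]
    if masked[0] & (0xFF ^ top_mask):                # top bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, em_len - hlen - 1, hash_name)))
    db[0] &= top_mask
    sep = db.find(b"\x01")
    if sep < 0 or any(db[:sep]):                      # only zeros before the separator
        return False
    salt = bytes(db[sep + 1:])                        # salt length recovered, not asserted
    return h == hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()

def _probably_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with a small trial-division prefilter (demo-only)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024, e: int = 65537):
    """Returns (e, d, n); primes have the top bit set, so n is bits or bits-1 long."""
    def prime(b):
        while True:
            c = _rng.getrandbits(b) | (1 << (b - 1)) | 1
            if c % e != 1 and _probably_prime(c):     # keeps gcd(e, phi) == 1
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    while q == p:
        q = prime(bits // 2)
    return e, pow(e, -1, (p - 1) * (q - 1)), p * q

def rsassa_pss_sign(msg: bytes, d: int, n: int, hash_name="sha256", salt_len=None) -> bytes:
    """Salt length defaults to the hash length, as the changelog states."""
    m_hash = hashlib.new(hash_name, msg).digest()
    salt = os.urandom(len(m_hash) if salt_len is None else salt_len)
    em = emsa_pss_encode(m_hash, n.bit_length() - 1, hash_name, salt)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsassa_pss_verify(msg: bytes, sig: bytes, e: int, n: int, hash_name="sha256") -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:                       # RSAVP1 range check
        return False
    em_bits = n.bit_length() - 1
    em = pow(s, e, n).to_bytes((em_bits + 7) // 8, "big")
    return emsa_pss_verify(hashlib.new(hash_name, msg).digest(), em, em_bits, hash_name)

def demo() -> dict:
    """Valid signature, tampered message, and a signature made with an 8-byte
    salt (accepted, because the verifier does not enforce the salt length)."""
    e, d, n = generate_rsa_key(1024)
    msg = b"constructed test message"                 # constructed input
    sig = rsassa_pss_sign(msg, d, n)
    return {"valid": rsassa_pss_verify(msg, sig, e, n),
            "tampered": rsassa_pss_verify(msg + b"!", sig, e, n),
            "short_salt_accepted": rsassa_pss_verify(msg, rsassa_pss_sign(msg, d, n, salt_len=8), e, n)}
```

Run `demo()` to see the three cases. The third result is the practical consequence of "the salt length is not enforced": a peer that signs with a different salt length still interoperates, because the verifier locates the salt via the 0x01 separator instead of assuming its length.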
- The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu)
and sets the security flags in the IMV policy database accordingly. Additionally for each new package
version a SWID tag for the given OS and HW architecture is created and stored in the database.
Using the sec-updater.sh script template the lookup can be automated (e.g. via an hourly cron job).
- When restarting an IKEv2 negotiation after receiving an INVALID_KE_PAYLOAD notify (or due to other reasons
like too many retransmits) a new initiator SPI is allocated. This prevents issues caused by retransmits for
IKE_SA_INIT messages. Because the initiator SPI was previously reused when restarting the connection, delayed
responses for previous connection attempts were processed and might have caused fatal errors due to a failed DH
negotiation or because of the internal retry counter in the ike-init task. For instance, if we proposed a DH group
the responder rejected we might have later received delayed responses that either contained INVALID_KE_PAYLOAD
notifies with the DH group we already switched to, or, if we retransmitted an IKE_SA_INIT with the requested group
but then had to restart again, a KE payload with a group different from the one we proposed.
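The failure mode above can be reproduced in a small model of the initiator's IKE_SA_INIT handling. This is an added example, not strongSwan code: the `Initiator` class, its state fields and the scenario are the example's own constructions. It uses the IANA IKEv2 DH group numbers 19 (ECP-256) and 14 (MODP-2048) and 8-byte SPIs, and compares the old behaviour (SPI reused across restarts) with the 5.6.1 behaviour (fresh SPI per attempt).

```python
"""Toy model of an IKEv2 initiator restarting IKE_SA_INIT after
INVALID_KE_PAYLOAD. Added example, not strongSwan code. It shows why a
reused initiator SPI lets a delayed duplicate notify into the restarted
exchange and why a fresh SPI per attempt filters it out."""
import os
from dataclasses import dataclass, field
from typing import List

@dataclass
class Response:
    spi_i: bytes      # initiator SPI echoed back by the responder
    kind: str         # "INVALID_KE_PAYLOAD" notify or a "KE" payload
    group: int        # DH group carried by the notify or KE payload

@dataclass
class Initiator:
    reuse_spi: bool   # True models the pre-5.6.1 behaviour
    proposed: List[int]                                  # preference-ordered groups
    spi_i: bytes = field(default_factory=lambda: os.urandom(8))
    group: int = 0    # group currently sent in our KE payload
    restarts: int = 0

    def __post_init__(self):
        self.group = self.proposed[0]

    def restart(self, group: int) -> None:
        """Restart IKE_SA_INIT with the requested group."""
        self.group = group
        self.restarts += 1
        if not self.reuse_spi:
            self.spi_i = os.urandom(8)               # 5.6.1: new attempt, new SPI

    def handle(self, resp: Response) -> str:
        """Process a response; anything for an older attempt's SPI is dropped."""
        if resp.spi_i != self.spi_i:
            return "dropped"
        if resp.kind == "INVALID_KE_PAYLOAD":
            if resp.group == self.group:
                return "fatal: responder rejects the group we already switched to"
            if resp.group not in self.proposed:
                return "fatal: responder requested a group we never proposed"
            self.restart(resp.group)
            return f"restarted with group {resp.group}"
        if resp.kind == "KE":
            return "established" if resp.group == self.group else "fatal: KE group mismatch"
        return "ignored"

def scenario(reuse_spi: bool) -> List[str]:
    """Initiator proposes 19 first; the responder wants 14. The reply to the
    retransmitted IKE_SA_INIT arrives late, after we already switched to 14.
    Constructed message sequence, not a capture."""
    init = Initiator(reuse_spi=reuse_spi, proposed=[19, 14])
    first_spi = init.spi_i
    out = [init.handle(Response(first_spi, "INVALID_KE_PAYLOAD", 14))]
    # delayed duplicate notify answering the retransmitted first IKE_SA_INIT
    out.append(init.handle(Response(first_spi, "INVALID_KE_PAYLOAD", 14)))
    # responder's KE payload answering the restarted IKE_SA_INIT with group 14
    out.append(init.handle(Response(init.spi_i, "KE", 14)))
    return out

if __name__ == "__main__":
    print("reused SPI:", scenario(True))
    print("fresh SPI: ", scenario(False))
```

With the SPI reused, the stale duplicate notify matches the current SA and is treated as a rejection of the group we already moved to; with a fresh SPI per attempt the same packet is discarded as belonging to an earlier attempt.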
- The introduction of file versions in the IMV database scheme broke file reference hash measurements.
This has been fixed by creating generic product versions having an empty package name.
- A new timeout option for the systime-fix plugin stops periodic system time checks after a while and enforces
a certificate verification, closing or reauthenticating all SAs with invalid certificates.
- The IKE event counters, previously only available via ipsec listcounters command, may now also be queried and
reset via vici and the new swanctl --counters command. They are collected and provided by the optional
counters plugin (enabled by default for backwards compatibility if the stroke plugin is built).
- Class attributes received in RADIUS Access-Accept messages may optionally be added to RADIUS accounting
messages (commit:655924074b).
- Basic support for systemd sockets has been added, which may be used for privilege separation (commit:59db98fb94).
- Inbound marks may optionally be installed in the SA again (was removed with 5.5.2) by enabling the mark_in_sa
option in swanctl.conf.
- The timeout of leases in pools configured via pool utility may be configured in other units than hours.
- INITIAL_CONTACT notifies are now only omitted if never is configured as uniqueness policy.
- Outbound FWD policies for shunts are not installed anymore, by default (as is the case for other policies since 5.5.1).
- Don't consider a DH group mismatch during CHILD_SA rekeying as failure as responder (commit:e7276f78aa).
- Handling of fragmented IPv4 and IPv6 packets in libipsec has been improved (commit:e138003de9).
- Trigger expire events for the correct IPsec SA in libipsec (commit:6e861947a0).
- A crash in CRL verification via openssl plugin using OpenSSL 1.1 has been fixed (commit:78acaba6a1).
- No hard-coded default proposals are passed from starter to the stroke plugin anymore (the IKE proposal used
curve25519 since 5.5.2, which is an optional plugin).
- A workaround for an issue with virtual IPs on macOS 10.13 (High Sierra) has been added (commit:039b85dd43).
- Handling of IKE_SA rekey collisions in charon-tkm has been fixed.
- Instead of failing or just silently doing nothing, unit tests may now warn about certain conditions (e.g. if a test
was not executed due to external dependencies).
Version 5.6.0
- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
when verifying RSA signatures, which requires decryption with the operation m^e mod n, where m
is the signature, and e and n are the exponent and modulus of the public key. The value m is an
integer between 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the
calculation results in 0, in which case mpz_export() returns NULL. This result wasn't handled
properly causing a null-pointer dereference. This vulnerability has been registered as CVE-2017-11185.
Please refer to our blog for details.
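The missing check is the range test that RFC 8017's RSAVP1 primitive requires before the modular exponentiation. The following is an added example, not the gmp plugin's code: it uses a constructed textbook toy key (p=61, q=53, n=3233, e=17, d=2753, far too small for real use), models the NULL return of mpz_export() as `None`, and contrasts an unchecked primitive with one that validates the range and the encoded length.

```python
"""RSAVP1 input validation as described for CVE-2017-11185. Added example,
not strongSwan code. Toy key is constructed for illustration only."""

E, D, N = 17, 2753, 3233          # constructed textbook key: p=61, q=53

def export_like_mpz(value: int, length: int):
    """Stand-in for mpz_export(): per the changelog it returns NULL for a
    zero value; modelled here as None instead of a byte string."""
    return None if value == 0 else value.to_bytes(length, "big")

def rsavp1_unchecked(sig: bytes, e: int, n: int):
    """Flawed flow: no range check. A signature equal to n decrypts to
    n^e mod n == 0, so the export yields None, which a caller then dereferences."""
    k = (n.bit_length() + 7) // 8
    return export_like_mpz(pow(int.from_bytes(sig, "big"), e, n), k)

def rsavp1(sig: bytes, e: int, n: int) -> bytes:
    """RSAVP1 (RFC 8017 5.2.2): the representative must lie in [0, n-1] and
    the octet string must be exactly as long as the modulus; anything else
    is rejected before the modular exponentiation runs."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(sig, "big")
    if len(sig) != k or m >= n:
        raise ValueError("signature representative out of range")
    return pow(m, e, n).to_bytes(k, "big")   # 0 is in range and encodes cleanly

def rejects(sig: bytes, e: int = E, n: int = N) -> bool:
    """True if the checked primitive refuses the signature."""
    try:
        rsavp1(sig, e, n)
    except ValueError:
        return True
    return False

def sign_toy(m: int, d: int = D, n: int = N) -> bytes:
    """RSASP1 with the toy key; m must already be a reduced representative."""
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    good = sign_toy(1234)
    print("valid representative:", rsavp1(good, E, N).hex())
    bad = N.to_bytes(2, "big")                # m == n, the CVE trigger
    print("unchecked, m == n:", rsavp1_unchecked(bad, E, N))   # None
    print("checked, m == n rejected:", rejects(bad))           # True
```

The length check matters as much as the numeric one: a fixed-width encoding of the modulus rules out oversized inputs early, and a zero result (m == 0) still produces a well-formed, all-zero octet string rather than a NULL pointer.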
- New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
Draft and has been demonstrated at the IETF 99 Prague Hackathon.
- The IMV database template has been adapted to achieve full compliance with the
ISO 19770-2:2015 SWID tag standard.
- The sw-collector tool extracts software events from apt history logs and stores them
in an SQLite database to be used by the SWIMA IMC. The tool can also generate SWID tags both
for installed and removed package versions.
- The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
- libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
- Adds the eap-aka-3gpp plugin, which implements the 3GPP MILENAGE algorithms in software.
K (optionally concatenated with OPc) may be configured as binary EAP secret in ipsec.secrets
or swanctl.conf.
- The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3:
  - On Linux the outbound policy now has the SPI of the corresponding SA set and the responder
  of a rekeying will install both IPsec SAs (in/out) immediately, but delay the update of the
  outbound policy until it received the delete for the replaced CHILD_SA.
  - The previous code temporarily installed an outbound IPsec SA/policy that was deleted
  immediately afterwards when a rekey collision was lost, which caused a slight chance for traffic loss.
- The remote address must not be resolvable anymore when installing trap policies (at least not if the
remote traffic selector is not %dynamic, commit:1a8226429a).
- The new %unique-dir value for the mark* settings in swanctl.conf or ipsec.conf will allocate separate
unique marks for each CHILD_SA direction (commit:32e5c49234).
- By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
swanctl.conf file.
- The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
- The error-notify plugin correctly handles disconnected listeners (commit:ed926a73df).
- The sha2 plugin was changed so that the last output is not stored in an internal buffer anymore (commit:1a75514b76, #2388).
- The encoding of nonces in OCSP requests was fixed in the x509 plugin (commit:d7dc677ee5).
- The handling of keyUsage extensions in X.509 certificates was fixed in the openssl plugin (commit:e793d65acd).
- pki loads the pubkey plugin to fix printing public keys (commit:ef6b710f19).
- Some changes were added to the TestingEnvironment:
  - do-tests supports running multiple tests via wildcards (e.g. do-tests ikev2/ocsp-*)
  - With the -v option do-tests will prefix each executed command with a timestamp in console.log
  - Tests in evaltest.dat can now easily match a specific number of lines (instead of [YES] or [NO]
  use e.g. [2] if exactly two matching lines - or packets for tcpdump matches - are expected)
  - Failed matches are now clearly marked in console.log