Changelog for 5.7.x

Version 5.7.2

  • For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt length
    (as defined by the length of the key and hash). However, if the TPM is FIPS 186-4 compliant,
    the salt length equals the hash length. This is assumed for FIPS 140-2 compliant TPMs, but
    if that assumption doesn't hold, it might be necessary to manually enable
    charon.plugins.tpm.fips_186_4 for a TPM that doesn't use the maximum salt length.
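As an added illustration of the salt-length mismatch described above (example code written for this changelog, not part of strongSwan or its tpm plugin), the following Python implements EMSA-PSS encoding and verification from RFC 8017 using only hashlib. It computes both salt-length conventions for a given key size and hash and shows that an encoding produced under one convention fails verification when the verifier expects the other, which is exactly the interoperability failure the fips_186_4 option exists to avoid. The message and key size are constructed test values.

```python
import hashlib
import hmac
import os


def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 mask generation function (RFC 8017, appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def pss_salt_lengths(mod_bits: int, hash_name: str) -> dict:
    """The two conventions from the text: the maximum the encoding allows
    (TPM 2.0 default) and the hash length (FIPS 186-4)."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (mod_bits - 1 + 7) // 8          # emLen = ceil(emBits / 8), emBits = modBits - 1
    return {"max": em_len - h_len - 2, "fips_186_4": h_len}


def emsa_pss_encode(message: bytes, mod_bits: int, s_len: int,
                    hash_name: str = "sha256", salt: bytes = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017, section 9.1.1); a fixed salt may be passed for tests."""
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    h_len = hashlib.new(hash_name).digest_size
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: salt too long for this key/hash")
    if salt is None:
        salt = os.urandom(s_len)
    m_hash = hashlib.new(hash_name, message).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the leftmost unused bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, mod_bits: int, s_len: int,
                    hash_name: str = "sha256") -> bool:
    """EMSA-PSS-VERIFY (RFC 8017, section 9.1.2) for an expected salt length s_len."""
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    unused = 8 * em_len - em_bits
    if masked_db[0] & (0xFF << (8 - unused)) & 0xFF:
        return False                              # leftmost unused bits must be zero
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - h_len - 1, hash_name)))
    db[0] &= 0xFF >> unused
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False                              # padding/salt boundary is not where s_len says
    salt = bytes(db[ps_len + 1:])                 # exactly s_len bytes remain
    m_hash = hashlib.new(hash_name, message).digest()
    h_expected = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_expected)


def salt_length_mismatch_demo(mod_bits: int = 2048, hash_name: str = "sha256") -> dict:
    """Signer-side salt length vs verifier-side expectation, all four combinations."""
    lengths = pss_salt_lengths(mod_bits, hash_name)
    msg = b"constructed test message"             # constructed sample input
    results = {}
    for enc_name, enc_len in lengths.items():
        em = emsa_pss_encode(msg, mod_bits, enc_len, hash_name)
        for ver_name, ver_len in lengths.items():
            results[(enc_name, ver_name)] = emsa_pss_verify(msg, em, mod_bits, ver_len, hash_name)
    return results


if __name__ == "__main__":
    for (enc, ver), ok in salt_length_mismatch_demo().items():
        print(f"encoded with {enc:10} verified expecting {ver:10}: {'ok' if ok else 'REJECTED'}")
```

Only the two matching combinations verify; a signature made by a TPM using the hash-length salt is rejected by a verifier that insists on the maximum salt length, and vice versa, because the zero-padding/0x01 boundary in DB ends up in a different place.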
  • Directories for credentials loaded by swanctl are now accessed relative to the loaded
    swanctl.conf file, in particular, when loading it from a custom location via --file argument.
    The base directory, which is used if no custom location for swanctl.conf is specified, is now
    also configurable at runtime via SWANCTL_DIR environment variable.
  • If RADIUS Accounting is enabled, the eap-radius plugin will add the session ID (Acct-Session-Id)
    to Access-Request messages, which e.g. simplifies associating database entries for IP leases and
    accounting with sessions (the session ID does not change when IKE_SAs are rekeyed, #2853).
  • All IP addresses assigned by a RADIUS server are included in Accounting-Stop messages even if
    the client did not claim them, which allows releasing them early in case of connection errors (#2856).
  • Selectors installed on transport mode SAs by the kernel-netlink plugin are now updated if an
    IP address changes (e.g. via MOBIKE) and it was part of the selectors.
  • No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815).
  • The bypass-lan plugin now tracks interfaces to handle subnets that move from one interface
    to another and properly update associated routes (#2820).
  • Only valid and expected inbound IKEv2 messages are used to update the timestamp of the
    last received message (previously, retransmits also triggered an update).
  • IKEv2 requests from responders are now ignored until the IKE_SA is fully established (e.g. if a
    DPD request from the peer arrives before the IKE_AUTH response does, 46bea1add9).
  • Delayed IKE_SA_INIT responses with COOKIE notifies we already received are ignored; previously,
    they caused another reset of the IKE_SA (#2837).
  • Active and queued Quick Mode tasks are now adopted if the peer reauthenticates an IKEv1 SA
    while creating lots of CHILD_SAs.
  • Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension to SADB_ACQUIRE
    messages, which allows the kernel-pfkey plugin to determine the reqid of the policy even if it
    wasn't installed by the daemon previously (e.g. when using FreeBSD's if_ipsec(4) VTIs, which
    install policies themselves, 872b9b3e8d).
  • Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin. For older
    versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature authentication has to be
    disabled via charon.signature_authentication.
  • The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
  • The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys and
    signatures when built against OpenSSL 1.1.1.
  • Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM was added to the botan plugin.
  • The mysql plugin now properly handles database connections with transactions
    under heavy load (#2779).
  • IP addresses in ha pools are now distributed evenly among all segments (#2828).
  • Private key implementations may optionally provide a list of supported signature schemes,
    which, as described above, is used by the tpm plugin because, for each key on a TPM 2.0, the
    hash algorithm (and for RSA also the padding scheme) is predefined.
  • The testing environment is now based on Debian 9 (stretch) by default. This required
    some changes, in particular, updating to FreeRADIUS 3.x (which forced us to abandon the
    TNC@FHH patches and scenarios, 2fbe44bef3) and removing FIPS-enabled versions of
    OpenSSL (the FIPS module only supports OpenSSL 1.0.2).

Version 5.7.1

  • Fixes a vulnerability in the gmp plugin triggered by crafted certificates with RSA keys with
    very small moduli. When verifying signatures with such keys, the code patched with the fix
    for CVE-2018-16151/2 caused an integer underflow and subsequent heap buffer overflow
    that results in a crash of the daemon.
    The vulnerability has been registered as CVE-2018-17540.
    Please refer to our blog for details.
  • This release contains no other changes, please refer to 5.7.0 for other features and fixes.

Version 5.7.0

  • Fixes a potential authorization bypass vulnerability in the gmp plugin that was caused by a too lenient
    verification of PKCS#1 v1.5 signatures. Several flaws could be exploited by a Bleichenbacher-style attack
    to forge signatures for low-exponent keys (i.e. with e=3).
    CVE-2018-16151 has been assigned to the problem of accepting random bytes after the OID of the
    hash function in such signatures, and CVE-2018-16152 has been assigned to the issue of not verifying
    that the parameters in the ASN.1 algorithmIdentifier structure are empty. Other flaws that don't lead
    to a vulnerability directly (e.g. not checking for at least 8 bytes of padding) have no separate CVE assigned.
    Please refer to our blog for details.
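For both gmp plugin issues above (the lenient PKCS#1 v1.5 signature parsing fixed in 5.7.0 and the small-modulus crash fixed in 5.7.1), the defensive pattern is to never parse the untrusted DigestInfo at all: re-encode the expected block from the message and compare the whole thing byte for byte, after rejecting any modulus too short to hold it. The following Python is an added example, not strongSwan code; it implements EMSA-PKCS1-v1_5 from RFC 8017 with hashlib only, builds constructed malformed blocks of the three kinds the entry names (bytes after the DigestInfo, non-NULL AlgorithmIdentifier parameters, fewer than 8 padding bytes) and shows the strict verifier rejects all of them, and refuses an undersized modulus on the length check alone. The message, block lengths and filler bytes are constructed test data.

```python
import hashlib
import hmac

# DER prefix of DigestInfo, i.e. SEQUENCE { AlgorithmIdentifier { OID, NULL }, OCTET STRING }
# without the digest bytes themselves (RFC 8017, section 9.2, note 1).
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def digest_info(message: bytes, hash_name: str) -> bytes:
    return DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()


def emsa_pkcs1_v15_encode(message: bytes, em_len: int, hash_name: str) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017, section 9.2); em_len is the modulus length in bytes."""
    t = digest_info(message, hash_name)
    if em_len < len(t) + 11:
        # Small-modulus case: refuse before any arithmetic or parsing on the block.
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)      # at least 8 bytes thanks to the check above
    return b"\x00\x01" + ps + b"\x00" + t


def verify_pkcs1_v15_em(em: bytes, message: bytes, hash_name: str) -> bool:
    """Strict verification: the recovered block must equal the re-encoded one exactly.
    Nothing in the untrusted block is parsed, so trailing data, odd AlgorithmIdentifier
    parameters or short padding cannot slip through."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em), hash_name)
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(em, expected)


def malformed_blocks(message: bytes, em_len: int, hash_name: str = "sha256") -> dict:
    """Constructed encoded blocks with the flaws named in the changelog entry (test data only)."""
    t = digest_info(message, hash_name)
    blocks = {}
    # CVE-2018-16151 class: bytes after the DigestInfo, padding shortened to make room.
    junk = b"\x00" * 16
    ps = b"\xff" * (em_len - len(t) - 3 - len(junk))
    blocks["trailing_bytes"] = b"\x00\x01" + ps + b"\x00" + t + junk
    # CVE-2018-16152 class: AlgorithmIdentifier parameters not NULL (here a 1-byte OCTET STRING);
    # the two enclosing short-form DER lengths grow by one byte each.
    prefix = bytearray(DIGEST_INFO_PREFIX[hash_name])
    i = prefix.index(b"\x05\x00")
    prefix[i:i + 2] = b"\x04\x01\x00"
    prefix[1] += 1
    prefix[3] += 1
    t2 = bytes(prefix) + hashlib.new(hash_name, message).digest()
    blocks["non_null_params"] = b"\x00\x01" + b"\xff" * (em_len - len(t2) - 3) + b"\x00" + t2
    # Fewer than 8 padding bytes, with the rest of the block filled after the DigestInfo.
    short_ps = b"\xff" * 4
    filler = b"\x00" * (em_len - 3 - len(short_ps) - len(t))
    blocks["short_padding"] = b"\x00\x01" + short_ps + b"\x00" + t + filler
    return blocks


if __name__ == "__main__":
    msg = b"constructed message"
    good = emsa_pkcs1_v15_encode(msg, 256, "sha256")        # 2048-bit modulus
    print("well-formed     :", verify_pkcs1_v15_em(good, msg, "sha256"))
    for name, em in malformed_blocks(msg, 256).items():
        print(f"{name:16}: {verify_pkcs1_v15_em(em, msg, 'sha256')}")
    print("20-byte modulus :", verify_pkcs1_v15_em(b"\x00" * 20, msg, "sha256"))
```

The comparison approach has no ASN.1 parser to get wrong and no length arithmetic on attacker-controlled structure, which is why it is the form RFC 8017 recommends for verification.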
  • Dots are not allowed anymore in section names in swanctl.conf and strongswan.conf.
    This mainly affects the configuration of file loggers. If the path for such a log file contains dots,
    it now has to be configured in the new path setting within an arbitrarily named subsection of the
    filelog section.
  • Sections in swanctl.conf and strongswan.conf may now reference other sections. All settings and
    subsections from such a section are inherited. This simplifies configs, as redundant information
    only has to be specified once and may then be included in other sections (see strongswan.conf for
    an example).
  • The originally selected IKE config (based on the IPs and IKE version) can now change if no matching
    algorithm proposal is found. This way the order of the configs doesn't matter that much anymore and
    it's easily possible to specify separate configs for clients that require weaker algorithms (instead
    of having to also add them in other configs that might be selected).
  • The new botan plugin is a wrapper around the Botan C++ crypto library.
    It requires a fairly recent build from Botan's master branch (or the upcoming 2.8.0 release).
    Thanks to René Korthaus and his team from Rohde & Schwarz Cybersecurity for the initial patch and to
    Jack Lloyd for quickly adding missing functions to Botan's FFI (C89) interface.
  • Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA) for PA-TNC".
    The SWIMA subscription option sets a CLOSE_WRITE trigger on the apt history.log file, resulting in a
    ClientRetry PB-TNC batch that initializes a new measurement cycle. The new imv/imc-swima plugins
    replace the previous imv/imc-swid plugins, which were removed.
  • Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA protocols
    on Google's OSS-Fuzz infrastructure.
  • Support for version 2 of Intel's TPM2-TSS TCG Software Stack. The presence of the in-kernel /dev/tpmrm0
    resource manager is automatically detected.
  • The pki tool accepts an xmppAddr otherName as a subjectAlternativeName using the
    syntax --san xmppaddr:<jid>.
  • swanctl.conf supports the configuration of marks the in- and/or outbound SA should apply to packets after
    processing on Linux. Configuring such a mark for outbound SAs requires at least a 4.14 kernel. The ability
    to set a mask and configuring a mark/mask for inbound SAs will be added with the upcoming 4.19 kernel.
  • New options in swanctl.conf allow configuring how/whether DF, ECN and DS fields in the IP headers are
    copied during IPsec processing. Controlling this is currently only possible on Linux.
  • The handling of sequence numbers in IKEv1 DPDs has been improved (#2714).
  • To avoid conflicts, the dhcp plugin now only uses the DHCP server port if explicitly configured.