Minor Release


4 issues   (4 closed — 0 open)

Version 5.3.1

  • Fixed a denial-of-service and potential remote code execution vulnerability
    triggered by IKEv1/IKEv2 messages that contain payloads for the respective
    other IKE version. Such payloads are treated specially since 5.2.2, but because
    they were still identified by their original payload type, they were used as
    such in some places, causing invalid function pointer dereferences.
    The vulnerability has been registered as CVE-2015-3991.
    Please refer to our blog for details.
  • The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto
    primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ
    instructions and works on both x86 and x64 architectures. It provides
    superior crypto performance in userland without any external libraries.
  • Fixed an issue with IKEv2 fragmentation (introduced with 5.2.1) and encryption
    algorithms that use sequential IVs (e.g. AES-GCM). Previously the IKE message ID was
    used as IV, but with IKEv2 fragmentation this ID is not unique anymore, causing the
    same IV to get used for fragments of the same message. This was fixed by including
    the fragment identifier in the IV (62e0abe759).
  • The TLS client in libtls now rejects Diffie-Hellman groups with primes < 1024 bit (47e96391f2).
  • The accuracy of usage statistics reported via RADIUS Accounting has been
    increased in several situations (e.g. if interim updates occur while rekeying a CHILD_SA).
  • A constant time memory comparison utility function (chunk_equals_const) was
    added for cryptographic purposes (aa9b74931f).
  • The interface for DH implementations was extended to enable unit tests (44136bec94).
  • Fixed initialization of HMAC primitives in the openssl plugin for newer
    OpenSSL releases (c2906c8f21).
  • ike-updown and child-updown events are now relayed via VICI (a7e4a2d6c2).
  • The Ruby Gems and Python Eggs built with --enable-ruby-gems|--enable-python-eggs are
    no longer installed during make install. To install them, pass the options
    --enable-ruby-gems-install and/or --enable-python-eggs-install to ./configure (f16f792e17).
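
The IV reuse described in the IKEv2 fragmentation item above can be made concrete with a small check. This is an added example, not strongSwan code: the function names and the byte layout of the fragment number inside the 8-byte IV are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_LEN 8  /* explicit IV length for AES-GCM in IKEv2 (RFC 5282) */

/* Pre-fix behaviour as described above: IV derived from the message ID only. */
static void iv_from_mid(uint32_t mid, uint16_t frag, uint8_t iv[IV_LEN])
{
    (void)frag;
    memset(iv, 0, IV_LEN);
    for (int i = 0; i < 4; i++)
        iv[IV_LEN - 1 - i] = (uint8_t)(mid >> (8 * i));
}

/* Post-fix idea: fragment number is part of the IV. The byte layout
 * (fragment number in bytes 2..3, message ID in bytes 4..7) is assumed. */
static void iv_from_mid_frag(uint32_t mid, uint16_t frag, uint8_t iv[IV_LEN])
{
    iv_from_mid(mid, 0, iv);
    iv[2] = (uint8_t)(frag >> 8);
    iv[3] = (uint8_t)frag;
}

typedef void (*iv_fn)(uint32_t, uint16_t, uint8_t[IV_LEN]);

/* Count pairs of (message, fragment) that share an IV under one key. */
static unsigned count_iv_collisions(iv_fn derive, uint32_t msgs, uint16_t frags)
{
    uint8_t ivs[64][IV_LEN];
    unsigned n = 0, collisions = 0;

    for (uint32_t mid = 0; mid < msgs; mid++)
        for (uint16_t f = 1; f <= frags && n < 64; f++)
            derive(mid, f, ivs[n++]);
    for (unsigned a = 0; a < n; a++)
        for (unsigned b = a + 1; b < n; b++)
            collisions += memcmp(ivs[a], ivs[b], IV_LEN) == 0;
    return collisions;
}

int main(void)
{
    printf("message ID only:       %u colliding pairs\n",
           count_iv_collisions(iv_from_mid, 3, 4));
    printf("message ID + fragment: %u colliding pairs\n",
           count_iv_collisions(iv_from_mid_frag, 3, 4));
    return 0;
}
```

With three messages of four fragments each, every pair of fragments within a message shares an IV under the first scheme, and none do under the second.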