Minor Release


6 issues   (6 closed — 0 open)

Version 5.5.3

  • Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
    validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
    requirements regarding the passed exponent and modulus that the plugin did not
    enforce, if these are not met the calculation will result in a floating point exception
    that crashes the whole process.
    This vulnerability has been registered as CVE-2017-9022.
    Please refer to our blog for details.
  • Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser
    didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when
    parsing X.509 extensions that use such types.
    This vulnerability has been registered as CVE-2017-9023.
    Please refer to our blog for details.
  • The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
    traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA
    the responder already has everything available to install and use the new CHILD_SA.
    However, this could lead to lost traffic as the initiator won't be able to process
    inbound packets until it processed the CREATE_CHILD_SA response and updated the
    inbound SA. To avoid this the responder now only installs the new inbound SA and
    delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.

    The messages transporting these DELETEs could reach the peer before packets sent
    with the deleted outbound SAs reach it. To reduce the chance of traffic loss due
    to this the inbound SA of the replaced CHILD_SA is not removed for a configurable
    amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed.

  • The code base has been ported to Apple's ARM64 iOS platform, which required several
    changes regarding the use of variadic functions. This was necessary because the calling
    conventions for variadic and regular functions are different there.
    This means that assigning a non-variadic function to a variadic function pointer, as we
    did with our enumerator_t::enumerate() implementations and several callbacks, will
    result in crashes as the called function accesses the arguments differently than the
    caller provided them. To avoid this issue the enumerator_t interface has been changed
    and the signature of the callback functions for enumerator_create_filter() and two
    methods on linked_list_t have been changed. Refer to the developer notes below
    for details.
  • Adds support for fuzzing the certificate parser provided by the default plugins
    (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with
    libFuzzer). Several issues found while fuzzing these plugins were fixed.
  • Two new options have been added to charon's retransmission settings:
    retransmit_limit and retransmit_jitter. The former adds an upper limit to the
    calculated retransmission timeout, the latter randomly reduces it.
    Refer to Retransmission for details.
  • A bug in swanctl's --load-creds command was fixed that caused unencrypted
    private keys to get unloaded if the command was called multiple times.
    The load-key VICI command now returns the key ID of the loaded key on success.
  • The credential manager now enumerates local credential sets before global ones.
    This means certificates supplied by the peer will now be preferred over certificates
    with the same identity that may be locally stored (e.g. in the certificate cache).
  • Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for
    specific hardware that supports this.
  • To announce support for IKE fragmentation but not actively fragment IKE messages
    the new accept option for the fragmentation setting may be used.
  • If charon.plugins.socket-default.set_sourceif is enabled the socket-default plugin
    sets the outbound interface via IP_PKTINFO/IN6_PKTINFO. This is usually not required
    but could be used in special scenarios, e.g. to use IPv6 link-local addresses as
    tunnel endpoints.
  • Add support for SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for PF_KEYv2's
    SADB_UPDATE message, which upcoming FreeBSD kernels will support for updating
    IP addresses of existing SAs.
  • The value of charon.plugins.kernel-netlink.xfrm_acq_expires is now determined
    automatically based on the configured retransmission settings.
  • If updating the inbound SA fails the kernel-netlink plugin now tries to add it, which
    could be useful if the SPI already expired after lots of retransmits of several exchanges.
  • charon-nm and the NetworkManager plugin now support customizing the IKE and
    ESP proposals.
  • With the sha256_96 compatibility option it's possible to locally configure 96-bit truncation
    for HMAC_SHA256 (the correct truncation is 128 bit) when negotiated using the official
    algorithm identifier (12). This is only useful for compatibility with peers that incorrectly
    use this shorter truncation as the actual truncation length is not negotiated.
  • The removal of all online leases by the attr-sql plugin at startup may now be disabled
    to share the database between multiple instances.
  • The pki tool loads the curve25519 plugin by default.
  • When building the libraries monolithically and statically the plugin constructors are now
    hard-coded in each library so the plugin code is not removed by the linker because it
    thinks none of their symbols are ever referenced. This allows building an almost stand-alone
    static version of e.g. charon when building with --enable-monolithic --enable-static
    (without --disable-shared libtool will build a version that still links
    the libraries dynamically, which might save some disk space if it's not necessary to link
    them statically, however, using --enable-monolithic might be enough in that case).
    External libraries (e.g. gmp or openssl) are not linked statically this way, though.
  • Notes for developers:
    • child_sa_t: The API used for installing policies and SAs has been changed (traffic
      selectors are now only set once, outbound SAs and policies may be installed/uninstalled
    • enumerator_t: A new mandatory method, venumerate(), has been added that takes
      a va_list with the arguments provided while enumerating. enumerate() is replaced
      with a generic implementation that prepares a va_list and calls the enumerator's
      venumerate() implementation. As this allows passing the arguments of one enumerator
      to another it avoids the five pointer hack previously used by enumerator_create_nested()
      and enumerator_create_cleaner(). To simplify the implementation of venumerate() a
      helper macro is provided that assigns values from a given va_list to local variables.
    • enumerator_create_filter(): The signature of the callback has changed significantly.
      It's now required to enumerate over the original enumerator in the callback itself, as
      this avoids the previous in/out pointer hack. The arguments to the outer enumerator are
      provided in a va_list.
    • linked_list_t: To avoid the five pointer hack previously used the signatures of the
      callbacks for linked_list_t's invoke_function() and find_first() methods have been
      changed to take a va_list as second argument. For the latter method the return type also
      changed from status_t to bool, which is important as SUCCESS is defined as 0, so checks
      for == SUCCESS will now fail.
Issues by