Headline
CVE-2023-41913: Releases · strongswan/strongswan
strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm’s DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.
strongSwan 5.9.13
Enhancements and Optimizations
- Added charon.ocsp_nonce_len setting that allows specifying the length of nonce values in OCSP requests. Since 5.9.12, the default length is set to 32 bytes, as required by RFC 8954 for newer clients. However, there might be older OCSP servers that don’t support that, in which case reducing the length to e.g. 16, which was the previous default, might be necessary (f3af170).
- OCSP error responses are now dropped immediately instead of trying to verify a non-existent signature (b3e66ac, e7a58f4).
- pki --ocsp --respond replies with an internal error OCSP response if no signer certificate is found (e.g. if the request is sent to the wrong server) instead of failing silently (945be4e).
Fixes
- Fixed a regression with handling OCSP error responses that was introduced with 5.9.12 (#2011, 585c400, 9c4846c).
- Added missing environment variables for cert-install-ssl cert-enroll script script (da45cf9).
Refer to the 5.9.13 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.12
Vulnerabilities
- Fixed a vulnerability in charon-tkm (the TKM-backed version of the charon IKE daemon) related to processing DH public values that can lead to a buffer overflow and potentially remote code execution. This vulnerability has been registered as CVE-2023-41913. Please refer to our blog for details.
New Feature Additions
The new pki --ocsp command produces OCSP responses based on certificate status information provided by implementations of the new ocsp_responder_t interface (#1958).
Two sources are currently available, the openxpki plugin that directly accesses the OpenXPKI database and the command’s --index argument, which reads certificate status information from OpenSSL-style index.txt files (multiple CAs are supported concurrently).
The new cert-enroll script handles the initial enrollment of an X.509 host certificate with a PKI server via the EST or SCEP protocols.
Run as a systemd timer or via a crontab entry, the script checks the expiration date of the host certificate daily. When a given deadline is reached, the host certificate is automatically renewed via EST or SCEP re-enrollment based on the possession of the old private key and the matching certificate.
Added a global option (charon.reject_trusted_end_entity) to prevent peers from authenticating with certificates that are locally trusted, in particular, our own local certificate, which safeguards against accidental reuse of certificates on multiple peers. As the name suggests, all trusted end-entity certificates are rejected if enabled, so peer certificates can’t be configured explicitly anymore (e.g. via remote.certs in swanctl.conf).
The --priv argument for charon-cmd allows the use of any type of private key (previously, only RSA keys were supported).
The openssl plugin now supports the nameConstraints extension in X.509 certificates (#1990).
Support for nameConstraints of type iPAddress are now supported by the x509, openssl and constraints plugins (#1991).
Support for encoding subjectAlternativeName extensions of type uniformResourceIdentifier in X.509 certificates has been added via the uri: prefix (e.g. for URNs, #1983).
Support for password-less PKCS#12 and PKCS#8 files has been added (#1955).
Enhancements and Optimizations
Because of a relatively recent NIAP requirement (TD0527, Test 8b), loading of certificates with ECDSA keys that explicitly encode the curve parameters is rejected if possible. Explicit encoding is pretty rare to begin with and e.g. wolfSSL already rejects such keys, by default. All crypto plugins that support ECDSA enforce this by rejecting such public keys, except when using older versions of OpenSSL (< 1.1.1h) or Botan (< 3.2.0) (#1949).
Make the NetworkManager plugin (charon-nm) actually use the XFRM interface it creates since 5.9.10. This involves setting interface IDs on SAs and policies, and installing routes via the interface. To avoid routing loops if the remote traffic selectors include the VPN server, IKE and ESP packets are marked to bypass the routing table that contains the routes via XFRM interface (69e0c11).
If available, the plugin now also adopts the interface name configured in connection.interface-name in a *.nmconnection file as name for the XFRM interface instead of generating one randomly (e8f8d32).
The resolve plugin tries to maintain the order of DNS servers it installs via resolvconf or resolv.conf (6440975, 8238ad4).
The kernel-libipsec plugin now always installs routes to remote networks even if no address is found in the local traffic selectors, which allows forwarding traffic from networks the VPN host is not part of (190d8cb).
Increased the default receive buffer size for Netlink sockets to 8 MiB (doubled by the kernel to account for overhead) and simplified the configuration (no need for a separate option to force overriding rmem_max). It’s now also set for event sockets, which previously could cause issues on hosts with e.g. lots of route changes (#1757).
When issuing certificates, the subjectKeyIdentifier of the issuing certificate, if available, is now copied as authorityKeyIdentifier, instead of always generating a SHA-1 hash of the issuer’s subjectPublicKey (#1992, 6941dcb).
Explicitly request permission to display notifications on Android 13+ (ddf84c1), also enabled hardware acceleration for the Android-specific OpenSSL build.
Fixes
- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with unrelated traffic selectors (#1855).
- Fixed an issue in watcher_t with handling errors on sockets (e.g. if the receive buffer is full), which caused an infinite loop if poll() only signaled POLLERR as event (#1757).
- Fixed an issue in the IKE_SA_INIT tracking code that was added with 5.9.6, which did not correctly untrack invalid messages with non-zero message IDs or SPIs (0b47357).
- Fixed a regression introduced with 5.9.8 when handling IKE redirects during IKE_AUTH (595fa07).
- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs in the kernel-netlink plugin, which prevented MOBIKE updates if a large anti-replay window was used (#1967).
- Fixed a race condition in the kernel-pfroute plugin when adding virtual IPs if the TUN device is activated after the address was already added internally, which caused the installed route not to go via TUN device in order to force the virtual IP as source address (#1807).
- Fixed an issue in libtls that could cause the wrong ECDH group to get instantiated (b5e4bf4).
- Fixed the encoding of the CHILD_SA_NOT_FOUND notify if a CHILD_SA is not found during rekeying. It was previously empty, now contains the SPI and sets the protocol to the values received in the REKEY_SA notify (849c2c9).
- Fixed a possible issue with MOBIKE in the Android client on certain devices (#1691).
For Developers
- The new ocsp_responder_t interface can be implemented to provide certificate status information to the pki --ocsp command. Responders can be (un-)registered via the ocsp_responders_t instance at lib->ocsp.
- For the watcher_t component, WATCHER_EXCEPT has been removed as there is no way to explicitly listen for errors on sockets and poll() actually can return POLLERR for any FD and it might even be the only signaled event (which caused an infinite loop previously). Now we simply notify the registered callbacks. The error is then reported by e.g. recvfrom(), which was already the case before if POLLERR was returned together with e.g. POLLIN.
- The reqids allocated for CHILD_SAs (including trap policies) via kernel_interface_t::alloc_reqid() are now refcounted. When recreating a CHILD_SA, a reference to the reqid can be requested via child_sa_t::get_reqid_ref(). If another reference is required afterwards, one can be acquired directly via kernel_interface_t::ref_reqid(). Each reference has to be released via kernel_interface_t::release_reqid(), whose interface was simplified.
- The testing environment is now based on Debian 12 (bookworm), by default. Also, when copying files to guests, the guest-specific files are now copied after the default files, which allows overriding files per guest (fixes an issue with winnetou’s /etc/fstab and mounting the test results).
Refer to the 5.9.12 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.11
A long-standing deadlock in the vici plugin has been fixed that could get triggered when multiple connections were initiated/terminated concurrently and control-log events were raised by the watcher_t component (#566).
To potentially improve the performance and reduce the chances of a similar deadlock, the logging calls in the watcher_t component have been reduced and moved out of its internal mutex (53208b0) and a change that caused the component to busy wait in some situations has also been reverted (30803f9). Also related is a change that avoids verbose log calls during initiate/terminate() (d96d15b, also see the developer notes below).
In compliance with RFC 5280, CRLs now have to be signed by a certificate that either encodes the cRLSign keyUsage bit (even if it is a CA certificate), or is a CA certificate without a keyUsage extension. strongSwan encodes a keyUsage extension with cRLSign bit set in all CA certificates since 13 years. And before that it didn’t encode the extension, so these certificates would also be accepted as CRL issuer in case they are still valid (7dc82de).
Support for optional CA labels in EST server URIs (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>) was added to the pki --est and pki --estca commands (#1614).
The pkcs7 and openssl plugins now support CMS-style signatures in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA signatures (#1615).
Fixed a regression in the server implementation of EAP-TLS when using TLS 1.2 or earlier that was introduced with 5.9.10 (#1613, 3d0d3f5).
The EAP-TLS client does now enforce that the TLS handshake is complete when using TLS 1.2 or earlier. It was possible to shortcut it by sending an early EAP-Success message. Note that this isn’t a security issue as the server is authenticated at that point (db87087).
On Linux, the kernel-libipsec plugin can now optionally handle ESP packets without UDP encapsulation (uses RAW sockets, disabled by default, e3cb756). The plugin and libipsec also gained support trap policies (23d20bb).
The dhcp plugin uses an alternative method to determine the source address when sending unicast DHCP requests, which is not affected by interface filtering that might be employed for the IKE sockets (#1573).
The selection of certificates and trust chains as initiator has been improved if the local trust chain is incomplete (i.e. the root CA certificate for the local certificate is not loaded) while a certificate request for a known but unrelated CA is received, which caused any local intermediate CA certificates not to get sent (efdcbd1).
ECDSA and EdDSA public keys are supported by the ipseckey plugin when parsing RFC 4025 IPSECKEY resource records (7be55ad).
The kernel-wfp plugin installs bypass policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer, which is necessary to bypass tunnel mode SAs/policies (8c0a67f).
The revocation plugin suppresses some log messages for cached OCSP responses (9e17a0e).
To further improve handling of cached OCSP responses, stale responses are now replaced in-place in the certificate cache (47e8b21).
Capabilities of a SCEP server are now correctly parsed by pki --scep and pki --scepca (#1607).
When renewing a certificate via SCEP, the --dn argument is now optional and gets copied from the previous certificate. This is helpful in case the CA added RDNs the user might not be aware of to the issued certificate (5f8eb09, #1689).
Fixed the fallback to the remote identity for mediated connections if no peer ID is configured (#1569, dd79253).
The log messages for the terminate() and rekey() commands have been improved to clarify what’s happening if combined filters are used (e.g. with both --ike and --child passed, only matching CHILD_SAs will be affected but previously a separate log message indicated that IKE_SAs would get targeted as well, 5e46e10).
Fixed a crash when charon-svc is terminated (8f5c0c9).
If IKEv1 SAs are reset during a reauthentication because of a timeout, the initiator SPI changes. CHILD_SAs are now correctly migrated to the new SPI (#1663).
For developers:
- Support for timeouts in the Python vici bindings has been improved so a default timeout that’s configured on the socket won’t be reset by vici.Transport.receive() and doesn’t cause partial reads (#1562).
- On Windows, the Python vici bindings now create a default TCP socket (00a75e3).
- The controller_t::initiate() and controller_t::terminate() methods now take the maximum log level for messages that are passed to the callback (if any). If controller_cb_empty() is passed as callback, LEVEL_SILENT should be used to avoid any useless calls to the callback.
- Disabling logging at compile-time via reduced DEBUG_LEVEL should again be possible (7fa85ff).
Refer to the 5.9.11 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.10
Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. Please refer to our blog for details.
Added support for full packet hardware offload for IPsec SAs and policies, which has been introduced with the Linux 6.2 kernel, to the kernel-netlink plugin (#1462). Bypass policies for the IKE ports are automatically offloaded to devices that support this type of offloading.
TLS-based EAP methods use the key derivation specified in draft-ietf-emu-tls-eap-types (currently in the RFC Editor’s publication queue) when used with TLS 1.3 (06abdf1).
The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the “protected success indication” (5401a74). Similarly, the eap-peap plugin correctly initiates Phase 2 with TLS 1.3 also if phase2_piggyback is disabled (default) (8aa13a1).
Routes via XFRM interfaces can now optionally be installed automatically by enabling the charon.plugins.kernel-netlink.install_routes_xfrmi option. Such routes are only installed if an interface with the ID referenced in if_id_out exists when the corresponding CHILD_SA is installed. If the traffic selectors include the IKE traffic to the peer, special care is required (please refer to the docs for details).
The NetworkManager backend charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel (#1048).
With the new prefer value for the childless setting, initiators will create a childless IKE_SA if the responder supports the extension (RFC 6023). As responder, it has the same effect as allow.
The pki --req command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request (CSR).
The pki --issue command adopts EKU flags that are either directly encoded in CSRs or derived from an encoded profile string (msCertificateTypeExtension). With the --flag option, these flags can either be overridden completely, or specific flags can be added and/or removed from the encoded set.
When running on a Linux 6.2 kernel, the last use times of CHILD_SAs are determined by querying the IPsec SAs and not the policies (older kernels don’t report the last use time per SA).
For libcurl with MultiSSL support, the curl plugin provides an option to select a specific SSL/TLS backend.
The swanctl --monitor-sa command exits with ECONNRESET if the daemon closes the VICI connection.
For developers:
- The default build of the Android app now relies on OpenSSL instead of the old BoringSSL version we previously used. A script to statically build libcrypto is provided in the repository (see the docs for details).
- Existing enum name lists (e.g. for algorithm or notify payload identifiers) can now be extended from plugins (0de4204).
- Implementations of kernel_ipsec_t that support reporting the last use time of an SA via query_sa(), should announce this via the KERNEL_SA_USE_TIME kernel feature.
- libvici provides a callback that’s invoked if the connection is closed by the daemon, which may be useful when listening for events.
Refer to the 5.9.10 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.9
- Fixed an issue that could cause OCSP requests to contain an incorrect serial number if the openssl plugin parsed the certificate (#1415). Also see below for changes regarding the unified handling of serial numbers in code.
- The path/command for resolvconf(8) used by the resolve plugin is now configurable (dee1916).
- The resolve plugin does not invoke resolvconf(8) with individual interface names for each name server anymore. Instead, it uses a single, configurable interface/protocol name and provides all available name servers to resolvconf(8) every time a name server is added or removed (#1353).
- The listen() operation in the VICI Python bindings may now optionally time out, which can be useful when listening for events in a separate thread as that can otherwise not be canceled easily (#1416). Support for Python 2 has been dropped.
- The first reqid that’s automatically assigned to a CHILD_SA is now configurable via charon.reqid_base in strongswan.conf. This allows reserving some low reqids for manual allocation.
- Default values for soft lifetimes of CHILD_SAs configured via swanctl.conf/VICI are now based on hard lifetimes if any are configured. Previously, it only worked the other way around (#1414).
- The kernel-netlink plugin now logs extended ACK error and warning messages provided by the Linux kernel if e.g. the installation of an SA or policy fails. This should give users a clearer indication of what might be wrong than the generic error messages for error codes like EINVAL or ENOSYS did previously.
- Several build conflicts with wolfSSL’s OpenSSL compatibility layer have been resolved (#1332).
- For developers:
- The get_serial() method of the x509_t, crl_t, and ac_t interfaces is now expected to return serial numbers in canonical form (i.e. without leading zeros). The existing plugins that implement or use these interfaces have been adapted accordingly, make sure to do the same with custom plugins/patches.
- If linked against libbfd (–enable-bfd-backtraces), our own leak detective can whitelist functions that are otherwise not visible.
Refer to the 5.9.9 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.8
Fixed a vulnerability related to online certificate revocation checking that was caused because the revocation plugin used potentially untrusted OCSP URIs and CRL distribution points in certificates. This allowed a remote attacker to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which could have lead to a denial-of-service attack. This vulnerability has been registered as CVE-2022-40617. Please refer to our blog for details.
The pki --scep|–scepca commands implement the HTTP-based “Simple Certificate Enrollment Protocol” (RFC 8894 SCEP) replacing the old and long deprecated scepclient that has been removed.
The pki --est|estca commands implement the HTTPS-based “Enrollment over Secure Transport” (RFC 7070 EST) protocol.
The pki --req command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key.
The ike_cfg_t object is now always replaced together with the peer_cfg_t object that’s set on an IKE_SA during authentication. This is more consistent and allows to properly take into account some settings that are also relevant during IKE_AUTH (e.g. childless) and it was actually already handled this way during rekeying/reestablishing of IKE_SAs and e.g. for the DSCP setting.
The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests (now indirectly enabled if the pki tool is built due to the implementation of EST) can be completed successfully with just the default plugins.
Our TLS client implementation now sends an empty certificate payload if a certificate request is received but no certificate is available. The encoding of TLS 1.3 certificate extensions for intermediate CA certificates has also been fixed.
The socket plugins don’t set the SO_REUSEADDR option anymore on the IKE UDP sockets, so an error is triggered if e.g. two daemons (e.g. charon and charon-systemd) are running concurrently using the same ports.
The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier for RSASSA-PSS signatures with explicit trailerField, which might be necessary for interoperability with implementations of RFC 7427 that haven’t considered its errata.
A potential use-after-free issue has been fixed when caching credential encodings (e.g. fingerprints) if multiple threads operate on the same key concurrently (#1231).
A potential crash has been fixed caused by a race condition during shutdown between the main thread flushing the IKE_SA manager and worker threads still creating IKE_SAs (#1252).
A potential crash in the vici plugin has been fixed that was caused when events were triggered with messages that failed to get created successfully (#1278).
A file descriptor leak has been fixed in the Android client (#1160), plus some other issues related to targeting Android 12 (e.g. #1151 and 86b69f2).
For developers:
- For IKEv2, the ike_updown() “up” event and the state change to IKE_ESTABLISHED are now triggered after all IKE-related tasks are done. This ensures the IKE_SA is actually fully established, which now includes any assigned virtual IPs, additional MOBIKE peer addresses or a reauthentication time updated via AUTH_LIFETIME notify. This was an issue for the selinux plugin if virtual IPs were used.
- In the cert_validator_t interface, the online flag has been removed from the validate() method, which is called during basic certificate chain validation. Online validation is now instead triggered via the new validate_online() method, which is called after a trusted certificate chain has been built.
- pen_t is now used for EAP vendor IDs instead of uint32_t.
- The --enable-asan configure option enables building with AddressSanitizer (ASan).
- The TESTS_ITERATIONS environment variable allows running only specific iterations of loop-based test functions.
Refer to the 5.9.8 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.7
The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message. So instead of deriving the keys directly while processing an IKE_SA_INIT request (which could come from a spoofed address), it is delayed until the corresponding IKE_AUTH request is received. See below for required changes for Diffie-Hellman implementations.
Inbound IKEv2 messages, in particular requests, are now processed differently. Instead of parsing all inbound messages right away (which might trigger a key derivation or require keys we don’t have anymore in the multi-KE use case), we now first check a request’s message ID and compare its hash to that of the previous request to decide if it’s a valid retransmit. For fragmented messages we only keep track of the first fragment so we can send the corresponding response immediately if a retransmit of it is received, instead of waiting for all fragments and reconstructing the message, which we did before.
The retransmission logic in the dhcp plugin has been fixed (#1154). As originally intended, four retransmits are now sent over a total of 15 seconds for each DHCP request. Previously, it could happen that some or all of the five messages were sent at basically the same time, without any delay to wait for a response.
The connmark plugin now considers configured masks in installed firewall rules (#1087). For instance, with mark_in = mark_out = %unique/0x0000ffff, mark values in the upper two bytes would not get reset by the rules installed by the plugin and could be used for other purposes. However, note that in this example the daemon would have to get restarted after 65’535 CHILD_SAs (at the latest) to reset the global 32-bit counter for unique marks as that’s unaware of any masks.
Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
The openssl plugin supports AES and Camellia in CTR mode (112bb46).
The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted (RFC 8247 only mentions AES-XCBC and recommends it exclusively for IoT deployments).
The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).
Support for GTK 4 was added to the NetworkManager plugin (#961), the necessary changes were released separately with version 1.6.0 of the plugin.
For developers:
- When building from the repository, the new --enable-warnings configure option is now automatically enabled. It adds -Wall -Wextra -Werror (and a bunch of -Wno-* flags for warnings that are difficult to avoid in our codebase) to the CFLAGS prepared by the script (CFLAGS passed to the script are added after the internal flags, so overriding these options is possible without having to disable --enable-warnings completely). This was mainly added to avoid passing -Werror to the configure script in our automated CI builds as that also affects the tests run by it.
- The diffie_hellman_t interface was renamed to key_exchange_t with the following additional changes to the interface:
- set_other_public_key() was renamed to set_public_key()
- this method must not do any costly public key validation or the actual key derivation anymore, which must instead be implemented in get_shared_secret()
- get_my_public_key() was renamed to get_public_key()
- set_private_value() was renamed to set_private_key()
- get_dh_group() was renamed to get_method()
- set_other_public_key() was renamed to set_public_key()
- The diffie_hellman_group_t enum was renamed to key_exchange_method_t, the corresponding enum_name_t instances were renamed similarly. MODP_NONE was renamed to KE_NONE.
- The has_dh_group() and promote_dh_group() methods on proposal_t were renamed and generalized to has_transform() and promote_transform(), respectively, which allow checking if any transform/algorithm (not only a DH group) is contained in a proposal or move it to the front. Similarly, the get_dh_group() method on ike_cfg_t and child_cfg_t was changed to get_algorithm().
- Two new callbacks for task_t enable tasks to do work after generating (post_build()) or processing (post_process()) a message.
- The post_build() hook is used by the ike-auth task to collect a copy of the sent IKE_SA_INIT message after it was generated. This avoids having to pre-generate the message in the task, allowing later-running tasks and plugins (via message() listener hook) to modify it (e.g. add notifies) before it’s eventually generated.
- The TESTS_VERBOSITY_<group> environment variables allow configuring the log level for individual log groups when running the unit tests (they default to TESTS_VERBOSITY).
Refer to the 5.9.7 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.6
The main two steps of the IKEv2 key derivation (PRF/prf+) have been modularized. In particular, prf+ is now provided by a plugin. This makes certification (e.g. FIPS-140) easier at it allows implementing them via an already certified third-party library.
For the most commonly used HMAC-based PRFs, the botan, openssl and wolfssl plugins implement the two steps via their respective implementations of RFC 5869’s HKDF-Extract (KDF_PRF) and HKDF-Expand (KDF_PRF_PLUS). A default implementation, based on generic PRFs from other plugins, is provided by the new kdf plugin (may be disabled if one of the mentioned third-party plugins is loaded and none of the rarely used non-HMAC PRFs, AES-XCBC or AES-CMAC, are used).
Support for labeled IPsec with IKEv2 (draft-ietf-ipsecme-labeled-ipsec) has been added. Two modes are currently supported:
- SELinux: When building with --enable-selinux, support for SELinux labels is enabled and the selinux plugin is built. If SELinux is usable on the system, the negotiated labels are installed on IPsec SAs and policies. The configured label is expected to be a generic context (e.g. system_u:object_r:ipsec_spd_t:s0), which is installed on trap policies. Either from the outset via start_action=trap, or dynamically by the selinux plugin after an IKE_SA has been established (e.g. in roadwarrior scenarios, in particular as responder). Once traffic hits such a policy and matches its context via association:polmatch, an acquire with the actual label is triggered by the kernel, for which a CHILD_SA is negotiated with the peer. A childless IKE_SA is created if the connection is not triggered by an acquire and no specific label is available. Labels received as responder are accepted if they match the configured label via association:polmatch.
- Simple: This proprietary mode, which is the default if SELinux support is disabled or not available on the system, allows exchanging arbitrary labels to identify specific child configs on the peer. These labels are not configured on the IPsec SAs or policies but are simply used during CHILD_SA creation to aid config selection (an example can be seen in the ikev2/net2net-dscp scenario).
Denial of Service (DoS) protection has been improved:
- The secrets used for generating COOKIE payloads are now switched based on a time limit (2 minutes) and not the previous usage limit (10’000 generated cookies). This avoids switching secrets multiple times a second under a heavy attack, preventing legitimate clients from successfully sending requests with valid cookies (they are valid for 10 seconds, by default).
- So far, sending and requiring COOKIE payloads was triggered only by the total number of half-open IKE_SAs. Because that global threshold is higher than the per-IP block threshold (5 half-open IKE_SAs are allowed per IP, by default), it was possible for an attacker to block a legitimate user by sending spoofed IKE_SA_INIT packets from that user’s IP. To prevent this, a new per-IP threshold has been added to trigger cookies (3 half-open IKE_SAs, by default). The default value for the global threshold has also been increased slightly (from 10 to 30).
- Unprocessed but queued initial messages (IKE_SA_INIT for IKEv2) are now already counted as half-open IKE_SAs. This makes the thresholds more accurate so it isn’t possible anymore for attackers to create thousands of jobs for packets from spoofed IP addresses before the daemon is able to process enough of them to create half-open IKE_SAs that would trigger the thresholds.
Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or dpd_action=restart). This does not prevent duplicates if they are initiated by the two peers concurrently.
It’s now possible to combine trap and start in start_action (i.e. start_action=trap|start) to immediately initiate an SA for which trap policies are also installed.
Updates to reqids on policies are allowed again by the kernel-netlink plugin. The infamous error unable to install policy … for reqid …, the same policy for reqid … exists is replaced by a simple warning should the reqid for a policy actually get updated.
Compatibility with OpenSSL 3.0 has been improved (9aa7e12). Providers are not unloaded anymore to avoid issues with atexit() handlers (#921).
The client identity (e.g. the IKE or EAP identity for EAP-TLS) is again enforced by libtls (#873).
If the source address is unknown when initiating an IKEv2 SA, a NAT situation is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing asymmetric enabling of UDP-encapsulation (#861).
Installing unnecessary exclude routes for VPN servers on FreeBSD is now avoided (#910).
The default AEAD ESP proposal (sent since 5.9.0) now includes noesn to make it standards-compliant (#868).
Missing alerts were added to the error-notify plugin (801bb85).
The new map_level option for syslog loggers allows mapping log levels (0…4) to syslog levels starting at the specified number (by default, all messages are logged with LOG_INFO).
The addrblock plugin allows limiting the validation depth of issuer addrblock extensions (e3d1766).
Individual CHILD_SAs can be queried via the list-sas() vici command (or swanctl --list-sas), either by unique ID or name.
For developers:
- Plugins can provide the two IKEv2 key derivation steps (KDF_PRF/KDF_PRF_PLUS), see kdf.h for details.
- ike_sa_t::initiate() now takes a struct with optional arguments (such as traffic selectors). The same is the case for similar data from acquires (changed the signatures for acquire() on the kernel_listener_t and kernel_interface_t interfaces).
- The trap manager allows installing externally managed trap policies (see the selinux plugin for an example of how this could be used).
- If dynamic traffic selectors are updated due to an address change, the reqid of a CHILD_SA now changes, in which case kernel_ipsec_t::update_sa() is called with new_reqid set in the kernel_ipsec_update_sa_t struct. If a kernel interface doesn’t support this, NOT_SUPPORTED should be returned to trigger a rekeying.
- The fourth argument for ENUM_FLAGS now indicates the name used when no flags are set (previously, (unset) was used for all flag enums). Flags can now also be parsed via enum_flags_from_string() (expects the flags separated by |).
Refer to the 5.9.6 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.5
- Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079. Please refer to our blog for details.
- Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now establish a secure session via RSA OAEP public key encryption or an ephemeral ECDH key exchange, respectively. The session allows HMAC-based authenticated communication with the TPM 2.0 and the exchanged parameters can be encrypted with AES-CFB where necessary to guarantee confidentiality (e.g. when using the TPM 2.0 as RNG).
- Basic support for OpenSSL 3.0 has been added to the openssl plugin, in particular, the new load_legacy option (enabled by default) allows loading the “legacy” provider for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the existing fips_mode option allows explicitly loading the “fips” provider e.g. if it’s not activated in OpenSSL’s fipsmodule.cnf. All loaded providers are logged when the plugin is initialized.
- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and FreeBSD is now configurable and reduced to 1400 bytes, by default. This also fixes an issue on macOS 12 that prevented the detection of virtual IPs installed on such TUN devices (#707).
- When rekeying CHILD_SAs, the old outbound SA is now uninstalled earlier on the initiator/winner. Instead of delaying this until the delete for the old CHILD_SA has been exchanged, we do this shortly after the new SA has been installed. This is useful for IPsec implementations where the ordering of SAs is unpredictable and we can’t set the SPI on the outbound policy to switch to the new SA while both are installed.
- The sw-collector utility may now iterate through APT history logs processed by logrotate.
- The openssl plugin now only announces the ECDH groups actually supported by OpenSSL (determined via EC_get_builtin_curves()).
- Added support for RSA encryption with OEAP padding with optional label via openssl and wolfssl plugins (the botan plugin supports OAEP padding, but only without labels, while the gcrypt only supports OEAP padding with SHA-1 and without labels). See below for the interface change this required.
- Added support for AES-CFB via botan, gcrypt, openssl and wolfssl plugins.
- Failure handling in unit tests for libtls has been improved (#752).
- Fixed the application of configured identities to raw public keys via vici/swanctl (e430528).
- Fixed the detection of several vendor IDs (broken since 5.9.3).
- Unit tests for charon-tkm now run automatically on GitHub (to test locally, refer to testing/tkm/Dockerfile).
- For developers:
- Custom EAP plugins that don’t generate an MSK have to return NOT_SUPPORTED from get_msk(). Those that do have to make sure to return FAILED until the EAP method is complete and an MSK has been established, see the blog post about the vulnerability above for more information.
- The public_key_t::encrypt() and private_key_t::decrypt() gained a void* argument for algorithm specific parameters. First application is the optional label for RSA with OEAP padding.
- A new metadata facility allows to attach arbitrary integer values to packet_t/message_t, which may be used to transport information from custom socket plugins to other plugins that later process IKE messages and back again.
Refer to the 5.9.5 milestone for a list of all closed issues and pull requests.
strongSwan 5.9.4
- Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
Please refer to our blog for details. - Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
Please refer to our blog for details. - Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
- AUTH_LIFETIME notifies are now only sent by a responder if it can’t reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
- Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
- Serial number generation in several pki sub-commands has been fixed so they don’t start with an unintended zero byte (#631).
- Loading SSH public keys via vici has been improved (#467).
- Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
- Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it’s used in FIPS-mode (#557).
- The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn’t do anything without a TSS 2.0.
- libtpmtss is initialized in all programs and libraries that use it.
- Migrated testing scripts to Python 3.
- The testing environment uses images based on Debian bullseye by default (support for jessie was removed).
Refer to the 5.9.4 milestone for a list of all closed issues and pull requests.
Related news
Gentoo Linux Security Advisory 202405-8 - Multiple vulnerabilities have been discovered in strongSwan, the worst of which could possibly lead to remote code execution. Versions greater than or equal to 5.9.10 are affected.
Ubuntu Security Notice 6488-2 - USN-6488-1 fixed a vulnerability in strongSwan. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Florian Picca discovered that strongSwan incorrectly handled certain DH public values. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service, or possibly execute arbitrary code.
An issue exists in SoftIron HyperCloud where compute nodes may come online immediately without following the correct initialization process. In this instance, workloads may be scheduled on these nodes and deploy to a failed or erroneous state, which impacts the availability of these workloads that may be deployed during this time window. This issue impacts HyperCloud versions from 2.0.0 to before 2.0.3.
Debian Linux Security Advisory 5560-1 - Florian Picca reported a bug the charon-tkm daemon in strongSwan an IKE/IPsec suite.
Ubuntu Security Notice 6488-1 - Florian Picca discovered that strongSwan incorrectly handled certain DH public values. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service, or possibly execute arbitrary code.
Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing cryptographic signature checks
Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing cryptographic signature checks
Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing cryptographic signature checks
strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.
strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.
Ubuntu Security Notice 5651-2 - USN-5651-1 fixed a vulnerability in strongSwan. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Lahav Schlesinger discovered that strongSwan incorrectly handled certain OCSP URIs and and CRL distribution points in certificates. A remote attacker could possibly use this issue to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which can lead to a denial-of-service attack.
Ubuntu Security Notice 5651-1 - Lahav Schlesinger discovered that strongSwan incorrectly handled certain OCSP URIs and and CRL distribution points in certificates. A remote attacker could possibly use this issue to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which can lead to a denial-of-service attack.
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.