- Update from version 5.9.11 to 5.9.12
- Update of rootfile
- Changelog
5.9.12
Vulnerabilities
Fixed a vulnerability in charon-tkm (the TKM-backed version of the charon IKE
daemon) related to processing DH public values that can lead to a buffer
overflow and potentially remote code execution. This vulnerability has been
registered as CVE-2023-41913. Please refer to our blog for details.
New Feature Additions
The new pki --ocsp command produces OCSP responses based on certificate status
information provided by implementations of the new ocsp_responder_t interface
(#1958).
Two sources are currently available, the openxpki plugin that directly
accesses the OpenXPKI database and the command's --index argument, which
reads certificate status information from OpenSSL-style index.txt files
(multiple CAs are supported concurrently).
The new cert-enroll script handles the initial enrollment of an X.509 host
certificate with a PKI server via the EST or SCEP protocols.
Run as a systemd timer or via a crontab entry, the script checks the
expiration date of the host certificate daily. When a given deadline is
reached, the host certificate is automatically renewed via EST or SCEP
re-enrollment based on the possession of the old private key and the
matching certificate.
Added a global option (charon.reject_trusted_end_entity) to prevent peers
from authenticating with certificates that are locally trusted, in
particular, our own local certificate, which safeguards against accidental
reuse of certificates on multiple peers. As the name suggests, all trusted
end-entity certificates are rejected if enabled, so peer certificates can't
be configured explicitly anymore (e.g. via remote.certs in swanctl.conf).
The --priv argument for charon-cmd allows the use of any type of private key
(previously, only RSA keys were supported).
The openssl plugin now supports the nameConstraints extension in X.509
certificates (#1990).
nameConstraints of type iPAddress are now supported by the x509, openssl and
constraints plugins (#1991).
Support for encoding subjectAlternativeName extensions of type
uniformResourceIdentifier in X.509 certificates has been added via the uri:
prefix (e.g. for URNs, #1983).
Support for password-less PKCS#12 and PKCS#8 files has been added (#1955).
Enhancements and Optimizations
Because of a relatively recent NIAP requirement (TD0527, Test 8b), loading of
certificates with ECDSA keys that explicitly encode the curve parameters is
rejected if possible. Explicit encoding is pretty rare to begin with and
e.g. wolfSSL already rejects such keys, by default. All crypto plugins that
support ECDSA enforce this by rejecting such public keys, except when using
older versions of OpenSSL (< 1.1.1h) or Botan (< 3.2.0) (#1949).
Make the NetworkManager plugin (charon-nm) actually use the XFRM interface it
creates since 5.9.10. This involves setting interface IDs on SAs and
policies, and installing routes via the interface. To avoid routing loops if
the remote traffic selectors include the VPN server, IKE and ESP packets are
marked to bypass the routing table that contains the routes via XFRM
interface (69e0c11).
If available, the plugin now also adopts the interface name configured in
connection.interface-name in a *.nmconnection file as name for the XFRM
interface instead of generating one randomly (e8f8d32).
The resolve plugin tries to maintain the order of DNS servers it installs via
resolvconf or resolv.conf (6440975, 8238ad4).
The kernel-libipsec plugin now always installs routes to remote networks even
if no address is found in the local traffic selectors, which allows
forwarding traffic from networks the VPN host is not part of (190d8cb).
Increased the default receive buffer size for Netlink sockets to 8 MiB
(doubled by the kernel to account for overhead) and simplified the
configuration (no need for a separate option to force overriding rmem_max).
It's now also set for event sockets, which previously could cause issues on
hosts with e.g. lots of route changes (#1757).
When issuing certificates, the subjectKeyIdentifier of the issuing
certificate, if available, is now copied as authorityKeyIdentifier, instead
of always generating a SHA-1 hash of the issuer's subjectPublicKey
(#1992, 6941dcb).
Explicitly request permission to display notifications on Android 13+
(ddf84c1), also enabled hardware acceleration for the Android-specific
OpenSSL build.
Fixes
Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
unrelated traffic selectors (#1855).
Fixed an issue in watcher_t with handling errors on sockets (e.g. if the
receive buffer is full), which caused an infinite loop if poll() only
signaled POLLERR as event (#1757).
Fixed an issue in the IKE_SA_INIT tracking code that was added with 5.9.6,
which did not correctly untrack invalid messages with non-zero message IDs
or SPIs (0b47357).
Fixed a regression introduced with 5.9.8 when handling IKE redirects during
IKE_AUTH (595fa07).
Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs in
the kernel-netlink plugin, which prevented MOBIKE updates if a large
anti-replay window was used (#1967).
Fixed a race condition in the kernel-pfroute plugin when adding virtual IPs
if the TUN device is activated after the address was already added
internally, which caused the installed route not to go via TUN device in
order to force the virtual IP as source address (#1807).
Fixed an issue in libtls that could cause the wrong ECDH group to get
instantiated (b5e4bf4).
Fixed the encoding of the CHILD_SA_NOT_FOUND notify if a CHILD_SA is not
found during rekeying. It was previously empty, now contains the SPI and
sets the protocol to the values received in the REKEY_SA notify (849c2c9).
Fixed a possible issue with MOBIKE in the Android client on certain devices
(#1691).
For Developers
The new ocsp_responder_t interface can be implemented to provide certificate
status information to the pki --ocsp command. Responders can be
(un-)registered via the ocsp_responders_t instance at lib->ocsp.
For the watcher_t component, WATCHER_EXCEPT has been removed as there is no
way to explicitly listen for errors on sockets and poll() actually can
return POLLERR for any FD and it might even be the only signaled event
(which caused an infinite loop previously). Now we simply notify the
registered callbacks. The error is then reported by e.g. recvfrom(), which
was already the case before if POLLERR was returned together with
e.g. POLLIN.
The reqids allocated for CHILD_SAs (including trap policies) via
kernel_interface_t::alloc_reqid() are now refcounted. When recreating a
CHILD_SA, a reference to the reqid can be requested via
child_sa_t::get_reqid_ref(). If another reference is required afterwards,
one can be acquired directly via kernel_interface_t::ref_reqid(). Each
reference has to be released via kernel_interface_t::release_reqid(), whose
interface was simplified.
The testing environment is now based on Debian 12 (bookworm), by default.
Also, when copying files to guests, the guest-specific files are now copied
after the default files, which allows overriding files per guest (fixes an
issue with winnetou's /etc/fstab and mounting the test results).
Refer to the 5.9.12 milestone for a list of all closed issues and pull requests.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
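The "Enhancements and Optimizations" entry above rejects ECDSA keys whose curve parameters are encoded explicitly. As an added example (not strongSwan code), the following walks a DER SubjectPublicKeyInfo just far enough to classify the ECParameters CHOICE and accepts only namedCurve keys; the sample keys are constructed inline with a placeholder public point, not real keys.

```python
"""Reject ECDSA public keys whose curve parameters are encoded explicitly.

Added example, not strongSwan code: classifies the ECParameters of a DER
SubjectPublicKeyInfo as namedCurve OID, SpecifiedECDomain SEQUENCE or
implicitlyCA NULL, and loads only namedCurve keys. Samples are constructed.
"""

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
ID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # OID 1.2.840.10045.3.1.7 (P-256)

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos and return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def ec_parameter_kind(spki):
    """Classify the ECParameters of an id-ecPublicKey SPKI: 'named', 'explicit' or 'implicit'."""
    tag, body, _ = der_tlv(spki)            # SubjectPublicKeyInfo SEQUENCE
    atag, alg, _ = der_tlv(body)            # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or atag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    otag, oid, pos = der_tlv(alg)
    if otag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    if pos >= len(alg):
        raise ValueError("ECParameters absent")
    ptag, _, _ = der_tlv(alg, pos)
    kinds = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}
    if ptag not in kinds:
        raise ValueError("unexpected ECParameters tag 0x%02x" % ptag)
    return kinds[ptag]

def accept_ec_public_key(spki):
    """Policy from the changelog entry: only keys with a namedCurve OID are loaded."""
    return ec_parameter_kind(spki) == "named"

def tlv(tag, value):
    """Encode a DER TLV (short and two-byte long-form lengths suffice for the samples)."""
    n = len(value)
    hdr = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + hdr + value

# Constructed samples: placeholder uncompressed point (0x04 || 64 bytes), not a real key.
POINT = tlv(0x03, b"\x00\x04" + b"\x11" * 64)
SPKI_NAMED = tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x06, ID_PRIME256V1)) + POINT)
# Explicit parameters: a SpecifiedECDomain SEQUENCE (only its version field is shown here).
SPKI_EXPLICIT = tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x30, tlv(0x02, b"\x01"))) + POINT)
```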
- Update from version 5.9.9 to 5.9.10
- Update of rootfile not required
- Changelog
strongswan-5.9.10
- Fixed a vulnerability related to certificate verification in TLS-based EAP
methods that leads to an authentication bypass followed by an expired pointer
dereference that results in a denial of service and possibly even remote code
execution.
This vulnerability has been registered as CVE-2023-26463.
- Added support for full packet hardware offload for IPsec SAs and policies with
Linux 6.2 kernels to the kernel-netlink plugin.
- TLS-based EAP methods now use the standardized key derivation when used
with TLS 1.3.
- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
implementing the "protected success indication".
- With the `prefer` value for the `childless` setting, initiators will create
a childless IKE_SA if the responder supports the extension.
- Routes via XFRM interfaces can optionally be installed automatically by
enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
issues with name resolution if they are supported by the kernel.
- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
PKCS#10 certificate signing request.
- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
(replace them completely, or adding/removing specific flags).
- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
IPsec SAs instead of the policies.
- For libcurl with MultiSSL support, the curl plugin provides an option to
select the SSL/TLS backend.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it makes sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:
Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
Please refer to our blog for details.
Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
Please refer to our blog for details.
Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
Loading SSH public keys via vici has been improved (#467).
Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
libtpmtss is initialized in all programs and libraries that use it.
Migrated testing scripts to Python 3.
The testing environment uses images based on Debian bullseye by default (support for jessie was removed).
To my understanding, IPFire is not affected by CVE-2021-41990, as we do
not support creation of IPsec connections using RSASSA-PSS (please
correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire
installations indeed.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 5.9.2 to 5.9.3
- Update of rootfile not required
- Changelog
strongswan-5.9.3
- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
- Added AES_CCM and SHA-3 signature support to openssl plugin.
- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
available, before verifying signatures, which avoids unnecessary signature
verifications after a CA key rollover if both certificates are loaded.
- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
previously depended on a version check.
- charon-nm now supports using SANs as client identities, not only full DNs.
- charon-tkm now handles IKE encryption.
- A MOBIKE update is sent again if a change in the NAT mappings is detected
but the endpoints stay the same.
- Converted most of the test case scenarios to the vici interface.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is a regression from disabling charon.install_routes.
VPNs are routing fine as long as traffic is passing through
the firewall. Traps are not properly used as long as these
routes are not present and therefore we won't trigger any
tunnels when traffic originates from the firewall.
Fixes: #12045
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The RC2 plugin was never supported by the WebUI and is insecure,
so it became obsolete here. To support new ChaCha20/Poly1305, the
corresponding module needs to be enabled.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This also takes advantage of changed crypto plugins (see first
patch) and updates the rootfile.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
signatures that was caused by insufficient input validation.
One of the configurable parameters in algorithm identifier
structures for RSASSA-PSS signatures is the mask generation
function (MGF). Only MGF1 is currently specified for this purpose.
However, this in turn takes itself a parameter that specifies
the underlying hash function. strongSwan's parser did not
correctly handle the case of this parameter being absent,
causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Drop support for Padlock which is not in wide usage
any more and creates some rootfile trouble every time.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes CVE-2017-11185:
Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
when verifying RSA signatures, which requires decryption with the operation m^e mod n,
where m is the signature, and e and n are the exponent and modulus of the public key.
The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
This result wasn't handled properly causing a null-pointer dereference.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
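The CVE-2017-11185 description above comes down to a missing range check on the signature representative before m^e mod n. As an added example (not the strongSwan gmp plugin), the following implements the RFC 8017 RSAVP1 primitive with that check beside the unchecked variant, using a constructed toy key.

```python
"""RSA verification primitive with the range check missing in CVE-2017-11185.

Added example, not the strongSwan gmp plugin: RSAVP1 from RFC 8017 rejects a
signature representative s outside [0, n-1] before computing s^e mod n, so the
s == n case (which yields 0 and, in the plugin, mpz_export() returning NULL)
never reaches the decoding step. The key below is a constructed toy key.
"""

class SignatureOutOfRange(ValueError):
    """Raised when the signature representative is not in [0, n-1]."""

def rsavp1(s, e, n):
    """RFC 8017 section 5.2.2: verification primitive with the step 1 range check."""
    if not 0 <= s <= n - 1:
        raise SignatureOutOfRange("signature representative out of range")
    return pow(s, e, n)

def unchecked_rsavp1(s, e, n):
    """The flawed behaviour described in the changelog: no range check at all."""
    return pow(s, e, n)

def verify_raw(signature, e, n):
    """Recover the k-byte encoded message from a signature, or return None if invalid.

    The length check alone is not enough: a k-byte signature can still encode
    a value >= n, which is exactly the s == n case.
    """
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return None
    s = int.from_bytes(signature, "big")
    try:
        m = rsavp1(s, e, n)
    except SignatureOutOfRange:
        return None
    return m.to_bytes(k, "big")

def sign_raw(message, d, n):
    """Toy signing primitive (RSASP1), used only to build test vectors here."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(message, "big")
    if not 0 <= m <= n - 1:
        raise ValueError("message representative out of range")
    return pow(m, d, n).to_bytes(k, "big")

# Constructed toy key: p = 61, q = 53, n = 3233, e = 17, d = 2753 (illustration only).
TOY_N, TOY_E, TOY_D = 3233, 17, 2753
```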
The build environment is using a number of variables which
occasionally conflicted with some other build systems.
This patch cleans that up by renaming some variables and
later unexporting them in the lfs files.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
IPFire 2 does not have IPv6 connectivity with exception of a
few systems for testing where IPsec connections become a little
bit unstable when trying to connect over IPv6.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It is not necessary to copy the init scripts and remove the symlinks for
runlevel interaction.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Fixed a denial-of-service and potential remote code execution vulnerability
triggered by IKEv1/IKEv2 messages that contain payloads for the respective
other IKE version. Such payloads are treated specially since 5.2.2 but because
they were still identified by their original payload type they were used as
such in some places causing invalid function pointer dereferences.
The vulnerability has been registered as CVE-2015-3991.
https://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-%28cve-2015-3991%29.html
The increased buffer size has been fixed in bug #943 upstream
https://wiki.strongswan.org/issues/943
This reverts commit c1000c2cd4.
This commit has been merged from master to this branch, but
actually strongswan was already updated to version 5.2.2 which
does not need this fix any more.