forked from strongswan/strongswan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
2956 lines (2128 loc) · 122 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
strongswan-5.4.0
----------------
- For the vici plugin a Vici:Session Perl CPAN module has been added to allow
Perl applications to control and/or monitor the IKE daemon using the VICI
interface, similar to the existing Python egg or Ruby gem.
strongswan-5.3.5
----------------
- Properly handle potential EINTR errors in sigwaitinfo(2) calls that replaced
sigwait(3) calls with 5.3.4.
- RADIUS retransmission timeouts are now configurable, courtesy of Thom Troy.
strongswan-5.3.4
----------------
- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
was caused by insufficient verification of the internal state when handling
MSCHAPv2 Success messages received by the client.
This vulnerability has been registered as CVE-2015-8023.
- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
Within the strongSwan framework SHA3 is currently used for BLISS signatures
only because the OIDs for other signature algorithms haven't been defined
yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
strongswan-5.3.3
----------------
- Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and
RFC 7634 using the chacha20poly1305 ike/esp proposal keyword. The new chapoly
plugin implements the cipher, if possible SSE-accelerated on x86/x64
architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP
backend. On Linux 4.2 or newer the kernel-netlink plugin can configure the
cipher for ESP SAs.
- The vici interface now supports the configuration of auxiliary certification
authority information as CRL and OCSP URIs.
- In the bliss plugin the c_indices derivation using a SHA-512 based random
oracle has been fixed, generalized and standardized by employing the MGF1 mask
generation function with SHA-512. As a consequence BLISS signatures unsing the
improved oracle are not compatible with the earlier implementation.
- Support for auto=route with right=%any for transport mode connections has
been added (the ikev2/trap-any scenario provides examples).
- The starter daemon does not flush IPsec policies and SAs anymore when it is
stopped. Already existing duplicate policies are now overwritten by the IKE
daemon when it installs its policies.
- Init limits (like charon.init_limit_half_open) can now optionally be enforced
when initiating SAs via VICI. For this, IKE_SAs initiated by the daemon are
now also counted as half-open SAs, which, as a side-effect, fixes the status
output while connecting (e.g. in ipsec status).
- Symmetric configuration of EAP methods in left|rightauth is now possible when
mutual EAP-only authentication is used (previously, the client had to
configure rightauth=eap or rightauth=any, which prevented it from using this
same config as responder).
- The initiator flag in the IKEv2 header is compared again (wasn't the case
since 5.0.0) and packets that have the flag set incorrectly are again ignored.
- Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy
Device Health Assessment Trusted Network Connect Binding" (HCD-TNC)
document drafted by the IEEE Printer Working Group (PWG).
- Fixed IF-M segmentation which failed in the presence of multiple small
attributes in front of a huge attribute to be segmented.
strongswan-5.3.2
----------------
- Fixed a vulnerability that allowed rogue servers with a valid certificate
accepted by the client to trick it into disclosing its username and even
password (if the client accepts EAP-GTC). This was caused because constraints
against the responder's authentication were enforced too late.
This vulnerability has been registered as CVE-2015-4171.
strongswan-5.3.1
----------------
- Fixed a denial-of-service and potential remote code execution vulnerability
triggered by IKEv1/IKEv2 messages that contain payloads for the respective
other IKE version. Such payload are treated specially since 5.2.2 but because
they were still identified by their original payload type they were used as
such in some places causing invalid function pointer dereferences.
The vulnerability has been registered as CVE-2015-3991.
- The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto
primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ
instructions and works on both x86 and x64 architectures. It provides
superior crypto performance in userland without any external libraries.
strongswan-5.3.0
----------------
- Added support for IKEv2 make-before-break reauthentication. By using a global
CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
This allows the use of make-before-break instead of the previously supported
break-before-make reauthentication, avoiding connectivity gaps during that
procedure. As the new mechanism may fail with peers not supporting it (such
as any previous strongSwan release) it must be explicitly enabled using
the charon.make_before_break strongswan.conf option.
- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added.
This allows the use of stronger hash algorithms for public key authentication.
By default, signature schemes are chosen based on the strength of the
signature key, but specific hash algorithms may be configured in leftauth.
- Key types and hash algorithms specified in rightauth are now also checked
against IKEv2 signature schemes. If such constraints are used for certificate
chain validation in existing configurations, in particular with peers that
don't support RFC 7427, it may be necessary to disable this feature with the
charon.signature_authentication_constraints setting, because the signature
scheme used in classic IKEv2 public key authentication may not be strong
enough.
- The new connmark plugin allows a host to bind conntrack flows to a specific
CHILD_SA by applying and restoring the SA mark to conntrack entries. This
allows a peer to handle multiple transport mode connections coming over the
same NAT device for client-initiated flows. A common use case is to protect
L2TP/IPsec, as supported by some systems.
- The forecast plugin can forward broadcast and multicast messages between
connected clients and a LAN. For CHILD_SA using unique marks, it sets up
the required Netfilter rules and uses a multicast/broadcast listener that
forwards such messages to all connected clients. This plugin is designed for
Windows 7 IKEv2 clients, which announces its services over the tunnel if the
negotiated IPsec policy allows it.
- For the vici plugin a Python Egg has been added to allow Python applications
to control or monitor the IKE daemon using the VICI interface, similar to the
existing ruby gem. The Python library has been contributed by Björn Schuberg.
- EAP server methods now can fulfill public key constraints, such as rightcert
or rightca. Additionally, public key and signature constraints can be
specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
EAP-TTLS methods provide verification details to constraints checking.
- Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B
variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash
algorithms with SHA512 being the default.
- The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
as seen by the TNC server available to all IMVs. This information can be
forwarded to policy enforcement points (e.g. firewalls or routers).
- The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
PT-TLS transport medium.
strongswan-5.2.2
----------------
- Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
payload that contains the Diffie-Hellman group 1025. This identifier was
used internally for DH groups with custom generator and prime. Because
these arguments are missing when creating DH objects based on the KE payload
an invalid pointer dereference occurred. This allowed an attacker to crash
the IKE daemon with a single IKE_SA_INIT message containing such a KE
payload. The vulnerability has been registered as CVE-2014-9221.
- The left/rightid options in ipsec.conf, or any other identity in strongSwan,
now accept prefixes to enforce an explicit type, such as email: or fqdn:.
Note that no conversion is done for the remaining string, refer to
ipsec.conf(5) for details.
- The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
an IKEv2 public key authentication method. The pki tool offers full support
for the generation of BLISS key pairs and certificates.
- Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
cause interoperability issues when connecting to older versions of charon.
strongswan-5.2.1
----------------
- The new charon-systemd IKE daemon implements an IKE daemon tailored for use
with systemd. It avoids the dependency on ipsec starter and uses swanctl
as configuration backend, building a simple and lightweight solution. It
supports native systemd journal logging.
- Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
- Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
and IETF/Installed Packages attributes can be processed incrementally on a
per segment basis.
- The new ext-auth plugin calls an external script to implement custom IKE_SA
authorization logic, courtesy of Vyronas Tsingaras.
- For the vici plugin a ruby gem has been added to allow ruby applications
to control or monitor the IKE daemon. The vici documentation has been updated
to include a description of the available operations and some simple examples
using both the libvici C interface and the ruby gem.
strongswan-5.2.0
----------------
- strongSwan has been ported to the Windows platform. Using a MinGW toolchain,
many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2
and newer releases. charon-svc implements a Windows IKE service based on
libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec
backend on the Windows platform. socket-win provides a native IKE socket
implementation, while winhttp fetches CRL and OCSP information using the
WinHTTP API.
- The new vici plugin provides a Versatile IKE Configuration Interface for
charon. Using the stable IPC interface, external applications can configure,
control and monitor the IKE daemon. Instead of scripting the ipsec tool
and generating ipsec.conf, third party applications can use the new interface
for more control and better reliability.
- Built upon the libvici client library, swanctl implements the first user of
the VICI interface. Together with a swanctl.conf configuration file,
connections can be defined, loaded and managed. swanctl provides a portable,
complete IKE configuration and control interface for the command line.
The first six swanctl example scenarios have been added.
- The SWID IMV implements a JSON-based REST API which allows the exchange
of SWID tags and Software IDs with the strongTNC policy manager.
- The SWID IMC can extract all installed packages from the dpkg (Debian,
Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or
pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using the
swidGenerator (https://github.com/strongswan/swidGenerator) which generates
SWID tags according to the new ISO/IEC 19770-2:2014 standard.
- All IMVs now share the access requestor ID, device ID and product info
of an access requestor via a common imv_session object.
- The Attestation IMC/IMV pair supports the IMA-NG measurement format
introduced with the Linux 3.13 kernel.
- The aikgen tool generates an Attestation Identity Key bound to a TPM.
- Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
Connect.
- The ipsec.conf replay_window option defines connection specific IPsec replay
windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from
6Wind.
strongswan-5.1.3
----------------
- Fixed an authentication bypass vulnerability triggered by rekeying an
unestablished IKEv2 SA while it gets actively initiated. This allowed an
attacker to trick a peer's IKE_SA state to established, without the need to
provide any valid authentication credentials. The vulnerability has been
registered as CVE-2014-2338.
- The acert plugin evaluates X.509 Attribute Certificates. Group membership
information encoded as strings can be used to fulfill authorization checks
defined with the rightgroups option. Attribute Certificates can be loaded
locally or get exchanged in IKEv2 certificate payloads.
- The pki command gained support to generate X.509 Attribute Certificates
using the --acert subcommand, while the --print command supports the ac type.
The openac utility has been removed in favor of the new pki functionality.
- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
has been extended by AEAD mode support, currently limited to AES-GCM.
strongswan-5.1.2
----------------
- A new default configuration file layout is introduced. The new default
strongswan.conf file mainly includes config snippets from the strongswan.d
and strongswan.d/charon directories (the latter containing snippets for all
plugins). The snippets, with commented defaults, are automatically
generated and installed, if they don't exist yet. They are also installed
in $prefix/share/strongswan/templates so existing files can be compared to
the current defaults.
- As an alternative to the non-extensible charon.load setting, the plugins
to load in charon (and optionally other applications) can now be determined
via the charon.plugins.<name>.load setting for each plugin (enabled in the
new default strongswan.conf file via the charon.load_modular option).
The load setting optionally takes a numeric priority value that allows
reordering the plugins (otherwise the default plugin order is preserved).
- All strongswan.conf settings that were formerly defined in library specific
"global" sections are now application specific (e.g. settings for plugins in
libstrongswan.plugins can now be set only for charon in charon.plugins).
The old options are still supported, which now allows to define defaults for
all applications in the libstrongswan section.
- The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
computer IKE key exchange mechanism. The implementation is based on the
ntru-crypto library from the NTRUOpenSourceProject. The supported security
strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH
group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be
sent (charon.send_vendor_id = yes) in order to use NTRU.
- Defined a TPMRA remote attestation workitem and added support for it to the
Attestation IMV.
- Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as
well as multiple subnets in left|rightsubnet have been fixed.
- When enabling its "session" strongswan.conf option, the xauth-pam plugin opens
and closes a PAM session for each established IKE_SA. Patch courtesy of
Andrea Bonomi.
- The strongSwan unit testing framework has been rewritten without the "check"
dependency for improved flexibility and portability. It now properly supports
multi-threaded and memory leak testing and brings a bunch of new test cases.
strongswan-5.1.1
----------------
- Fixed a denial-of-service vulnerability and potential authorization bypass
triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient
length check when comparing such identities. The vulnerability has been
registered as CVE-2013-6075.
- Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
fragmentation payload. The cause is a NULL pointer dereference. The
vulnerability has been registered as CVE-2013-6076.
- The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS session
with a strongSwan policy enforcement point which uses the tnc-pdp charon
plugin.
- The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either
full SWID Tag or concise SWID Tag ID inventories.
- The XAuth backend in eap-radius now supports multiple XAuth exchanges for
different credential types and display messages. All user input gets
concatenated and verified with a single User-Password RADIUS attribute on
the AAA. With an AAA supporting it, one for example can implement
Password+Token authentication with proper dialogs on iOS and OS X clients.
- charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf
modeconfig=push option enables it for both client and server, the same way
as pluto used it.
- Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 connections,
charon can negotiate and install Security Associations integrity-protected by
the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only,
but not the deprecated RFC2401 style ESP+AH bundles.
- The generation of initialization vectors for IKE and ESP (when using libipsec)
is now modularized and IVs for e.g. AES-GCM are now correctly allocated
sequentially, while other algorithms like AES-CBC still use random IVs.
- The left and right options in ipsec.conf can take multiple address ranges
and subnets. This allows connection matching against a larger set of
addresses, for example to use a different connection for clients connecting
from a internal network.
- For all those who have a queasy feeling about the NIST elliptic curve set,
the Brainpool curves introduced for use with IKE by RFC 6932 might be a
more trustworthy alternative.
- The kernel-libipsec userland IPsec backend now supports usage statistics,
volume based rekeying and accepts ESPv3 style TFC padded packets.
- With two new strongswan.conf options fwmarks can be used to implement
host-to-host tunnels with kernel-libipsec.
- load-tester supports transport mode connections and more complex traffic
selectors, including such using unique ports for each tunnel.
- The new dnscert plugin provides support for authentication via CERT RRs that
are protected via DNSSEC. The plugin was created by Ruslan N. Marchenko.
- The eap-radius plugin supports forwarding of several Cisco Unity specific
RADIUS attributes in corresponding configuration payloads.
- Database transactions are now abstracted and implemented by the two backends.
If you use MySQL make sure all tables use the InnoDB engine.
- libstrongswan now can provide an experimental custom implementation of the
printf family functions based on klibc if neither Vstr nor glibc style printf
hooks are available. This can avoid the Vstr dependency on some systems at
the cost of slower and less complete printf functions.
strongswan-5.1.0
----------------
- Fixed a denial-of-service vulnerability triggered by specific XAuth usernames
and EAP identities (since 5.0.3), and PEM files (since 4.1.11). The crash
was caused by insufficient error handling in the is_asn1() function.
The vulnerability has been registered as CVE-2013-5018.
- The new charon-cmd command line IKE client can establish road warrior
connections using IKEv1 or IKEv2 with different authentication profiles.
It does not depend on any configuration files and can be configured using a
few simple command line options.
- The kernel-pfroute networking backend has been greatly improved. It now
can install virtual IPs on TUN devices on OS X and FreeBSD, allowing these
systems to act as a client in common road warrior scenarios.
- The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec
processing in userland on Linux, FreeBSD and Mac OS X.
- The eap-radius plugin can now serve as an XAuth backend called xauth-radius,
directly verifying XAuth credentials using RADIUS User-Name/User-Password
attributes. This is more efficient than the existing xauth-eap+eap-radius
combination, and allows RADIUS servers without EAP support to act as AAA
backend for IKEv1.
- The new osx-attr plugin installs configuration attributes (currently DNS
servers) via SystemConfiguration on Mac OS X. The keychain plugin provides
certificates from the OS X keychain service.
- The sshkey plugin parses SSH public keys, which, together with the --agent
option for charon-cmd, allows the use of ssh-agent for authentication.
To configure SSH keys in ipsec.conf the left|rightrsasigkey options are
replaced with left|rightsigkey, which now take public keys in one of three
formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and
PKCS#1 (the default, no prefix).
- Extraction of certificates and private keys from PKCS#12 files is now provided
by the new pkcs12 plugin or the openssl plugin. charon-cmd (--p12) as well
as charon (via P12 token in ipsec.secrets) can make use of this.
- IKEv2 can now negotiate transport mode and IPComp in NAT situations.
- IKEv2 exchange initiators now properly close an established IKE or CHILD_SA
on error conditions using an additional exchange, keeping state in sync
between peers.
- Using a SQL database interface a Trusted Network Connect (TNC) Policy Manager
can generate specific measurement workitems for an arbitrary number of
Integrity Measurement Verifiers (IMVs) based on the history of the VPN user
and/or device.
- Several core classes in libstrongswan are now tested with unit tests. These
can be enabled with --enable-unit-tests and run with 'make check'. Coverage
reports can be generated with --enable-coverage and 'make coverage' (this
disables any optimization, so it should not be enabled when building
production releases).
- The leak-detective developer tool has been greatly improved. It works much
faster/stabler with multiple threads, does not use deprecated malloc hooks
anymore and has been ported to OS X.
- chunk_hash() is now based on SipHash-2-4 with a random key. This provides
better distribution and prevents hash flooding attacks when used with
hashtables.
- All default plugins implement the get_features() method to define features
and their dependencies. The plugin loader has been improved, so that plugins
in a custom load statement can be ordered freely or to express preferences
without being affected by dependencies between plugin features.
- A centralized thread can take care for watching multiple file descriptors
concurrently. This removes the need for a dedicated listener threads in
various plugins. The number of "reserved" threads for such tasks has been
reduced to about five, depending on the plugin configuration.
- Plugins that can be controlled by a UNIX socket IPC mechanism gained network
transparency. Third party applications querying these plugins now can use
TCP connections from a different host.
- libipsec now supports AES-GCM.
strongswan-5.0.4
----------------
- Fixed a security vulnerability in the openssl plugin which was reported by
Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944.
Before the fix, if the openssl plugin's ECDSA signature verification was used,
due to a misinterpretation of the error code returned by the OpenSSL
ECDSA_verify() function, an empty or zeroed signature was accepted as a
legitimate one.
- The handling of a couple of other non-security relevant openssl return codes
was fixed as well.
- The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its
TCG TNC IF-MAP 2.1 interface.
- The charon.initiator_only option causes charon to ignore IKE initiation
requests.
- The openssl plugin can now use the openssl-fips library.
strongswan-5.0.3
----------------
- The new ipseckey plugin enables authentication based on trustworthy public
keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
To do so it uses a DNSSEC enabled resolver, like the one provided by the new
unbound plugin, which is based on libldns and libunbound. Both plugins were
created by Reto Guadagnini.
- Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
available to an IMV. The OS IMV stores the AR identity together with the
device ID in the attest database.
- The openssl plugin now uses the AES-NI accelerated version of AES-GCM
if the hardware supports it.
- The eap-radius plugin can now assign virtual IPs to IKE clients using the
Framed-IP-Address attribute by using the "%radius" named pool in the
rightsourceip ipsec.conf option. Cisco Banner attributes are forwarded to
Unity-capable IKEv1 clients during mode config. charon now sends Interim
Accounting updates if requested by the RADIUS server, reports
sent/received packets in Accounting messages, and adds a Terminate-Cause
to Accounting-Stops.
- The recently introduced "ipsec listcounters" command can report connection
specific counters by passing a connection name, and global or connection
counters can be reset by the "ipsec resetcounters" command.
- The strongSwan libpttls library provides an experimental implementation of
PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
- The charon systime-fix plugin can disable certificate lifetime checks on
embedded systems if the system time is obviously out of sync after bootup.
Certificates lifetimes get checked once the system time gets sane, closing
or reauthenticating connections using expired certificates.
- The "ikedscp" ipsec.conf option can set DiffServ code points on outgoing
IKE packets.
- The new xauth-noauth plugin allows to use basic RSA or PSK authentication with
clients that cannot be configured without XAuth authentication. The plugin
simply concludes the XAuth exchange successfully without actually performing
any authentication. Therefore, to use this backend it has to be selected
explicitly with rightauth2=xauth-noauth.
- The new charon-tkm IKEv2 daemon delegates security critical operations to a
separate process. This has the benefit that the network facing daemon has no
knowledge of keying material used to protect child SAs. Thus subverting
charon-tkm does not result in the compromise of cryptographic keys.
The extracted functionality has been implemented from scratch in a minimal TCB
(trusted computing base) in the Ada programming language. Further information
can be found at http://www.codelabs.ch/tkm/.
strongswan-5.0.2
----------------
- Implemented all IETF Standard PA-TNC attributes and an OS IMC/IMV
pair using them to transfer operating system information.
- The new "ipsec listcounters" command prints a list of global counter values
about received and sent IKE messages and rekeyings.
- A new lookip plugin can perform fast lookup of tunnel information using a
clients virtual IP and can send notifications about established or deleted
tunnels. The "ipsec lookip" command can be used to query such information
or receive notifications.
- The new error-notify plugin catches some common error conditions and allows
an external application to receive notifications for them over a UNIX socket.
- IKE proposals can now use a PRF algorithm different to that defined for
integrity protection. If an algorithm with a "prf" prefix is defined
explicitly (such as prfsha1 or prfsha256), no implicit PRF algorithm based on
the integrity algorithm is added to the proposal.
- The pkcs11 plugin can now load leftcert certificates from a smartcard for a
specific ipsec.conf conn section and cacert CA certificates for a specific ca
section.
- The load-tester plugin gained additional options for certificate generation
and can load keys and multiple CA certificates from external files. It can
install a dedicated outer IP address for each tunnel and tunnel initiation
batches can be triggered and monitored externally using the
"ipsec load-tester" tool.
- PKCS#7 container parsing has been modularized, and the openssl plugin
gained an alternative implementation to decrypt and verify such files.
In contrast to our own DER parser, OpenSSL can handle BER files, which is
required for interoperability of our scepclient with EJBCA.
- Support for the proprietary IKEv1 fragmentation extension has been added.
Fragments are always handled on receipt but only sent if supported by the peer
and if enabled with the new fragmentation ipsec.conf option.
- IKEv1 in charon can now parse certificates received in PKCS#7 containers and
supports NAT traversal as used by Windows clients. Patches courtesy of
Volker Rümelin.
- The new rdrand plugin provides a high quality / high performance random
source using the Intel rdrand instruction found on Ivy Bridge processors.
- The integration test environment was updated and now uses KVM and reproducible
guest images based on Debian.
strongswan-5.0.1
----------------
- Introduced the sending of the standard IETF Assessment Result
PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
- Extended PTS Attestation IMC/IMV pair to provide full evidence of
the Linux IMA measurement process. All pertinent file information
of a Linux OS can be collected and stored in an SQL database.
- The PA-TNC and PB-TNC protocols can now process huge data payloads
>64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
and these messages over several PB-TNC batches. As long as no
consolidated recommandation from all IMVs can be obtained, the TNC
server requests more client data by sending an empty SDATA batch.
- The rightgroups2 ipsec.conf option can require group membership during
a second authentication round, for example during XAuth authentication
against a RADIUS server.
- The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated
clients against any PAM service. The IKEv2 eap-gtc plugin does not use
PAM directly anymore, but can use any XAuth backend to verify credentials,
including xauth-pam.
- The new unity plugin brings support for some parts of the IKEv1 Cisco Unity
Extension. As client, charon narrows traffic selectors to the received
Split-Include attributes and automatically installs IPsec bypass policies
for received Local-LAN attributes. As server, charon sends Split-Include
attributes for leftsubnet definitions containing multiple subnets to Unity-
aware clients.
- An EAP-Nak payload is returned by clients if the gateway requests an EAP
method that the client does not support. Clients can also request a specific
EAP method by configuring that method with leftauth.
- The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
these to select a different EAP method supported/requested by the client.
The plugin initially requests the first registered method or the first method
configured with charon.plugins.eap-dynamic.preferred.
- The new left/rightdns options specify connection specific DNS servers to
request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
can be any (comma separated) combination of %config4 and %config6 to request
multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
IP addresses to return.
- The left/rightsourceip options now accept multiple addresses or pools.
leftsourceip can be any (comma separated) combination of %config4, %config6
or fixed IP addresses to request. rightsourceip accepts multiple explicitly
specified or referenced named pools.
- Multiple connections can now share a single address pool when they use the
same definition in one of the rightsourceip pools.
- The options charon.interfaces_ignore and charon.interfaces_use allow one to
configure the network interfaces used by the daemon.
- The kernel-netlink plugin supports the charon.install_virtual_ip_on option,
which specifies the interface on which virtual IP addresses will be installed.
If it is not specified the current behavior of using the outbound interface
is preserved.
- The kernel-netlink plugin tries to keep the current source address when
looking for valid routes to reach other hosts.
- The autotools build has been migrated to use a config.h header. strongSwan
development headers will get installed during "make install" if
--with-dev-headers has been passed to ./configure.
- All crypto primitives gained return values for most operations, allowing
crypto backends to fail, for example when using hardware accelerators.
strongswan-5.0.0
----------------
- The charon IKE daemon gained experimental support for the IKEv1 protocol.
Pluto has been removed from the 5.x series, and unless strongSwan is
configured with --disable-ikev1 or --disable-ikev2, charon handles both
keying protocols. The feature-set of IKEv1 in charon is almost on par with
pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
mode. Informations for interoperability and migration is available at
http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
- Charon's bus_t has been refactored so that loggers and other listeners are
now handled separately. The single lock was previously cause for deadlocks
if extensive listeners, such as the one provided by the updown plugin, wanted
to acquire locks that were held by other threads which in turn tried to log
messages, and thus were waiting to acquire the same lock currently held by
the thread calling the listener.
The implemented changes also allow the use of a read/write-lock for the
loggers which increases performance if multiple loggers are registered.
Besides several interface changes this last bit also changes the semantics
for loggers as these may now be called by multiple threads at the same time.
- Source routes are reinstalled if interfaces are reactivated or IP addresses
reappear.
- The thread pool (processor_t) now has more control over the lifecycle of
a job (see job.h for details). In particular, it now controls the destruction
of jobs after execution and the cancellation of jobs during shutdown. Due to
these changes the requeueing feature, previously available to callback_job_t
only, is now available to all jobs (in addition to a new rescheduling
feature).
- In addition to trustchain key strength definitions for different public key
systems, the rightauth option now takes a list of signature hash algorithms
considered save for trustchain validation. For example, the setting
rightauth=rsa-2048-ecdsa-256-sha256-sha384-sha512 requires a trustchain
that uses at least RSA-2048 or ECDSA-256 keys and certificate signatures
using SHA-256 or better.
strongswan-4.6.4
----------------
- Fixed a security vulnerability in the gmp plugin. If this plugin was used
for RSA signature verification an empty or zeroed signature was handled as
a legitimate one.
- Fixed several issues with reauthentication and address updates.
strongswan-4.6.3
----------------
- The tnc-pdp plugin implements a RADIUS server interface allowing
a strongSwan TNC server to act as a Policy Decision Point.
- The eap-radius authentication backend enforces Session-Timeout attributes
using RFC4478 repeated authentication and acts upon RADIUS Dynamic
Authorization extensions, RFC 5176. Currently supported are disconnect
requests and CoA messages containing a Session-Timeout.
- The eap-radius plugin can forward arbitrary RADIUS attributes from and to
clients using custom IKEv2 notify payloads. The new radattr plugin reads
attributes to include from files and prints received attributes to the
console.
- Added support for untruncated MD5 and SHA1 HMACs in ESP as used in
RFC 4595.
- The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128 algorithms
as defined in RFC 4494 and RFC 4615, respectively.
- The resolve plugin automatically installs nameservers via resolvconf(8),
if it is installed, instead of modifying /etc/resolv.conf directly.
- The IKEv2 charon daemon supports now raw RSA public keys in RFC 3110
DNSKEY and PKCS#1 file format.
strongswan-4.6.2
----------------
- Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
which supports IF-TNCCS 2.0 long message types, the exclusive flags
and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
- Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M"
standard (TLV-based messages only). TPM-based remote attestation of
Linux IMA (Integrity Measurement Architecture) possible. Measurement
reference values are automatically stored in an SQLite database.
- The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
start/stop messages containing Username, Framed-IP and Input/Output-Octets
attributes and has been tested against FreeRADIUS and Microsoft NPS.
- Added support for PKCS#8 encoded private keys via the libstrongswan
pkcs8 plugin. This is the default format used by some OpenSSL tools since
version 1.0.0 (e.g. openssl req with -keyout).
- Added session resumption support to the strongSwan TLS stack.
strongswan-4.6.1
----------------
- Because of changing checksums before and after installation which caused
the integrity tests to fail we avoided directly linking libsimaka, libtls and
libtnccs to those libcharon plugins which make use of these dynamic libraries.
Instead we linked the libraries to the charon daemon. Unfortunately Ubuntu
11.10 activated the --as-needed ld option which discards explicit links
to dynamic libraries that are not actually used by the charon daemon itself,
thus causing failures during the loading of the plugins which depend on these
libraries for resolving external symbols.
- Therefore our approach of computing integrity checksums for plugins had to be
changed radically by moving the hash generation from the compilation to the
post-installation phase.
strongswan-4.6.0
----------------
- The new libstrongswan certexpire plugin collects expiration information of
all used certificates and exports them to CSV files. It either directly
exports them or uses cron style scheduling for batch exports.
- starter passes unresolved hostnames to charon, allowing it to do name
resolution not before the connection attempt. This is especially useful with
connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey
for the initial patch.
- The android plugin can now be used without the Android frontend patch and
provides DNS server registration and logging to logcat.
- Pluto and starter (plus stroke and whack) have been ported to Android.
- Support for ECDSA private and public key operations has been added to the
pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can
use tokens as random number generators (RNG). By default only private key
operations are enabled, more advanced features have to be enabled by their
option in strongswan.conf. This also applies to public key operations (even
for keys not stored on the token) which were enabled by default before.
- The libstrongswan plugin system now supports detailed plugin dependencies.
Many plugins have been extended to export its capabilities and requirements.
This allows the plugin loader to resolve plugin loading order automatically,
and in future releases, to dynamically load the required features on demand.
Existing third party plugins are source (but not binary) compatible if they
properly initialize the new get_features() plugin function to NULL.
- The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can deliver
metadata about IKE_SAs via a SOAP interface to a MAP server. The tnc-ifmap
plugin requires the Apache Axis2/C library.
strongswan-4.5.3
----------------
- Our private libraries (e.g. libstrongswan) are not installed directly in
prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
default). The plugins directory is also moved from libexec/ipsec/ to that
directory.
- The dynamic IMC/IMV libraries were moved from the plugins directory to
a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
- Job priorities were introduced to prevent thread starvation caused by too
many threads handling blocking operations (such as CRL fetching). Refer to
strongswan.conf(5) for details.
- Two new strongswan.conf options allow to fine-tune performance on IKEv2
gateways by dropping IKE_SA_INIT requests on high load.
- IKEv2 charon daemon supports start PASS and DROP shunt policies
preventing traffic to go through IPsec connections. Installation of the
shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel
interfaces.
- The history of policies installed in the kernel is now tracked so that e.g.
trap policies are correctly updated when reauthenticated SAs are terminated.
- IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
Using "netstat -l" the IMC scans open listening ports on the TNC client
and sends a port list to the IMV which based on a port policy decides if
the client is admitted to the network.
(--enable-imc-scanner/--enable-imv-scanner).
- IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
(--enable-imc-test/--enable-imv-test).
- The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
setting, but the value defined by its own closeaction keyword. The action
is triggered if the remote peer closes a CHILD_SA unexpectedly.
strongswan-4.5.2
----------------
- The whitelist plugin for the IKEv2 daemon maintains an in-memory identity
whitelist. Any connection attempt of peers not whitelisted will get rejected.
The 'ipsec whitelist' utility provides a simple command line frontend for
whitelist administration.
- The duplicheck plugin provides a specialized form of duplicate checking,
doing a liveness check on the old SA and optionally notify a third party
application about detected duplicates.
- The coupling plugin permanently couples two or more devices by limiting
authentication to previously used certificates.
- In the case that the peer config and child config don't have the same name
(usually in SQL database defined connections), ipsec up|route <peer config>
starts|routes all associated child configs and ipsec up|route <child config>
only starts|routes the specific child config.
- fixed the encoding and parsing of X.509 certificate policy statements (CPS).
- Duncan Salerno contributed the eap-sim-pcsc plugin implementing a
pcsc-lite based SIM card backend.
- The eap-peap plugin implements the EAP PEAP protocol. Interoperates
successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
all plugins to reload. Currently only the eap-radius and the attr plugins
support configuration reloading.
- Added userland support to the IKEv2 daemon for Extended Sequence Numbers
support coming with Linux 2.6.39. To enable ESN on a connection, add
the 'esn' keyword to the proposal. The default proposal uses 32-bit sequence
numbers only ('noesn'), and the same value is used if no ESN mode is
specified. To negotiate ESN support with the peer, include both, e.g.
esp=aes128-sha1-esn-noesn.
- In addition to ESN, Linux 2.6.39 gained support for replay windows larger
than 32 packets. The new global strongswan.conf option 'charon.replay_window'
configures the size of the replay window, in packets.
strongswan-4.5.1
----------------
- Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP)
compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol
requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend
on the libtnc library. Any available IMV/IMC pairs conforming to the
Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification
can be loaded via /etc/tnc_config.
- Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
in place of the external libtnc library.
- The tnccs_dynamic plugin loaded on a TNC server in addition to the
tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
protocol version used by a TNC client and invokes an instance of
the corresponding protocol stack.
- IKE and ESP proposals can now be stored in an SQL database using a
new proposals table. The start_action field in the child_configs
tables allows the automatic starting or routing of connections stored
in an SQL database.
- The new certificate_authorities and certificate_distribution_points
tables make it possible to store CRL and OCSP Certificate Distribution
points in an SQL database.
- The new 'include' statement allows to recursively include other files in
strongswan.conf. Existing sections and values are thereby extended and
replaced, respectively.
- Due to the changes in the parser for strongswan.conf, the configuration
syntax for the attr plugin has changed. Previously, it was possible to
specify multiple values of a specific attribute type by adding multiple
key/value pairs with the same key (e.g. dns) to the plugins.attr section.
Because values with the same key now replace previously defined values
this is not possible anymore. As an alternative, multiple values can be
specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5).
- ipsec listalgs now appends (set in square brackets) to each crypto
algorithm listed the plugin that registered the function.
- Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used
by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given
boundary, the special value '%mtu' pads all packets to the path MTU.
- The new af-alg plugin can use various crypto primitives of the Linux Crypto
API using the AF_ALG interface introduced with 2.6.38. This removes the need
for additional userland implementations of symmetric cipher, hash, hmac and
xcbc algorithms.
- The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
responder. The notify is sent when initiating configurations with a unique
policy, set in ipsec.conf via the global 'uniqueids' option.
- The conftest conformance testing framework enables the IKEv2 stack to perform
many tests using a distinct tool and configuration frontend. Various hooks
can alter reserved bits, flags, add custom notifies and proposals, reorder
or drop messages and much more. It is enabled using the --enable-conftest
./configure switch.
- The new libstrongswan constraints plugin provides advanced X.509 constraint
checking. In addition to X.509 pathLen constraints, the plugin checks for
nameConstraints and certificatePolicies, including policyMappings and
policyConstraints. The x509 certificate plugin and the pki tool have been
enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
connection keywords take OIDs a peer certificate must have.
- The left/rightauth ipsec.conf keywords accept values with a minimum strength
for trustchain public keys in bits, such as rsa-2048 or ecdsa-256.
- The revocation and x509 libstrongswan plugins and the pki tool gained basic
support for delta CRLs.
strongswan-4.5.0
----------------