strongSwan - IPsec-based VPN
Support for the IKEv2 OCSP extensions (RFC 4806) has been added, which allows peers to request and send OCSP responses together with their certificate chain directly in IKEv2 (#2016). The OCSP responses for local certificates are currently retrieved via the revocation plugin, either from the cache or fetched from an OCSP server (see the developer notes for details). The feature can be controlled via the <conn>.ocsp setting in swanctl.conf. By default, OCSP responses are sent if the peer requests any and a response can be retrieved.
If sending requests is enabled, the implementation generally sends an empty OCSP certificate request payload. Only if self-signed OCSP signer certificates are found locally will their public key's hash be added to the payload. Such certificates must either have the OCSPSigning extended key usage flag set, or be placed in the x509ocsp directory so that they are flagged when loaded.
The Android app now supports managed configurations via enterprise mobility management (EMM) systems (#2005). Besides configuring global settings and VPN profiles (with settings similar to those supported in profile files, including certificates), this also provides management options for disabling certain features of the app (e.g. to prevent users from creating and/or importing custom profiles or to only display managed profiles).
Added support for PSS padding for smartcard-based RSA signatures to the pkcs11 plugin, using either on-chip or external data hashing.
Added keyid and certid handles to the pki --ocsp command so that keys and/or certificates can be stored on a smartcard or in a TPM 2.0 device (note that this may add quite a delay to generating OCSP responses).
Validation of X.509 name constraints has been refactored to align with RFC 5280 (#2114). This fixes several limitations of the previous implementation. Name constraints are now correctly propagated from the root of the certificate chain so that intermediate CA certificates don't have to explicitly inherit the name constraints of their parents anymore. The latter previously prevented adding constraints in an intermediate CA certificate that's followed by another that doesn't contain any name constraints. This is perfectly fine as the set of constraints specified by the parent continue to apply to that intermediate CA certificate and the children it issues.
Identities also don't have to match all name constraints of the same type anymore, which previously made it impossible to encode multiple constraints of the same type: e.g. with permitted name constraints for both example.org and example.com, no acceptable certificates could be issued, as any SAN matching one domain would get rejected by the other constraint. In compliance with the RFC, matching a single constraint is now enough.
Also resolved is an issue with name constraints for IP addresses (added with 5.9.12), which were previously only supported for a single level.
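The following is an added illustration of the RFC 5280 behaviour the name-constraint changes above describe; it is not strongSwan code and models only the matching logic. A chain is given as a root-first list of per-certificate constraint sets (None means the certificate has no nameConstraints extension). It shows that constraints propagate from the root, so an intermediate without its own extension still inherits its parent's; that an identity only has to fall within one permitted subtree of its type (the legacy_match_all flag reproduces the old match-everything behaviour that made two permitted domains unsatisfiable); and that iPAddress constraints apply at any level of the chain. The certificate chain and identities are constructed for the example.

```python
"""RFC 5280 4.2.1.10 name-constraint evaluation for dNSName and iPAddress identities.
Added example, not strongSwan code; the chain below is constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    permitted_dns: list = field(default_factory=list)
    excluded_dns: list = field(default_factory=list)
    permitted_ip: list = field(default_factory=list)  # CIDR strings
    excluded_ip: list = field(default_factory=list)


def dns_in_subtree(name, base):
    """'example.com' covers example.com and every host below it; a base starting
    with '.' covers subdomains only. 'evilexample.com' must not match."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base)
    return name == base or name.endswith("." + base)


def ip_in_subtree(addr, cidr):
    # Different address families never match (ipaddress returns False).
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


MATCHERS = {"dns": dns_in_subtree, "ip": ip_in_subtree}


def constraints_for_leaf(chain):
    """Accumulate constraints root-first. A certificate's constraints apply to the
    certificates it issues, never to itself, so the leaf's own entry is skipped and
    a certificate without the extension (None) simply leaves the inherited set
    untouched. Returns one permitted list per issuer that has any (each must be
    satisfied) and the union of excluded subtrees, both keyed by type."""
    permitted = {"dns": [], "ip": []}
    excluded = {"dns": [], "ip": []}
    for nc in chain[:-1]:
        if nc is None:
            continue
        for kind, perm, excl in (("dns", nc.permitted_dns, nc.excluded_dns),
                                 ("ip", nc.permitted_ip, nc.excluded_ip)):
            if perm:
                permitted[kind].append(perm)
            excluded[kind].extend(excl)
    return permitted, excluded


def identity_allowed(identity, kind, chain, legacy_match_all=False):
    """True if a leaf identity (dNSName or IP address string) is acceptable under
    the constraints of every issuer in chain. Per RFC 5280 a permitted set is
    satisfied when ANY of its subtrees matches; legacy_match_all instead demands a
    match against EVERY subtree of that type, the pre-5.9.14 behaviour."""
    match = MATCHERS[kind]
    permitted, excluded = constraints_for_leaf(chain)
    if any(match(identity, sub) for sub in excluded[kind]):
        return False
    for subtrees in permitted[kind]:
        hits = [match(identity, sub) for sub in subtrees]
        if legacy_match_all and not all(hits):
            return False
        if not legacy_match_all and not any(hits):
            return False
    return True


# Constructed chain: the root permits two domains and a /16, the first
# intermediate narrows DNS names to example.org and excludes one /24, the second
# intermediate carries no nameConstraints extension at all.
ROOT = NameConstraints(permitted_dns=["example.org", "example.com"],
                       permitted_ip=["10.0.0.0/16"])
INTERMEDIATE_1 = NameConstraints(permitted_dns=["example.org"],
                                 excluded_ip=["10.0.99.0/24"])
INTERMEDIATE_2 = None
LEAF = None
CHAIN = [ROOT, INTERMEDIATE_1, INTERMEDIATE_2, LEAF]

if __name__ == "__main__":
    for ident, kind in (("vpn.example.org", "dns"), ("vpn.example.com", "dns"),
                        ("evilexample.org", "dns"), ("10.0.1.7", "ip"), ("10.0.99.7", "ip")):
        print(f"{ident:20} {identity_allowed(ident, kind, CHAIN)}")
    print("legacy match-all with two permitted domains:",
          identity_allowed("vpn.example.org", "dns", [ROOT, None], legacy_match_all=True))
```

Note that the example only checks the leaf identity; a full validator also applies the inherited constraints to the subject names of intermediate CA certificates, which is exactly why propagation from the root matters.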
The dhcp plugin has been ported to FreeBSD/macOS (#2047). The code for BPF handling has been refactored and is now shared between dhcp and farp plugin.
The openssl plugin is now compatible to AWS-LC, a crypto library based on code from BoringSSL and OpenSSL (#1907).
The identity enforced by the configuration was added to the message logged when identities don't match (#2088).
The ocsp() method of the cert_validator_t interface is used to retrieve an OCSP response for a local X.509 certificate when responding to an OCSP certificate request. It's currently only implemented by the revocation plugin, which uses the same code that's used when verifying remote certificates via OCSP.
malloc_usable_size(), which is used by systemd and the libraries it provides (e.g. nss-systemd) (#2045).
The build.gradle file for the Android app now declares the NDK version and uses the default NDK invocation instead of the custom tasks that were used before (1cab544c759749a899b439acb4fae1fb58279db8).
org.strongswan.android.VPN_PROFILE_UUID (the old one is still supported as fallback, though).
Refer to the 5.9.14 milestone for a list of all closed issues and pull requests.
A charon.ocsp_nonce_len setting was added that allows specifying the length of nonce values in OCSP requests. Since 5.9.12, the default length is 32 bytes, as required by RFC 8954 for newer clients. However, there might be older OCSP servers that don't support that, in which case reducing the length to e.g. 16, which was the previous default, might be necessary (f3af1704d94ed1db5277151d17e0d2661970d3a8).
pki --ocsp --respond replies with an internal error OCSP response if no signer certificate is found (e.g. if the request is sent to the wrong server) instead of failing silently (945be4ece57d92d9c3011efbdf9f27dd60279bc1).
cert-install-ssl script for the cert-enroll script (da45cf9f38207af7dced1762747c2d79ef3a3d02).
Refer to the 5.9.13 milestone for a list of all closed issues and pull requests.
Fixed a vulnerability in charon-tkm (the TKM-backed version of the charon IKE daemon) related to processing DH public values that can lead to a buffer overflow and potentially remote code execution. This vulnerability has been registered as CVE-2023-41913. Please refer to our blog for details.
The new pki --ocsp command produces OCSP responses based on certificate status information provided by implementations of the new ocsp_responder_t interface (#1958).
Two sources are currently available: the openxpki plugin that directly accesses the OpenXPKI database, and the command's --index argument, which reads certificate status information from OpenSSL-style index.txt files (multiple CAs are supported concurrently).
The new cert-enroll script handles the initial enrollment of an X.509 host certificate with a PKI server via the EST or SCEP protocols.
Run as a systemd timer or via a crontab entry, the script checks the expiration date of the host certificate daily. When a given deadline is reached, the host certificate is automatically renewed via EST or SCEP re-enrollment based on the possession of the old private key and the matching certificate.
Added a global option (charon.reject_trusted_end_entity) to prevent peers from authenticating with certificates that are locally trusted, in particular our own local certificate, which safeguards against accidental reuse of certificates on multiple peers. As the name suggests, all trusted end-entity certificates are rejected if enabled, so peer certificates can't be configured explicitly anymore (e.g. via remote.certs in swanctl.conf).
The --priv argument for charon-cmd allows the use of any type of private key (previously, only RSA keys were supported).
The openssl plugin now supports the nameConstraints extension in X.509 certificates (#1990).
nameConstraints of type iPAddress are now supported by the x509, openssl and constraints plugins (#1991).
Support for encoding subjectAlternativeName extensions of type uniformResourceIdentifier in X.509 certificates has been added via the uri: prefix (e.g. for URNs, #1983).
Support for password-less PKCS#12 and PKCS#8 files has been added (#1955).
Because of a relatively recent NIAP requirement (TD0527, Test 8b), loading of certificates with ECDSA keys that explicitly encode the curve parameters is rejected if possible. Explicit encoding is pretty rare to begin with and e.g. wolfSSL already rejects such keys, by default. All crypto plugins that support ECDSA enforce this by rejecting such public keys, except when using older versions of OpenSSL (< 1.1.1h) or Botan (< 3.2.0) (#1949).
The NetworkManager plugin (charon-nm) now actually uses the XFRM interface it has been creating since 5.9.10. This involves setting interface IDs on SAs and policies, and installing routes via the interface. To avoid routing loops if the remote traffic selectors include the VPN server, IKE and ESP packets are marked to bypass the routing table that contains the routes via the XFRM interface (69e0c1161d54f0ecb5d18b0e0c5e39dcc69fba93).
If available, the plugin now also adopts the interface name configured in connection.interface-name in a *.nmconnection file as name for the XFRM interface instead of generating one randomly (e8f8d32494e2945f6f43b7ac46fa5d0491b417ec).
The resolve plugin tries to maintain the order of DNS servers it installs via resolvconf or resolv.conf (6440975bb40609e4894931ae3d679ecea73784c8, 8238ad480aa7b404e345cee06bc49389141ca269).
The kernel-libipsec plugin now always installs routes to remote networks even if no address is found in the local traffic selectors, which allows forwarding traffic from networks the VPN host is not part of (190d8cbe1931ec57484d9bb451824a7fc57979bd).
Increased the default receive buffer size for Netlink sockets to 8 MiB (doubled by the kernel to account for overhead) and simplified the configuration (no need for a separate option to force overriding rmem_max). It's now also set for event sockets, which previously could cause issues on hosts with e.g. lots of route changes (#1757).
When issuing certificates, the subjectKeyIdentifier of the issuing certificate, if available, is now copied as authorityKeyIdentifier, instead of always generating a SHA-1 hash of the issuer's subjectPublicKey (#1992, 6941dcb17aa5fb51b6fe7831794a4c3593480c3c).
Explicitly request permission to display notifications on Android 13+ (ddf84c165d94811a025f128fb6016f5911d6b179); hardware acceleration was also enabled for the Android-specific OpenSSL build.
Fixed an issue in the watcher_t component with handling errors on sockets (e.g. if the receive buffer is full), which caused an infinite loop if poll() only signaled POLLERR as event (#1757).
Fixed including the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs in the kernel-netlink plugin, which prevented MOBIKE updates if a large anti-replay window was used (#1967).
Fixed the CHILD_SA_NOT_FOUND notify sent if a CHILD_SA is not found during rekeying. It was previously empty; it now contains the SPI and sets the protocol to the values received in the REKEY_SA notify (849c2c9707e00fc5210bd389631a2fc1a97089e6).
The ocsp_responder_t interface can be implemented to provide certificate status information to the pki --ocsp command. Responders can be (un-)registered via the ocsp_responders_t instance at lib->ocsp.
In the watcher_t component, WATCHER_EXCEPT has been removed as there is no way to explicitly listen for errors on sockets, and poll() can actually return POLLERR for any FD; it might even be the only signaled event (which caused an infinite loop previously). Now we simply notify the registered callbacks. The error is then reported by e.g. recvfrom(), which was already the case before if POLLERR was returned together with e.g. POLLIN.
Reqids allocated via kernel_interface_t::alloc_reqid() are now refcounted. When recreating a CHILD_SA, a reference to the reqid can be requested via child_sa_t::get_reqid_ref(). If another reference is required afterwards, one can be acquired directly via kernel_interface_t::ref_reqid(). Each reference has to be released via kernel_interface_t::release_reqid(), whose interface was simplified.
/etc/fstab and mounting the test results).
Refer to the 5.9.12 milestone for a list of all closed issues and pull requests.
A long-standing deadlock in the vici plugin has been fixed that could get triggered when multiple connections were initiated/terminated concurrently and control-log events were raised by the watcher_t component (#566).
To potentially improve the performance and reduce the chances of a similar deadlock, the logging calls in the watcher_t component have been reduced and moved out of its internal mutex (53208b0ba4c17f6efc9df3007ecf9626471fd78d) and a change that caused the component to busy wait in some situations has also been reverted (30803f90eb3721db178822bca203fb14696cfced). Also related is a change that avoids verbose log calls during initiate/terminate() (d96d15b5882f5f67f6b22fdbbf956ec63cbc94ec, also see the developer notes below).
In compliance with RFC 5280, CRLs now have to be signed by a certificate that either encodes the cRLSign keyUsage bit (even if it is a CA certificate), or is a CA certificate without a keyUsage extension. strongSwan has encoded a keyUsage extension with the cRLSign bit set in all CA certificates for 13 years. Before that it didn't encode the extension at all, so such certificates would also be accepted as CRL issuer in case they are still valid (7dc82dea34167c1585a95f38b532e11a67a53ee8).
Support for optional CA labels in EST server URIs (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>) was added to the pki --est and pki --estca commands (#1614).
The pkcs7 and openssl plugins now support CMS-style signatures in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA signatures (#1615).
Fixed a regression in the server implementation of EAP-TLS when using TLS 1.2 or earlier that was introduced with 5.9.10 (#1613, 3d0d3f5d028a0c630f89cb4fec5b2cd5364f568b).
The EAP-TLS client now enforces that the TLS handshake is complete when using TLS 1.2 or earlier. It was possible to shortcut it by sending an early EAP-Success message. Note that this isn't a security issue as the server is authenticated at that point (db87087fae6b4d1761dfba4eae3bd4880f5d23ab).
On Linux, the kernel-libipsec plugin can now optionally handle ESP packets without UDP encapsulation (uses RAW sockets, disabled by default, e3cb756dbf7bd2e7734103ecea599c1d9970baa4). The plugin and libipsec also gained support for trap policies (23d20bbb96dde1f63f2a53e2dd099b2fb3908bda).
The dhcp plugin uses an alternative method to determine the source address when sending unicast DHCP requests, which is not affected by interface filtering that might be employed for the IKE sockets (#1573).
The selection of certificates and trust chains as initiator has been improved if the local trust chain is incomplete (i.e. the root CA certificate for the local certificate is not loaded) while a certificate request for a known but unrelated CA is received, which caused any local intermediate CA certificates not to get sent (efdcbd13cb65528a91867118521595ac22623654).
ECDSA and EdDSA public keys are supported by the ipseckey plugin when parsing RFC 4025 IPSECKEY resource records (7be55adf051049aaf48d9f1d4fd69abe422bb7e9).
The kernel-wfp plugin installs bypass policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer, which is necessary to bypass tunnel mode SAs/policies (8c0a67f700c8feb9a00312b230a41352f9e1b124).
The revocation plugin suppresses some log messages for cached OCSP responses (9e17a0ed88ee6c9c2c77fbb747e667a339819b49).
To further improve handling of cached OCSP responses, stale responses are now replaced in-place in the certificate cache (47e8b21c76366dcdfb1064fb4e1fdb619e684684).
Capabilities of a SCEP server are now correctly parsed by pki --scep and pki --scepca (#1607).
When renewing a certificate via SCEP, the --dn argument is now optional and gets copied from the previous certificate. This is helpful in case the CA added RDNs the user might not be aware of to the issued certificate (5f8eb09dd665a242fbebd55e47a0080c2f983704, #1689).
Fixed the fallback to the remote identity for mediated connections if no peer ID is configured (#1569, dd79253e2d3a2d2f61689305cc02c506e2a5f746).
The log messages for the terminate() and rekey() commands have been improved to clarify what's happening if combined filters are used (e.g. with both --ike and --child passed, only matching CHILD_SAs will be affected, but previously a separate log message indicated that IKE_SAs would get targeted as well, 5e46e101a6f1f7ab24549679b15d0ff2c98c3081).
Fixed a crash when charon-svc is terminated (8f5c0c9ca926b9f936ada13f72f4b73756ecbc62).
If IKEv1 SAs are reset during a reauthentication because of a timeout, the initiator SPI changes. CHILD_SAs are now correctly migrated to the new SPI (#1663).
For developers:
vici.Transport.receive() and doesn't cause partial reads (#1562).
The controller_t::initiate() and controller_t::terminate() methods now take the maximum log level for messages that are passed to the callback (if any). If controller_cb_empty() is passed as callback, LEVEL_SILENT should be used to avoid any useless calls to the callback.
DEBUG_LEVEL should again be possible (7fa85ff379da8ffe5264c109723dd20f5f579821).
Refer to the 5.9.11 milestone for a list of all closed issues and pull requests.
Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. Please refer to our blog for details.
Added support for full packet hardware offload for IPsec SAs and policies, which has been introduced with the Linux 6.2 kernel, to the kernel-netlink plugin (#1462). Bypass policies for the IKE ports are automatically offloaded to devices that support this type of offloading.
TLS-based EAP methods use the key derivation specified in draft-ietf-emu-tls-eap-types (currently in the RFC Editor's publication queue) when used with TLS 1.3 (06abdf1d31f5cee7ee90611e2ee7f390b2a3c9a4).
The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication" (5401a74d3608be19a4a883c10d4bd89e73c6ee60). Similarly, the eap-peap plugin correctly initiates Phase 2 with TLS 1.3 also if phase2_piggyback is disabled (default) (8aa13a1797eb7472b763a9b8e60d906261c6b243).
Routes via XFRM interfaces can now optionally be installed automatically by enabling the charon.plugins.kernel-netlink.install_routes_xfrmi option. Such routes are only installed if an interface with the ID referenced in if_id_out exists when the corresponding CHILD_SA is installed. If the traffic selectors include the IKE traffic to the peer, special care is required (please refer to the docs for details).
The NetworkManager backend charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel (#1048).
With the new prefer value for the childless setting, initiators will create a childless IKE_SA if the responder supports the extension (RFC 6023). As responder, it has the same effect as allow.
The pki --req command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request (CSR).
The pki --issue command adopts EKU flags that are either directly encoded in CSRs or derived from an encoded profile string (msCertificateTypeExtension). With the --flag option, these flags can either be overridden completely, or specific flags can be added and/or removed from the encoded set.
When running on a Linux 6.2 kernel, the last use times of CHILD_SAs are determined by querying the IPsec SAs and not the policies (older kernels don't report the last use time per SA).
For libcurl with MultiSSL support, the curl plugin provides an option to select a specific SSL/TLS backend.
The swanctl --monitor-sa command exits with ECONNRESET if the daemon closes the VICI connection.
For developers:
libcrypto is provided in the repository (see the docs for details).
Implementations of kernel_ipsec_t that support reporting the last use time of an SA via query_sa() should announce this via the KERNEL_SA_USE_TIME kernel feature.
libvici provides a callback that's invoked if the connection is closed by the daemon, which may be useful when listening for events.
Refer to the 5.9.10 milestone for a list of all closed issues and pull requests.
resolvconf(8) used by the resolve plugin is now configurable (dee1916e4cf3cb3baafc3b01118a56a38b4d936c).
The resolve plugin doesn't call resolvconf(8) with individual interface names for each name server anymore. Instead, it uses a single, configurable interface/protocol name and provides all available name servers to resolvconf(8) every time a name server is added or removed (#1353).
The listen() operation in the VICI Python bindings may now optionally time out, which can be useful when listening for events in a separate thread as that can otherwise not be canceled easily (#1416). Support for Python 2 has been dropped.
charon.reqid_base in strongswan.conf. This allows reserving some low reqids for manual allocation.
EINVAL or ENOSYS did previously.
The get_serial() method of the x509_t, crl_t, and ac_t interfaces is now expected to return serial numbers in canonical form (i.e. without leading zeros). The existing plugins that implement or use these interfaces have been adapted accordingly; make sure to do the same with custom plugins/patches.
With libbfd (--enable-bfd-backtraces), our own leak detective can whitelist functions that are otherwise not visible.
Refer to the 5.9.9 milestone for a list of all closed issues and pull requests.
Fixed a vulnerability related to online certificate revocation checking that was caused because the revocation plugin used potentially untrusted OCSP URIs and CRL distribution points in certificates. This allowed a remote attacker to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which could have led to a denial-of-service attack. This vulnerability has been registered as CVE-2022-40617. Please refer to our blog for details.
The pki --scep|--scepca commands implement the HTTP-based "Simple Certificate Enrollment Protocol" (RFC 8894 SCEP), replacing the old and long deprecated scepclient that has been removed.
The pki --est|--estca commands implement the HTTPS-based "Enrollment over Secure Transport" (RFC 7030 EST) protocol.
The pki --req command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key.
The ike_cfg_t object is now always replaced together with the peer_cfg_t object that's set on an IKE_SA during authentication. This is more consistent and allows properly taking into account some settings that are also relevant during IKE_AUTH (e.g. childless); it was actually already handled this way during rekeying/reestablishing of IKE_SAs and e.g. for the DSCP setting.
The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests (now indirectly enabled if the pki tool is built due to the implementation of EST) can be completed successfully with just the default plugins.
Our TLS client implementation now sends an empty certificate payload if a certificate request is received but no certificate is available. The encoding of TLS 1.3 certificate extensions for intermediate CA certificates has also been fixed.
The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP sockets, so an error is triggered if e.g. two daemons (e.g. charon and charon-systemd) are running concurrently using the same ports.
The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier for RSASSA-PSS signatures with explicit trailerField, which might be necessary for interoperability with implementations of RFC 7427 that haven't considered its errata.
A potential use-after-free issue has been fixed when caching credential encodings (e.g. fingerprints) if multiple threads operate on the same key concurrently (#1231).
A potential crash has been fixed caused by a race condition during shutdown between the main thread flushing the IKE_SA manager and worker threads still creating IKE_SAs (#1252).
A potential crash in the vici plugin has been fixed that was caused when events were triggered with messages that failed to get created successfully (#1278).
A file descriptor leak has been fixed in the Android client (#1160), plus some other issues related to targeting Android 12 (e.g. #1151 and 86b69f26e49f93f94f6ab84b48feac8716a719cc).
For developers:
The ike_updown() "up" event and the state change to IKE_ESTABLISHED are now triggered after all IKE-related tasks are done. This ensures the IKE_SA is actually fully established, which now includes any assigned virtual IPs, additional MOBIKE peer addresses or a reauthentication time updated via AUTH_LIFETIME notify. This was an issue for the selinux plugin if virtual IPs were used.
In the cert_validator_t interface, the online flag has been removed from the validate() method, which is called during basic certificate chain validation. Online validation is now instead triggered via the new validate_online() method, which is called after a trusted certificate chain has been built.
pen_t is now used for EAP vendor IDs instead of uint32_t.
The --enable-asan configure option enables building with AddressSanitizer (ASan).
The TESTS_ITERATIONS environment variable allows running only specific iterations of loop-based test functions.
Refer to the 5.9.8 milestone for a list of all closed issues and pull requests.
The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message. So instead of deriving the keys directly while processing an IKE_SA_INIT request (which could come from a spoofed address), it is delayed until the corresponding IKE_AUTH request is received. See below for required changes for Diffie-Hellman implementations.
Inbound IKEv2 messages, in particular requests, are now processed differently. Instead of parsing all inbound messages right away (which might trigger a key derivation or require keys we don't have anymore in the multi-KE use case), we now first check a request's message ID and compare its hash to that of the previous request to decide if it's a valid retransmit. For fragmented messages we only keep track of the first fragment so we can send the corresponding response immediately if a retransmit of it is received, instead of waiting for all fragments and reconstructing the message, which we did before.
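The following is an added illustration of the responder-side retransmit handling described above; it is not charon's code. Fragment is a constructed stand-in for an inbound IKEv2 request (or one fragment of it), not the wire encoding, and the hash is taken over that stand-in before anything is parsed. The important properties it reproduces: a request with the previous message ID is compared by hash before any processing, so a different message reusing that ID cannot trigger key derivation; only the first fragment of a fragmented request is remembered, so a retransmitted fragmented request is answered as soon as its first fragment shows up again instead of after reassembly.

```python
"""Responder-side IKEv2 retransmit detection keyed on message ID and a hash of the
request. Added example, not strongSwan code; Fragment is a constructed stand-in."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Fragment:
    message_id: int
    frag_num: int = 1      # 1-based, like the Encrypted Fragment payload
    frag_total: int = 1
    data: bytes = b""


def digest(frag: Fragment) -> bytes:
    """Hash of the raw request as received, computed before any parsing."""
    h = hashlib.sha256()
    h.update(frag.message_id.to_bytes(4, "big"))
    h.update(frag.frag_num.to_bytes(2, "big") + frag.frag_total.to_bytes(2, "big"))
    h.update(frag.data)
    return h.digest()


@dataclass
class Responder:
    expected_id: int = 0                    # message ID of the next new request
    last_hash: Optional[bytes] = None       # hash of the previous request's first fragment
    last_response: Optional[bytes] = None   # cached response to that request
    pending: dict = field(default_factory=dict)  # frag_num -> data of the current request
    pending_total: int = 0
    pending_hash: Optional[bytes] = None

    def handle(self, frag: Fragment):
        """Classify an inbound request. Returns one of
          ("retransmit", response)  resend the cached response, nothing is parsed
          ("process", payload)      a new, complete request to hand to the tasks
          ("wait", None)            fragment stored, more are needed
          ("drop", reason)          ignored"""
        if frag.frag_total < 1 or not 1 <= frag.frag_num <= frag.frag_total:
            return ("drop", "bad fragment numbering")
        if frag.message_id == self.expected_id - 1:
            # Only the first fragment of the previous request is remembered.
            if frag.frag_num != 1:
                return ("drop", "later fragment of an old request")
            if self.last_hash is None or digest(frag) != self.last_hash:
                return ("drop", "different message reusing the previous ID")
            if self.last_response is None:
                return ("drop", "previous request still being processed")
            return ("retransmit", self.last_response)
        if frag.message_id != self.expected_id:
            return ("drop", "message ID out of window")
        if frag.frag_num == 1:
            # A first fragment restarts reassembly; its hash is the one kept.
            self.pending = {1: frag.data}
            self.pending_total = frag.frag_total
            self.pending_hash = digest(frag)
        elif not self.pending or frag.frag_total != self.pending_total:
            return ("drop", "fragment without matching first fragment")
        else:
            self.pending[frag.frag_num] = frag.data
        if len(self.pending) < self.pending_total:
            return ("wait", None)
        payload = b"".join(self.pending[i] for i in range(1, self.pending_total + 1))
        self.last_hash, self.last_response = self.pending_hash, None
        self.pending, self.pending_total, self.pending_hash = {}, 0, None
        self.expected_id += 1
        return ("process", payload)

    def respond(self, response: bytes) -> None:
        """Cache the response generated for the request last returned as 'process'."""
        self.last_response = response


if __name__ == "__main__":
    r = Responder()
    print(r.handle(Fragment(0, data=b"IKE_SA_INIT")))          # new request
    r.respond(b"RESP0")
    print(r.handle(Fragment(0, data=b"IKE_SA_INIT")))          # retransmit -> RESP0
    print(r.handle(Fragment(0, data=b"forged")))               # same ID, other content -> drop
    print(r.handle(Fragment(1, 1, 2, b"IKE_AUTH part 1")))     # wait for fragment 2
    print(r.handle(Fragment(1, 2, 2, b", part 2")))            # complete -> process
```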
The retransmission logic in the dhcp plugin has been fixed (#1154). As originally intended, four retransmits are now sent over a total of 15 seconds for each DHCP request. Previously, it could happen that some or all of the five messages were sent at basically the same time, without any delay to wait for a response.
The connmark plugin now considers configured masks in installed firewall rules (#1087). For instance, with mark_in = mark_out = %unique/0x0000ffff, mark values in the upper two bytes would not get reset by the rules installed by the plugin and could be used for other purposes. However, note that in this example the daemon would have to get restarted after 65'535 CHILD_SAs (at the latest) to reset the global 32-bit counter for unique marks as that's unaware of any masks.
Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
The openssl plugin supports AES and Camellia in CTR mode (112bb465fb531cb164c6c2dec3c49a7fe9c853fa).
The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted (RFC 8247 only mentions AES-XCBC and recommends it exclusively for IoT deployments).
The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).
Support for GTK 4 was added to the NetworkManager plugin (#961), the necessary changes were released separately with version 1.6.0 of the plugin.
For developers:
The --enable-warnings configure option is now automatically enabled. It adds -Wall -Wextra -Werror (and a bunch of -Wno-* flags for warnings that are difficult to avoid in our codebase) to the CFLAGS prepared by the script (CFLAGS passed to the script are added after the internal flags, so overriding these options is possible without having to disable --enable-warnings completely). This was mainly added to avoid passing -Werror to the configure script in our automated CI builds as that also affects the tests run by it.
The diffie_hellman_t interface was renamed to key_exchange_t with the following additional changes to the interface:
set_other_public_key() was renamed to set_public_key()
get_shared_secret()
get_my_public_key() was renamed to get_public_key()
set_private_value() was renamed to set_private_key()
get_dh_group() was renamed to get_method()
The diffie_hellman_group_t enum was renamed to key_exchange_method_t; the corresponding enum_name_t instances were renamed similarly. MODP_NONE was renamed to KE_NONE.
The has_dh_group() and promote_dh_group() methods on proposal_t were renamed and generalized to has_transform() and promote_transform(), respectively, which allow checking if any transform/algorithm (not only a DH group) is contained in a proposal, or moving it to the front. Similarly, the get_dh_group() method on ike_cfg_t and child_cfg_t was changed to get_algorithm().
New hooks on task_t enable tasks to do work after generating (post_build()) or processing (post_process()) a message.
The post_build() hook is used by the ike-auth task to collect a copy of the sent IKE_SA_INIT message after it was generated. This avoids having to pre-generate the message in the task, allowing later-running tasks and plugins (via the message() listener hook) to modify it (e.g. add notifies) before it's eventually generated.
TESTS_VERBOSITY_<group> environment variables allow configuring the log level for individual log groups when running the unit tests (they default to TESTS_VERBOSITY).
Refer to the 5.9.7 milestone for a list of all closed issues and pull requests.
The main two steps of the IKEv2 key derivation (PRF/prf+) have been modularized. In particular, prf+ is now provided by a plugin. This makes certification (e.g. FIPS-140) easier as it allows implementing them via an already certified third-party library.
For the most commonly used HMAC-based PRFs, the botan, openssl and wolfssl plugins implement the two steps via their respective implementations of RFC 5869's HKDF-Extract (KDF_PRF) and HKDF-Expand (KDF_PRF_PLUS). A default implementation, based on generic PRFs from other plugins, is provided by the new kdf plugin (may be disabled if one of the mentioned third-party plugins is loaded and none of the rarely used non-HMAC PRFs, AES-XCBC or AES-CMAC, are used).
Support for labeled IPsec with IKEv2 (draft-ietf-ipsecme-labeled-ipsec) has been added. Two modes are currently supported:
With --enable-selinux, support for SELinux labels is enabled and the selinux plugin is built. If SELinux is usable on the system, the negotiated labels are installed on IPsec SAs and policies. The configured label is expected to be a generic context (e.g. system_u:object_r:ipsec_spd_t:s0), which is installed on trap policies, either from the outset via start_action=trap, or dynamically by the selinux plugin after an IKE_SA has been established (e.g. in roadwarrior scenarios, in particular as responder). Once traffic hits such a policy and matches its context via association:polmatch, an acquire with the actual label is triggered by the kernel, for which a CHILD_SA is negotiated with the peer. A childless IKE_SA is created if the connection is not triggered by an acquire and no specific label is available. Labels received as responder are accepted if they match the configured label via association:polmatch.
Denial of Service (DoS) protection has been improved:
Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or dpd_action=restart
). This does not prevent duplicates if they are initiated by the two peers concurrently.
It's now possible to combine trap and start in start_action (i.e. start_action=trap|start) to immediately initiate an SA for which trap policies are also installed.
Updates to reqids on policies are allowed again by the kernel-netlink plugin. The infamous error "unable to install policy ... for reqid ..., the same policy for reqid ... exists" is replaced by a simple warning should the reqid for a policy actually get updated.
Compatibility with OpenSSL 3.0 has been improved (9aa7e126b2e2ee23c06fc628d95012e2c87c094c). Providers are not unloaded anymore to avoid issues with atexit() handlers (#921).
The client identity (e.g. the IKE or EAP identity for EAP-TLS) is again enforced by libtls (#873).
If the source address is unknown when initiating an IKEv2 SA, a NAT situation is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing asymmetric enabling of UDP-encapsulation (#861).
Installing unnecessary exclude routes for VPN servers on FreeBSD is now avoided (#910).
The default AEAD ESP proposal (sent since 5.9.0) now includes noesn
to make it standards-compliant (#868).
Missing alerts were added to the error-notify plugin (801bb8536a2b23736232ff26ee26b76f92ce2da8).
The new map_level option for syslog loggers allows mapping log levels (0..4) to syslog levels starting at the specified number (by default, all messages are logged with LOG_INFO).
The addrblock plugin allows limiting the validation depth of issuer addrblock extensions (e3d1766aff96324a48612fa64e6fb36475c71afc).
Individual CHILD_SAs can be queried via the list-sas() vici command (or swanctl --list-sas), either by unique ID or name.
For developers:
KDF_PRF/KDF_PRF_PLUS), see kdf.h for details.
ike_sa_t::initiate() now takes a struct with optional arguments (such as traffic selectors). The same is the case for similar data from acquires (changed the signatures for acquire() on the kernel_listener_t and kernel_interface_t interfaces).
kernel_ipsec_t::update_sa() is called with new_reqid set in the kernel_ipsec_update_sa_t struct. If a kernel interface doesn't support this, NOT_SUPPORTED should be returned to trigger a rekeying.
ENUM_FLAGS now indicates the name used when no flags are set (previously, (unset) was used for all flag enums). Flags can now also be parsed via enum_flags_from_string() (expects the flags separated by |).
Refer to the 5.9.6 milestone for a list of all closed issues and pull requests.
fipsmodule.cnf. All loaded providers are logged when the plugin is initialized.
EC_get_builtin_curves()).
testing/tkm/Dockerfile).
NOT_SUPPORTED from get_msk(). Those that do have to make sure to return FAILED until the EAP method is complete and an MSK has been established; see the blog post about the vulnerability above for more information.
public_key_t::encrypt() and private_key_t::decrypt() gained a void* argument for algorithm-specific parameters. The first application is the optional label for RSA with OAEP padding.
packet_t/message_t, which may be used to transport information from custom socket plugins to other plugins that later process IKE messages and back again.
Refer to the 5.9.5 milestone for a list of all closed issues and pull requests.