We are happy to announce the release of strongSwan 5.2.2, which brings a new post-quantum signature scheme, identity type prefixes and fixes a DoS vulnerability and several other issues.
Denial-of-Service Vulnerability (CVE-2014-9221)
A denial-of-service vulnerability was fixed that could be triggered by an IKEv2 Key Exchange (KE) payload that contains the Diffie-Hellman group 1025. All versions since 4.5.0 are affected.
More information is provided in a separate blog entry.
Post-quantum Bimodal Lattice Signature Scheme (BLISS)
BLISS provides an alternative next generation public key authentication method for IKEv2 connections. Together with the NTRU Encryption based IKE key exchange methods released with strongSwan 5.1.2 it has become possible to set up IPsec connections with either 128-bit or 192-bit cryptographic strength that are resistant against attacks by quantum computers. The rw-ntru-bliss scenario shows the BLISS/NTRU combination at work.
Explicit type prefixes for identities
The left|rightid options in ipsec.conf, or any other identity in strongSwan, now accept prefixes to enforce an explicit type, such as email: or fqdn:. Note that no conversion is done for the remaining string; refer to the conn section reference (or the ipsec.conf(5) man page) for details.
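As an added illustration (not strongSwan's own code), the following Python models the difference between heuristic type detection and an explicit prefix: with a prefix the type is forced and the remainder is kept verbatim, so a peer presenting the same string under a different identity type no longer matches. Only email: and fqdn: are named in the release notes; rfc822: and dns: are assumed from the ipsec.conf(5) man page, and the auto-detection rules are a simplification.

```python
import ipaddress
from typing import Tuple

# Prefixes that force an identity type. email: and fqdn: come from the
# release notes; rfc822: and dns: are assumed aliases from ipsec.conf(5).
EXPLICIT_PREFIXES = {
    "email:": "RFC822_ADDR",
    "rfc822:": "RFC822_ADDR",
    "fqdn:": "FQDN",
    "dns:": "FQDN",
}


def detect_identity(value: str) -> Tuple[str, str]:
    """Guess the identity type when no prefix is present.
    Simplified approximation of the automatic detection, not the real rules."""
    try:
        addr = ipaddress.ip_address(value)
        return ("IPV4_ADDR" if addr.version == 4 else "IPV6_ADDR", value)
    except ValueError:
        pass
    if "@" in value:
        return ("RFC822_ADDR", value)
    return ("FQDN", value)


def parse_identity(value: str) -> Tuple[str, str]:
    """Return (type, data). An explicit prefix wins and the rest of the
    string is taken as-is, with no conversion; otherwise the type is guessed."""
    lowered = value.lower()
    for prefix, id_type in EXPLICIT_PREFIXES.items():
        if lowered.startswith(prefix):
            return (id_type, value[len(prefix):])
    return detect_identity(value)


def identities_match(configured: str, presented: str) -> bool:
    """A peer identity matches only if both type and data agree
    (string types compared case-insensitively)."""
    c_type, c_data = parse_identity(configured)
    p_type, p_data = parse_identity(presented)
    if c_type != p_type:
        return False
    if c_type in ("FQDN", "RFC822_ADDR"):
        return c_data.lower() == p_data.lower()
    return c_data == p_data
```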
Use correct mapping of AH integrity algorithms with IKEv1
We fixed the mapping of integrity algorithms negotiated for AH via IKEv1. This could cause interoperability issues when connecting to older versions of charon.
Other Notable Changes
- Fixed rekeying when fragmentation=yes is used for IKEv2 connections.
- Fix handling of invalid policies in end-entity certificates by not rejecting the full certificate but just invalidating the affected policy (see #453).
- Support for IP address pools defined as ranges (<from>-<to>) in ipsec.conf and swanctl.conf. Also fixed pool size calculation and reassigning leases.
- Send and handle INITIAL_CONTACT notifies in IKEv1 Main Mode.