We are happy to announce the release of strongSwan 5.3.1, which brings AES-NI support and fixes a vulnerability and several other issues.
Denial-of-Service and Possible Remote Code Execution Vulnerability (CVE-2015-3991)
A denial-of-service and possible remote code execution vulnerability was fixed that could be triggered by crafted IKE messages. Versions 5.2.2 and 5.3.0 are affected.
More information is provided in a separate blog entry.
Support for AES-NI and PCLMULQDQ instructions
The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ instructions and works on both x86 and x64 architectures. It provides superior crypto performance in userland without any external libraries.
Fixed IKEv2 Fragmentation Causing Duplicate IVs
An issue with IKEv2 fragmentation (introduced in 5.2.1) and encryption algorithms that use sequential IVs (e.g. AES-GCM) has been fixed. Previously the IKE message ID was used as IV, but with IKEv2 fragmentation this ID is no longer unique, so the same IV was used for all fragments of the same message. This was fixed by including the fragment identifier in the IV (62e0abe759).
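To show why a repeated IV under AES-GCM is a real problem rather than a cosmetic bug, here is an added example (not strongSwan's code, and the 8-byte IV layout, the key and the salt are constructed for illustration) that seals two fragments of one message under a message-ID-only IV and under an IV that also carries the fragment identifier, then checks whether the ciphertext XOR reveals the plaintext XOR:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Simplified model of the two IV constructions described above (8-byte IKEv2 GCM
// IV); it is not strongSwan's code or on-the-wire layout. ivOld: only the message
// ID feeds the IV, so all fragments of one message share it.
func ivOld(msgID uint32, _ uint16) []byte {
	iv := make([]byte, 8)
	binary.BigEndian.PutUint32(iv[4:], msgID)
	return iv
}

// ivFixed: the fragment identifier is mixed in too, so each fragment gets a distinct IV.
func ivFixed(msgID uint32, fragID uint16) []byte {
	iv := ivOld(msgID, fragID)
	binary.BigEndian.PutUint16(iv[:2], fragID)
	return iv
}

// Constructed key and 4-byte salt; the 12-byte GCM nonce is salt || IV (RFC 5282 layout).
var key, salt = []byte("0123456789abcdef"), []byte{0xde, 0xad, 0xbe, 0xef}
func sealFragment(ivf func(uint32, uint16) []byte, msgID uint32, fragID uint16, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	nonce := append(append([]byte{}, salt...), ivf(msgID, fragID)...)
	return aead.Seal(nil, nonce, pt, nil)
}

// keystreamReused seals two fragments of message 7 and checks whether c1^c2 == p1^p2.
// GCM is CTR mode underneath, so that holds exactly when the IV (keystream) repeated.
func keystreamReused(ivf func(uint32, uint16) []byte) bool {
	p1, p2 := []byte("fragment one...."), []byte("fragment two....")
	c1, c2 := sealFragment(ivf, 7, 1, p1), sealFragment(ivf, 7, 2, p2)
	diff := make([]byte, len(p1))
	for i := range diff {
		diff[i] = c1[i] ^ c2[i] ^ p1[i] ^ p2[i]
	}
	return bytes.Equal(diff, make([]byte, len(diff)))
}

func main() {
	fmt.Println("message-ID-only IV leaks plaintext XOR:", keystreamReused(ivOld))
	fmt.Println("IV with fragment ID leaks plaintext XOR:", keystreamReused(ivFixed))
}
```

With the message-ID-only IV the two fragments share a keystream, so XORing the ciphertexts yields the XOR of the plaintexts (and the GCM authentication key is exposed as well); once the fragment identifier is part of the IV the relation disappears.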
Increased Accuracy for RADIUS Accounting
The accuracy of usage statistics reported via RADIUS Accounting has been increased in several situations (e.g. if interim updates occur while rekeying a CHILD_SA).
Other Notable Changes
- The TLS client in libtls now rejects Diffie-Hellman groups with primes smaller than 1024 bits.
- The interface for DH implementations was extended to enable unit tests.