Release and vulnerability announcements for strongSwan

strongSwan 5.7.0 Released

We are happy to announce the release of strongSwan 5.7.0, which brings support for SWIMA for PA-TNC, swanctl.conf/strongswan.conf syntax changes, a Botan crypto library plugin, support for Postquantum Preshared Keys for IKEv2, fixes a potential authorization bypass vulnerability, and comes with several other new features and fixes.

Potential Authorization Bypass Vulnerability in the gmp Plugin (CVE-2018-16151, CVE-2018-16152)

A potential authorization bypass vulnerability in the gmp plugin was fixed. Several flaws in the plugin's verification of PKCS#1 v1.5 RSA signatures may allow Bleichenbacher-style low-exponent signature forgery, both for certificates and during IKE authentication. All strongSwan versions may be affected if the plugin is enabled and low-exponent RSA keys (i.e. with e=3) are in use.

More information is provided in a separate blog entry.
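The class of flaw described above is a verifier that walks over the PKCS#1 v1.5 padding and then checks only the hash bytes, instead of rebuilding the complete expected encoding and comparing it byte for byte. The following is an added example and is not strongSwan or gmp plugin code: it generates a small deterministic e=3 demo key (the Miller-Rabin generator, the seed and the message are all constructed for the example), signs a message, and then mints, with the legitimate private key, a structurally wrong encoding (only eight padding bytes, trailing filler) to show that a lenient parser accepts it while a strict verifier rejects it.

```python
"""Strict versus lenient PKCS#1 v1.5 signature verification (constructed example)."""
import hashlib
import hmac
import random

# DER prefix of the DigestInfo structure for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for a demo key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_key(bits=1024, e=3, seed=7):
    """Deterministic low-exponent RSA key for the demo (seeded, so every run agrees)."""
    random.seed(seed)

    def prime():
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if (c - 1) % e and _is_probable_prime(c):  # gcd(e, p-1) == 1 keeps e invertible
                return c

    p, q = prime(), prime()
    while q == p:
        q = prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def emsa_pkcs1_v15(digest, k):
    """EMSA-PKCS1-v1_5: 00 01 || at least 8 FF bytes || 00 || DigestInfo, exactly k bytes."""
    t = SHA256_DIGESTINFO_PREFIX + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def modlen(n):
    return (n.bit_length() + 7) // 8


def rsa_sign_em(n, d, em):
    """Raw RSA private-key operation on an already encoded message (used to mint test vectors)."""
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(modlen(n), "big")


def sign(n, d, msg):
    return rsa_sign_em(n, d, emsa_pkcs1_v15(hashlib.sha256(msg).digest(), modlen(n)))


def verify_strict(n, e, msg, sig):
    """Hardened check: rebuild the complete expected encoding and compare every byte."""
    k = modlen(n)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(hashlib.sha256(msg).digest(), k))


def verify_lenient(n, e, msg, sig):
    """Flawed pattern: scans over the padding, locates the DigestInfo, and ignores both the
    padding length and anything that follows the hash."""
    k = modlen(n)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if em[:2] != b"\x00\x01" or i >= k or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t


def malformed_em(msg, k):
    """Constructed encoding with only 8 padding bytes and trailing filler (structurally wrong)."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))


def demo():
    """Returns which verifier accepts which (constructed) signature."""
    n, e, d = make_key()
    msg = b"IKE_AUTH octets (constructed)"
    good = sign(n, d, msg)
    bad = rsa_sign_em(n, d, malformed_em(msg, modlen(n)))  # minted with the private key
    return {
        "strict_accepts_good": verify_strict(n, e, msg, good),
        "strict_rejects_bad": not verify_strict(n, e, msg, bad),
        "lenient_accepts_bad": verify_lenient(n, e, msg, bad),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the strict verifier never parses the decrypted block at all: it knows exactly what the encoding must look like for the given modulus length and hash, so any deviation in padding length or trailing bytes fails the comparison. That is the property a fixed verifier has to provide regardless of the public exponent.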

Software Inventory Message and Attributes (SWIMA) for PA-TNC

RFC 8412 "Software Inventory Message and Attributes (SWIMA) for PA-TNC" has been implemented. The SWIMA subscription option sets a CLOSE_WRITE trigger on the apt history.log file; when that file is written, a ClientRetry PB-TNC batch is sent to initiate a new measurement cycle. The new imv/imc-swima plugins replace the previous imv/imc-swid plugins, which were removed.

swanctl.conf and strongswan.conf Syntax Changes

Dots are no longer allowed in section names in swanctl.conf and strongswan.conf. This mainly affects the configuration of file loggers: if the path of such a log file contains dots, it now has to be configured in the new path setting within an arbitrarily named subsection of the filelog section.

Sections in these config files may now reference other sections, inheriting all settings and subsections of the referenced section. This makes it possible to simplify swanctl.conf, as redundant information has to be specified only once and can then be included in other sections (see the syntax documentation on strongswan.conf for an example).
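An added illustration of both syntax changes (this fragment is not part of the announcement or of the strongSwan documentation; the subsection name charon-log, the connection names gw-defaults and gw-b, the addresses, identities and certificate file names are all made up, and the referenced section is deliberately defined as a sibling in the same parent section): the old and the new way to configure a file logger whose path contains dots, and a swanctl.conf connection that inherits its settings from another section via the colon reference syntax.

```conf
# strongswan.conf: file logger whose path contains dots (example, not from the release)
#
# Before 5.7.0 the path itself was the section name, which is no longer accepted:
#
#   charon {
#       filelog {
#           /var/log/charon.log {
#               time_format = %b %e %T
#               default = 1
#           }
#       }
#   }
#
# 5.7.0 and later: choose any subsection name and put the path in the "path" setting.
charon {
    filelog {
        charon-log {
            path = /var/log/charon.log
            time_format = %b %e %T
            default = 1
        }
    }
}

# swanctl.conf: "gw-b : gw-defaults" inherits every setting and subsection of gw-defaults
# (version, local address, proposals, the whole local/remote/children subsections);
# the settings given directly in gw-b override what is inherited.
connections {
    gw-defaults {
        version = 2
        local_addrs = 192.0.2.1
        proposals = aes256-sha256-ecp256
        local {
            auth = pubkey
            certs = gwCert.pem
            id = gw.example.org
        }
        remote {
            auth = pubkey
        }
        children {
            net {
                local_ts = 10.1.0.0/16
                esp_proposals = aes256gcm16-ecp256
            }
        }
    }
    gw-b : gw-defaults {
        remote_addrs = 198.51.100.7
        remote {
            id = gw-b.example.org
        }
        children {
            net {
                remote_ts = 10.2.0.0/16
            }
        }
    }
}
```

Only the connection-specific values (remote address, remote identity, remote traffic selector) live in gw-b; everything shared comes from gw-defaults, so a change to the proposals has to be made in one place.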

Botan Crypto Library Plugin

The new botan plugin is a wrapper around the Botan C++ crypto library. It requires a fairly recent build from Botan's master branch (or the upcoming 2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz Cybersecurity for the initial patch and to Jack Lloyd for quickly adding missing functions to Botan's FFI (C89) interface.

Postquantum Preshared Keys for IKEv2 (PPK)

Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2) has been added. For an example refer to the swanctl/rw-cert-ppk scenario (or the variants of it using EAP or PSK authentication).
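An added swanctl.conf fragment (it is not taken from the announcement or from the rw-cert-ppk scenario; the connection name, address, identities, certificate file name and the PPK bytes are placeholders) showing the two places a PPK touches: the connection names the key via ppk_id and insists on it with ppk_required, and the key material itself is kept under secrets.ppks, using the setting names of swanctl.conf(5).

```conf
# swanctl.conf: client side of a certificate-authenticated connection that also uses a PPK
connections {
    rw-ppk {
        version = 2
        remote_addrs = 192.0.2.1
        proposals = aes256-sha256-ecp256
        local {
            auth = pubkey
            certs = clientCert.pem
            id = client-a.example.org
        }
        remote {
            auth = pubkey
            id = gw.example.org
        }
        # Name of the PPK to use; must match the id of an entry under secrets.ppks
        ppk_id = ppk-client-a
        # Fail the IKE_SA if the peer does not support or does not use the PPK
        ppk_required = yes
        children {
            net {
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-ecp256
            }
        }
    }
}

secrets {
    ppks {
        ppk-a {
            id = ppk-client-a
            # Constructed placeholder value; a real PPK is random and distributed out of band
            secret = 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
        }
    }
}
```

With ppk_required = yes a peer that has not been provisioned with the PPK cannot fall back to the plain exchange, which is the setting you want once every peer has the key; during rollout it is set to no so that peers can be migrated one at a time.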

Algorithm Proposal Matching for IKE Configs

The originally selected IKE config (based on the IPs and IKE version) can now change if no matching algorithm proposal is found. As a result, the order of the configs matters much less, and it is easy to specify separate configs for clients that require weaker algorithms (instead of also having to add those algorithms to other configs that might be selected).

New Linux Kernel IPsec Configuration Options

swanctl.conf supports the configuration of marks that the in- and/or outbound SA should apply to packets after processing on Linux. Configuring such a mark for outbound SAs requires at least a 4.14 kernel. The ability to set a mask and to configure a mark/mask for inbound SAs will be added with the upcoming 4.19 kernel.

Several other new options allow configuring how/whether DF, ECN and DS fields in the IP headers are copied during IPsec processing on Linux.
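An added child-section fragment (not from the announcement; the connection and child names, traffic selectors and mark values are made up) that puts the options described in the two paragraphs above in one place: set_mark_in and set_mark_out carry the mark, with an optional /mask suffix, that the inbound or outbound SA applies after processing, and copy_df, copy_ecn and copy_dscp control how the corresponding IP header fields are copied, using the setting names of swanctl.conf(5).

```conf
connections {
    gw-b {
        children {
            net {
                local_ts = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # Mark applied to packets after the outbound SA processed them
                # (Linux >= 4.14; the mask part needs the 4.19 kernel mentioned above)
                set_mark_out = 0x42/0xffffffff
                # Mark applied after inbound processing (needs the 4.19 kernel)
                set_mark_in = 0x43/0xffffffff
                # Copy the DF bit and ECN field from the inner to the outer header
                copy_df = yes
                copy_ecn = yes
                # Copy the DS field outbound only (inner to outer), never inbound
                copy_dscp = out
            }
        }
    }
}
```

The outbound marks are useful for routing or firewall rules that need to recognise traffic that has already been encrypted; keeping copy_dscp at out avoids letting an untrusted outer header rewrite the DS field of decrypted inner packets.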

Other Notable Features and Fixes
