strongSwan 5.9.6

  • The two main steps of the IKEv2 key derivation (PRF/prf+) have been modularized. In particular, prf+ is now provided by a plugin. This makes certification (e.g. FIPS-140) easier, as it allows implementing both steps via an already certified third-party library.

    For the most commonly used HMAC-based PRFs, the botan, openssl and wolfssl plugins implement the two steps via their respective implementations of RFC 5869's HKDF-Extract (KDF_PRF) and HKDF-Expand (KDF_PRF_PLUS). A default implementation, based on generic PRFs from other plugins, is provided by the new kdf plugin (may be disabled if one of the mentioned third-party plugins is loaded and none of the rarely used non-HMAC PRFs, AES-XCBC or AES-CMAC, are used).
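The equivalence this relies on, shown as an added example (not strongSwan code): RFC 7296 prf+ written out literally next to RFC 5869 HKDF-Extract/HKDF-Expand from the Python standard library, then used to derive IKE_SA key material for HMAC-SHA256 with AES-128. The nonces, SPIs and shared secret are constructed values.

```python
import hmac

HASH = "sha256"


def ikev2_prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 2.13: prf+(K,S) = T1|T2|..., T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        if n > 255:  # single-byte counter, as in the RFC
            raise ValueError("prf+ output limited to 255 blocks")
        prev = hmac.new(key, prev + seed + bytes([n]), HASH).digest()
        out += prev
        n += 1
    return out[:length]


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1 (what the release calls KDF_PRF): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2 (KDF_PRF_PLUS): T(n) = HMAC(PRK, T(n-1)|info|n), n from 1."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([n]), HASH).digest()
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(ni: bytes, nr: bytes, g_ir: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """SKEYSEED = prf(Ni|Nr, g^ir); keymat = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr) (RFC 7296 2.14)."""
    # prf(Ni|Nr, g^ir) is exactly HKDF-Extract with salt = Ni|Nr and IKM = g^ir.
    skeyseed = hkdf_extract(ni + nr, g_ir)
    # Key lengths for integ/prf HMAC-SHA256 (32) and encr AES-128 (16): 192 bytes total.
    sizes = [("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32), ("SK_ei", 16),
             ("SK_er", 16), ("SK_pi", 32), ("SK_pr", 32)]
    total = sum(s for _, s in sizes)
    keymat = hkdf_expand(skeyseed, ni + nr + spi_i + spi_r, total)
    # The literal prf+ must agree byte for byte with HKDF-Expand; otherwise the
    # plugin-provided KDF would derive different keys than the generic implementation.
    assert keymat == ikev2_prf_plus(skeyseed, ni + nr + spi_i + spi_r, total)
    keys, pos = {"SKEYSEED": skeyseed}, 0
    for name, size in sizes:
        keys[name], pos = keymat[pos:pos + size], pos + size
    return keys


# Constructed sample inputs (not real IKE traffic).
SAMPLE = derive_ike_keys(ni=b"\x11" * 32, nr=b"\x22" * 32, g_ir=b"\x33" * 32,
                         spi_i=bytes.fromhex("0102030405060708"),
                         spi_r=bytes.fromhex("090a0b0c0d0e0f10"))
```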

  • Support for labeled IPsec with IKEv2 (draft-ietf-ipsecme-labeled-ipsec) has been added. Two modes are currently supported:

    • SELinux: When building with --enable-selinux, support for SELinux labels is enabled and the selinux plugin is built. If SELinux is usable on the system, the negotiated labels are installed on IPsec SAs and policies. The configured label is expected to be a generic context (e.g. system_u:object_r:ipsec_spd_t:s0), which is installed on trap policies, either from the outset via start_action=trap, or dynamically by the selinux plugin after an IKE_SA has been established (e.g. in roadwarrior scenarios, in particular as responder). Once traffic hits such a policy and matches its context via association:polmatch, the kernel triggers an acquire with the actual label, for which a CHILD_SA is negotiated with the peer. A childless IKE_SA is created if the connection is not triggered by an acquire and no specific label is available. Labels received as responder are accepted if they match the configured label via association:polmatch.
    • Simple: This proprietary mode, which is the default if SELinux support is disabled or not available on the system, allows exchanging arbitrary labels to identify specific child configs on the peer. These labels are not configured on the IPsec SAs or policies but are simply used during CHILD_SA creation to aid config selection (an example can be seen in the ikev2/net2net-dscp scenario).
  • Denial of Service (DoS) protection has been improved:

    • The secrets used for generating COOKIE payloads are now switched based on a time limit (2 minutes) and not the previous usage limit (10'000 generated cookies). This avoids switching secrets multiple times a second under a heavy attack, preventing legitimate clients from successfully sending requests with valid cookies (they are valid for 10 seconds, by default).
    • So far, sending and requiring COOKIE payloads was triggered only by the total number of half-open IKE_SAs. Because that global threshold is higher than the per-IP block threshold (5 half-open IKE_SAs are allowed per IP, by default), it was possible for an attacker to block a legitimate user by sending spoofed IKE_SA_INIT packets from that user's IP. To prevent this, a new per-IP threshold has been added to trigger cookies (3 half-open IKE_SAs, by default). The default value for the global threshold has also been increased slightly (from 10 to 30).
    • Unprocessed but queued initial messages (IKE_SA_INIT for IKEv2) are now already counted as half-open IKE_SAs. This makes the thresholds more accurate so it isn't possible anymore for attackers to create thousands of jobs for packets from spoofed IP addresses before the daemon is able to process enough of them to create half-open IKE_SAs that would trigger the thresholds.
  • Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or dpd_action=restart). This does not prevent duplicates if they are initiated by the two peers concurrently.

  • It's now possible to combine trap and start in start_action (i.e. start_action=trap|start) to immediately initiate an SA for which trap policies are also installed.

  • Updates to reqids on policies are allowed again by the kernel-netlink plugin. The infamous error "unable to install policy ... for reqid ..., the same policy for reqid ... exists" is replaced by a simple warning should the reqid for a policy actually get updated.

  • Compatibility with OpenSSL 3.0 has been improved (9aa7e12). Providers are not unloaded anymore to avoid issues with atexit() handlers (#921).

  • The client identity (e.g. the IKE or EAP identity for EAP-TLS) is again enforced by libtls (#873).

  • If the source address is unknown when initiating an IKEv2 SA, a NAT situation is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing asymmetric enabling of UDP-encapsulation (#861).

  • Installing unnecessary exclude routes for VPN servers on FreeBSD is now avoided (#910).

  • The default AEAD ESP proposal (sent since 5.9.0) now includes noesn to make it standards-compliant (#868).

  • Missing alerts were added to the error-notify plugin (801bb85).

  • The new map_level option for syslog loggers allows mapping log levels (0..4) to syslog levels starting at the specified number (by default, all messages are logged with LOG_INFO).

  • The addrblock plugin allows limiting the validation depth of issuer addrblock extensions (e3d1766).

  • Individual CHILD_SAs can be queried via the list-sas() vici command (or swanctl --list-sas), either by unique ID or name.

  • For developers:

    • Plugins can provide the two IKEv2 key derivation steps (KDF_PRF/KDF_PRF_PLUS), see kdf.h for details.
    • ike_sa_t::initiate() now takes a struct with optional arguments (such as traffic selectors). The same is the case for similar data from acquires (changed the signatures for acquire() on the kernel_listener_t and kernel_interface_t interfaces).
    • The trap manager allows installing externally managed trap policies (see the selinux plugin for an example of how this could be used).
    • If dynamic traffic selectors are updated due to an address change, the reqid of a CHILD_SA now changes, in which case kernel_ipsec_t::update_sa() is called with new_reqid set in the kernel_ipsec_update_sa_t struct. If a kernel interface doesn't support this, NOT_SUPPORTED should be returned to trigger a rekeying.
    • The fourth argument for ENUM_FLAGS now indicates the name used when no flags are set (previously, (unset) was used for all flag enums). Flags can now also be parsed via enum_flags_from_string() (expects the flags separated by |).

Refer to the 5.9.6 milestone for a list of all closed issues and pull requests.
