Lucene search

HistoryMar 29, 2020 - 12:00 a.m.

Security update for strongswan (moderate)






An update that fixes one vulnerability is now available.


This update for strongswan fixes the following issues:

Strongswan was updated to version 5.8.2 (jsc#SLE-11370).

Security issue fixed:

  • CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1
    RSASSA-PSS signatures that was caused by insufficient input validation

Full changelogs:

Version 5.8.2

 * Identity-based CA constraints, which enforce that the certificate
   chain of the remote peer contains a CA certificate with a specific
   identity, are supported via vici/swanctl.conf. This is similar to the
   existing CA constraints but doesn't require that the CA certificate is
   locally installed, for instance, intermediate CA certificates received
   from the peers. Wildcard identity matching (e.g. ..., OU=Research,
   CN=*) could also be used for the latter but requires trust in the
   intermediate CAs to only issue certificates with legitimate subject
   DNs (e.g. the "Sales" CA must not issue certificates with
   OU=Research). With the new constraint that's not necessary as long as
   a path length basic constraint (--pathlen for pki --issue) prevents
   intermediate CAs from issuing further intermediate CAs.
 * Intermediate CA certificates may now be sent in hash-and-URL encoding
   by configuring a base URL for the parent CA (#3234,
 * Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
   based on AES-CTR and SHA2-HMAC modes. Currently used by the gmp and
   ntru plugins.
 * Random nonces sent in an OCSP requests are now expected in the
   corresponding OCSP responses.
 * The kernel-netlink plugin now ignores deprecated IPv6 addresses for
   MOBIKE. Whether temporary
   or permanent IPv6 addresses are included now depends on the
    charon.prefer_temporary_addrs setting (#3192).
 * Extended Sequence Numbers (ESN) are configured via PF_KEY if supported
   by the kernel.
 * The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now
   cleared before sending requests, as many of the messages sent by the
   kernel are sent as broadcasts to all PF_KEY sockets. This is an issue
   if an external tool is used to manage SAs/policies unrelated to IPsec
 * The vici plugin now uses unique section names for CHILD_SAs in
   child-updown events (7c74ce9190).
 * For individually deleted CHILD_SAs (in particular for IKEv1) the vici
   child-updown event now includes more information about the CHILD_SAs
   such as traffic statistics (#3198).
 * Custom loggers are correctly re-registered if log levels are changed
   via stroke loglevel (#3182).
 * Avoid lockups during startup on low entropy systems when using OpenSSL
   1.1.1 (095a2c2eac).
 * Instead of failing later when setting a key, creating HMACs via
   openssl plugin now fails instantly if the underlying hash algorithm
   isn't supported (e.g. MD5 in FIPS-mode) so fallbacks to other plugins
   work properly (#3284).
 * Exponents of RSA keys read from TPM 2.0 via SAPI are correctly
   converted (8ee1242f1438).
 * Routing table IDs > 255 are supported for custom routes on Linux.
 * To avoid races, the check for hardware offloading support in the
   kernel-netlink plugin is performed during initialization of the plugin
 * The D-Bus config file for charon-nm is now installed in
   $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d,
   which is intended for sysadmin overrides. INVALID_MAJOR_VERSION
   notifies are now correctly sent in messages of the same exchange type
   and with the same message ID as the request.
 * IKEv2 SAs are now immediately destroyed when sending or receiving
   INVALID_SYNTAX notifies in authenticated messages.
 * For developers working from the repository the configure script now
   aborts if GNU gperf is not found.

Version 5.8.1

 * RDNs in DNs of X.509 certificates can now optionally be matched less
   strict. The global strongswan.conf option charon.rdn_matching takes
   two alternative values that cause the matching algorithm to either
   ignore the order of matched RDNs (reordered) or additionally (relaxed)
   accept DNs that contain more RDNs than configured (unmatched RDNs are
   treated like wildcard matches).
 * The updown plugin now passes the same interface to the script that is
   also used for the automatically installed routes, that is, the
   interface over which the peer is reached instead of the interface on
   which the local address is found (#3095).
 * TPM 2.0 contexts are now protected by a mutex to prevent issues if
   multiple IKE_SAs use the same private key concurrently (4b25885025).
 * Do a rekey check after the third QM message was received (#3060).
 * If available, explicit_bzero() is now used as memwipe() instead of our
   own implementation.
 * An .editorconfig file has been added, mainly so Github shows files
   with proper indentation (68346b6962).
 * The internal certificate of the load-tester plugin has been modified
   so it can again be used as end-entity cert with 5.6.3 and later
 * The maximum data length of received COOKIE notifies (64 bytes) is now
   enforced (#3160).

Version 5.8.0

 * The systemd service units have been renamed. The modern unit, which
   was called strongswan-swanctl, is now called strongswan (the previous
   name is configured as alias in the unit, for which a symlink is
   created when the unit is enabled). The legacy unit is now called
 * Support for XFRM interfaces (available since Linux 4.19) has been
   added, which are intended to replace VTI devices (they are similar but
   offer several advantages, for instance, they are not bound to an
   address or address family).
 * IPsec SAs and policies are associated with such interfaces via
   interface IDs that can be configured in swanctl.conf (dynamic IDs may
   optionally be allocated for each SA and even direction). It's possible
   to use separate interfaces for in- and outbound traffic (or
   only use an interface in one direction and regular policies in the
 * Interfaces may be created dynamically via updown/vici scripts, or
   statically before or after establishing the SAs. Routes must be added
   manually as needed (the daemon will not install any routes for
   outbound policies with an interface ID).
 * When moving XFRM interfaces to other network namespaces they retain
   access to the SAs and policies installed in the original namespace,
   which allows providing IPsec tunnels for processes in other network
   namespaces without giving them access to the IPsec keys or IKE
   credentials. More information can be found on the page about
   route-based VPNs.
 * Initiation of childless IKE_SAs is supported (RFC 6023). If enabled
   and supported by the responder, no CHILD_SA is established during
   IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA
   exchanges. This allows using a separate DH exchange even for the first
   CHILD_SA, which is otherwise created during IKE_AUTH with keys derived
   from the IKE_SA's key material.
 * The swanctl --initiate command may be used to initiate only the IKE_SA
   via --ike
   option if --child is omitted and the peer supports this extension.
 * The NetworkManager backend and plugin support IPv6.
 * The new wolfssl plugin is a wrapper around the wolfSSL crypto library.
   Thanks to Sean Parkinson of wolfSSL Inc. for the initial patch.
 * IKE SPIs may optionally be labeled via the charon.spi_mask|label
   options in strongswan.conf. This feature was extracted from
   charon-tkm, however, now applies the mask/label in network order.
 * The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL
 * The PB-TNC finite state machine according to section 3.2 of RFC 5793
   was not correctly implemented when sending either a CRETRY or SRETRY
   batch. These batches can only be sent in the "Decided" state and a
   CRETRY batch can immediately carry all messages usually transported by
   a CDATA batch. It is currently not possible to send a SRETRY batch
   since full-duplex mode for PT-TLS transport is not supported.
 * Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink
   plugin now uses address labels to avoid that such addresses are used
   for non-VPN traffic (00a953d090).
 * The agent plugin now creates sockets to the ssh/gpg-agent dynamically
   and does not keep them open, which otherwise might prevent the agent
   from getting terminated.
 * To avoid broadcast loops the forecast plugin now only reinjects
   packets that are marked
   or received from the configured interface.
 * UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which
   internally uses an UTF-16LE encoding to calculate the NT hash (#3014).
 * Properly delete temporary drop policies (used when updating IP
   addresses of SAs) if manual priorities are used, which was broken
   since 5.6.2 (8e31d65730).
 * Avoid overwriting start_action when parsing the inactivity timeout in
   the vici plugin (#2954).
 * Fixed the automatic termination of reloaded vici connections with
   start_action=start, which was broken since 5.6.3 (71b22c250f).
 * The lookup for shared secrets for IKEv1 SAs via sql plugin should now
   work better (6ec9f68f32).
 * Fixed a race condition in the trap manager between installation and
   removal of a policy (69cbe2ca3f).
 * The IPsec stack detection and module loading in starter has been
   removed (it wasn't enforced anyway and loading modules doesn't seem
   necessary, also KLIPS hasn't been supported for a long time and PF_KEY
   will eventually be removed from the Linux kernel, ba817d2917).
 * Several IKEv2 protocol details are now handled more strictly:
   Unrequested virtual IPs are ignored, CFG_REPLY payloads are ignored if
   no CFG_REQUEST payloads were sent, a USE TRANSPORT_MODE notify
   received from the responder is checked against the local configuration.
 * The keys and certificates used by the scenarios in the testing
   environment are now generated dynamically. Running the
   testing/scripts/build-certs script after creating the base and root
   images uses the pki utility installed in the latter to create the keys
   and certificates for all the CAs and in some cases for individual
   scenarios. These credentials are stored in the source tree, not the
   image, so this has to be called only once even if the images are later
   rebuilt. The script automatically (re-)rebuilds the guest images as
   that generates fresh CRLs and signs the DNS zones. The only
   keys/certificates currently not generated are the very large ones used
   by the ikev2/rw-eap-tls-fragments scenario.

Version 5.7.2

 * For RSA with PSS padding, the TPM 2.0 specification mandates the
   maximum salt length (as defined by the length of the key and hash).
   However, if the TPM is FIPS-168-4 compliant, the salt length equals
   the hash length. This is assumed for FIPS-140-2 compliant TPMs, but if
   that's not the case, it might be necessary to manually enable
   charon.plugins.tpm.fips_186_4 if the TPM doesn't use the maximum salt
 * Directories for credentials loaded by swanctl are now accessed
   relative to the loaded swanctl.conf file, in particular, when loading
   it from a custom location via --file argument.
 * The base directory, which is used if no custom location for
   swanctl.conf is specified, is now also configurable at runtime via
   SWANCTL_DIR environment variable.
 * If RADIUS Accounting is enabled, the eap-radius plugin will add the
   session ID (Acct-Session-Id) to Access-Request messages, which e.g.
   simplifies associating database entries for IP leases and accounting
   with sessions (the session ID does not change when IKE_SAs are
   rekeyed, #2853).
 * All IP addresses assigned by a RADIUS server are included in
   Accounting-Stop messages even if the client did not claim them,
   allowing to release them early in case of connection errors (#2856).
 * Selectors installed on transport mode SAs by the kernel-netlink plugin
   are now updated if an IP address changes (e.g. via MOBIKE) and it was
   part of the selectors.
 * No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815).
 * The bypass-lan plugin now tracks interfaces to handle subnets that
   move from one interface to another and properly update associated
   routes (#2820).
 * Only valid and expected inbound IKEv2 messages are used to update the
   timestamp of the last received message (previously, retransmits also
   triggered an update).
 * IKEv2 requests from responders are now ignored until the IKE_SA is
   fully established (e.g. if a DPD request from the peer arrives before
   the IKE_AUTH response does, 46bea1add9). Delayed IKE_SA_INIT responses
   with COOKIE notifies we already recevied are ignored, they caused
   another reset of the IKE_SA previously (#2837).
 * Active and queued Quick Mode tasks are now adopted if the peer
   reauthenticates an IKEv1 SA while creating lots of CHILD_SAs.
 * Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension
   to SADB_ACQUIRE messages, which allows the kernel-pfkey plugin to
   determine the reqid of the policy even if it wasn't installed by the
   daemon previously (e.g. when using FreeBSD's if_ipsec(4) VTIs, which
   install policies themselves, 872b9b3e8d).
 * Added support for RSA signatures with SHA-256 and SHA-512 to the agent
   plugin. For older versions of ssh/gpg-agent that only support SHA-1,
   IKEv2 signature authentication has to be disabled via
 * The sshkey and agent plugins support Ed25519/Ed448 SSH keys and
 * The openssl plugin supports X25519/X448 Diffie-Hellman and
   Ed25519/Ed448 keys and signatures when built against OpenSSL 1.1.1.
 * Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added
   to the botan plugin.
 * The mysql plugin now properly handles database connections with
   transactions under heavy load (#2779).
 * IP addresses in ha pools are now distributed evenly among all segments
 * Private key implementations may optionally provide a list of supported
   signature schemes, which, as described above, is used by the tpm
   plugin because for each key on a TPM 2.0 the hash algorithm and for
   RSA also the padding scheme is predefined.
 * The testing environment is now based on Debian 9 (stretch) by default.
   This required some changes, in particular, updating to FreeRADIUS 3.x
   (which forced us to abandon the TNC@FHH patches and scenarios,
   2fbe44bef3) and removing FIPS-enabled versions of OpenSSL (the FIPS
   module only supports OpenSSL 1.0.2).
 * Most test scenarios were migrated to swanctl.

Version 5.7.1

 * Fixes a vulnerability in the gmp plugin triggered by crafted
   certificates with RSA keys with very small moduli. When verifying
   signatures with such keys, the code patched with the fix for
   CVE-2018-16151/2 caused an integer underflow and subsequent heap
   buffer overflow that results in a crash of the daemon.
 * The vulnerability has been registered as CVE-2018-17540.

Version 5.7.0

 * Fixes a potential authorization bypass vulnerability in the gmp plugin
   that was caused by a too lenient verification of PKCS#1 v1.5
   signatures. Several flaws could be exploited by a Bleichenbacher-style
   attack to forge signatures for low-exponent keys (i.e. with e=3).
 * CVE-2018-16151 has been assigned to the problem of accepting random
   bytes after the OID
   of the hash function in such signatures, and CVE-2018-16152 has been
    assigned to the issue
   of not verifying that the parameters in the ASN.1 algorithmIdentitifer
    structure is empty. Other flaws that don't lead to a vulnerability
    directly (e.g. not checking for at least 8 bytes of padding) have no
    separate CVE assigned.
 * Dots are not allowed anymore in section names in swanctl.conf and
   strongswan.conf. This mainly affects the configuration of file
   loggers. If the path for such a log file contains dots it now has to
   be configured in the new path setting within the arbitrarily renamed
   subsection in the filelog section.
 * Sections in swanctl.conf and strongswan.conf may now reference other
   sections. All settings and subsections from such a section are
   inherited. This allows to simplify configs as redundant information
   has only to be specified once and may then be included in other
   sections (see strongswan.conf for an example).
 * The originally selected IKE config (based on the IPs and IKE version)
   can now change if no matching algorithm proposal is found. This way
   the order of the configs doesn't matter that much anymore and it's
   easily possible to specify separate configs for clients that require
   weaker algorithms (instead of having to also add them in other configs
   that might be selected).
 * Support for Postquantum Preshared Keys for IKEv2
   (draft-ietf-ipsecme-qr-ikev2) has been added. For an example refer to
   the swanctl/rw-cert-ppk scenario (or with EAP, or PSK authentication).
 * The new botan plugin is a wrapper around the Botan C++ crypto library.
   It requires a fairly recent build from Botan's master branch (or the
   upcoming 2.8.0 release). Thanks to René Korthaus and his team from
   Rohde & Schwarz Cybersecurity for the initial patch and to Jack Lloyd
   for quickly adding missing functions to Botan's FFI (C89) interface.
 * Implementation of RFC 8412 "Software Inventory Message and Attributes
   (SWIMA) for PA-TNC".
 * SWIMA subscription option sets CLOSE_WRITE trigger on apt history.log
   file resulting in a ClientRetry PB-TNC batch to initialize a new
   measurement cycle. The new imv/imc-swima plugins replace the previous
   imv/imc-swid plugins, which were removed.
 * Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793)
   NEA protocols
   on Google's OSS-Fuzz infrastructure.
 * Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The
   presence of the in-kernel /dev/tpmrm0 resource manager is
   automatically detected.
 * The pki tool accepts a xmppAddr otherName as a subjectAlternativeName
   using the syntax --san xmppaddr:<jid>.
 * swanctl.conf supports the configuration of marks the in- and/or
   outbound SA should apply to packets after processing on Linux.
   Configuring such a mark for outbound SAs requires at least a 4.14
   kernel. The ability to set a mask and configuring a mark/mask for
   inbound SAs will be added with the upcoming 4.19 kernel.
 * New options in swanctl.conf allow configuring how/whether DF, ECN and
   DS fields in the IP headers are copied during IPsec processing.
   Controlling this is currently only possible
   on Linux.
 * The handling of sequence numbers in IKEv1 DPDs has been improved
 * To avoid conflicts, the dhcp plugin now only uses the DHCP server port
   if explicitly configured.

Version 5.6.3

 * Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl
   plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF. This
   vulnerability has been registered as CVE-2018-10811.
 * Fixed a vulnerability in the stroke plugin, which did not check the
   received length before reading a message from the socket. Unless a
   group is configured, root privileges are required to access that
   socket, so in the default configuration this shouldn't be an issue.
   This vulnerability has been registered as CVE-2018-5388.
 * CRLs that are not yet valid are now ignored to avoid problems in
   scenarios where expired certificates are removed from new CRLs and the
   clock on the host doing the revocation check is trailing behind that
   of the host issuing CRLs. Not doing this could result in accepting a
   revoked and expired certificate, if it's still valid according to the
   trailing clock but not contained anymore in not yet valid CRLs.
 * The issuer of fetched CRLs is now compared to the issuer of the
   checked certificate (#2608).
 * CRL validation results other than revocation (e.g. a skipped check
   because the CRL couldn't be fetched) are now stored also for
   intermediate CA certificates and not only for end-entity certificates,
   so a strict CRL policy can be enforced in such cases.
 * In compliance with RFC 4945, section, certificates used for
   IKE must now either not contain a keyUsage extension (like the ones
   generated by pki), or have at least one of the digitalSignature or
   nonRepudiation bits set.
 * New options for vici/swanctl allow forcing the local termination of an
   IKE_SA. This might be useful in situations where it's known the other
   end is not reachable anymore, or that it already removed the IKE_SA,
   so retransmitting a DELETE and waiting for a response would be
 * Waiting only a certain amount of time for a response (i.e. shorter
   than all retransmits would be) before destroying the IKE_SA is also
   possible by additionally specifying a timeout in the forced
   termination request.
 * When removing routes, the kernel-netlink plugin now checks if it
   tracks other routes for the same destination and replaces the
   installed route instead of just removing it. Same during installation,
   where existing routes previously weren't replaced. This should allow
   using traps with virtual IPs on Linux (#2162).
 * The dhcp plugin now only sends the client identifier DHCP option if
   the identity_lease setting is enabled (7b660944b6). It can also send
   identities of up to 255 bytes length, instead of the previous 64 bytes
   (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP
   requests are now sent from port 67 instead of 68 to avoid ICMP port
   unreachables (becf027cd9).
 * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
   containing a DH group that wasn't proposed) during CREATE_CHILD_SA
   exchanges has been improved (#2536).
 * Roam events are now completely ignored for IKEv1 SAs (there is no
   MOBIKE to handle such changes properly).
 * ChaCha20/Poly1305 is now correctly proposed without key length
   (#2614). For compatibility with
   older releases the chacha20poly1305compat keyword may be included in
    proposals to also propose the algorithm with a key length
 * Configuration of hardware offload of IPsec SAs is now more flexible
   and allows a new setting (auto), which automatically uses it if the
   kernel and device both support it. If hw
   offload is set to yes and offloading is not supported, the CHILD_SA
    installation now fails.
 * The kernel-pfkey plugin optionally installs routes via internal
   interface (one with an IP in the local traffic selector). On FreeBSD,
   enabling this selects the correct source IP when sending packets from
   the gateway itself (e811659323).
 * SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL
   1.1 (#2574).
 * The pki --verify tool may load CA certificates and CRLs from
 * The IKE daemon now also switches to port 4500 if the remote port is
   not 500 (e.g. because the remote maps the response to a different
   port, as might happen on Azure), as long as the local port is 500
 * Fixed an issue with DNS servers passed to NetworkManager in charon-nm
 * Logged traffic selectors now always contain the protocol if either
   protocol or port are set (a36d8097ed).
 * Only the inbound SA/policy will be updated as reaction to IP address
   changes for rekeyed CHILD_SAs that are kept around.
 * The parser for strongswan.conf/swanctl.conf now accepts = characters
   in values without having to put the value in quotes (e.g. for Base64
   encoded shared secrets).

   Notes for developers:
   * trap_manager_t: Trap policies are now unistalled by peer/child name
     and not the reqid.
   * No reqid is returned anymore when installing trap policies.
   * child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that
     have been deleted but not yet destroyed (after a rekeying CHILD_SAs
     are kept around for a while to process delayed packets). This way
     child_updown events are not triggered anymore for such SAs when an
     IKE_SA that has such CHILD_SAs assigned is deleted.

Version 5.6.2

 * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
   signatures that was caused by insufficient input validation. One of
   the configurable parameters in algorithm identifier structures for
   RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1
   is currently specified for this purpose. However, this in turn takes
   itself a parameter that specifies the underlying hash function.
   strongSwan's parser did not correctly handle the case of this
   parameter being absent, causing an undefined data read. This
   vulnerability has been registered as CVE-2018-6459.
 * When rekeying IKEv2 IKE_SAs the previously negotiated DH group will be
   reused, instead of using the first configured group, which avoids an
   additional exchange if the peer previously selected a different DH
   group via INVALID_KE_PAYLOAD notify. The same is also done when
   rekeying CHILD_SAs except for the first rekeying of the CHILD_SA that
   was created with the IKE_SA, where no DH group was negotiated yet.
   Also, the selected DH group is moved to the front in all sent
   proposals that contain it and all proposals that don't are moved to
   the back in order to convey the preference for this group to the peer.
 * Handling of MOBIKE task queuing has been improved. In particular, the
   response to an address update (with NAT-D payloads) is not ignored
   anymore if only an address list update
   or DPD is queued as that could prevent updating the UDP encapsulation
    in the kernel.
 * On Linux, roam events may optionally be triggered by changes to the
   routing rules, which can be useful if routing rules (instead of e.g.
   route metrics) are used to switch from one to another interface (i.e.
   from one to another routing table). Since routing rules are currently
   not evaluated when doing route lookups this is only useful if the
   kernel-based route lookup is used (4664992f7d).
 * The fallback drop policies installed to avoid traffic leaks when
   replacing addresses in installed policies are now replaced by
   temporary drop policies, which also prevent acquires because we
   currently delete and reinstall IPsec SAs to update their addresses
 * Access X.509 certificates held in non-volatile storage of a TPM 2.0
   referenced via the NV index. Adding the --keyid parameter to pki
   --print allows to print private keys or certificates stored in a
   smartcard or a TPM 2.0.
 * Fixed proposal selection if a peer incorrectly sends DH groups in the
   ESP proposal during IKE_AUTH and also if a DH group is configured in
   the local ESP proposal and charon.prefer configured_proposals is
   disabled (d058fd3c32).
 * The lookup for PSK secrets for IKEv1 has been improved for certain
   scenarios (see #2497 for details).
 * MSKs received via RADIUS are now padded to 64 bytes to avoid
   compatibility issues with EAP-MSCHAPv2 and PRFs that have a block size
   < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
 * The tpm_extendpcr command line tool extends a digest into a TPM PCR.
 * Ported the NetworkManager backend from the deprecated libnm-glib to
 * The save-keys debugging/development plugin saves IKE and/or ESP keys
   to files compatible with Wireshark.

Version 5.6.1

 * Several algorithms were removed from the default ESP/AH and IKE
   proposals in compliance with RFC 8221 and RFC 8247, respectively.
   Removed from the default ESP/AH proposal were the 3DES and Blowfish
   encryption algorithms and the HMAC-MD5 integrity algorithm. From the
   IKE default proposal the HMAC-MD5 integrity algorithm and the
   MODP-1024 Diffie-Hellman group were removed (the latter is significant
   for Windows clients in their default configuration). These algorithms
   may still be used in custom proposals.
 * Support for RSASSA-PSS signatures has been added. For compatibility
   with previous releases they are currently not used automatically, by
   default, to change that charon.rsa_pss may be enabled. To explicitly
   use or require such signatures during IKEv2 signature authentication
   (RFC 7427) ike:rsa/pss... authentication constraints may be used for
   specific connections (regardless of whether the strongswan.conf option
   above is enabled). Only the hash algorithm can be specified in such
   constraints, the MGF1 will be based on that hash and the salt length
   will equal the hash length (when verifying the salt length is not
   enforced). To enforce such signatures during PKI verification use
   rsa/pss... authentication constraints.
 * All pki commands that create certificates/CRLs can be made to sign
   with RSASSA-PSS instead
   of the classing PKCS#1 scheme with the --rsa-padding pss option. As
    with signatures during authentication, only the hash algorithm is
    configurable (via --digest option), the MGF1 will be based on that
    and the salt length will equal the hash length.
 * These signatures are supported by all RSA backends except pkcs11 (i.e.
   gmp, gcrypt, openssl). The gmp plugin requires the mgf1 plugin. Note
   that RSASSA-PSS algorithm identifiers and parameters in keys (public
   keys in certificates or private keys in PKCS#8 files) are currently
   not used as constraints.
 * The sec-updater tool checks for security updates in dpkg-based
   repositories (e.g. Debian/Ubuntu) and sets the security flags in the
   IMV policy database accordingly. Additionally for each new package
   version a SWID tag for the given OS and HW architecture is created and
   stored in the database.
 * Using the script template the lookup can be automated
   (e.g. via an hourly cron job).
 * When restarting an IKEv2 negotiation after receiving an
   INVALID_KE_PAYLOAD notify (or due to other reasons like too many
   retransmits) a new initiator SPI is allocated. This prevents issues
   caused by retransmits for IKE_SA_INIT messages.
 * Because the initiator SPI was previously reused when restarting the
   connection delayed responses for previous connection attempts were
   processed and might have caused fatal errors due to a failed DH
   negotiation or because of the internal retry counter in the ike-init
   task. For instance, if we proposed a DH group the responder rejected
   we might have later received delayed responses that either contained
   INVALID_KE_PAYLOAD notifies with the DH group we already switched to,
   or, if we retransmitted an IKE_SA_INIT with the requested group but
   then had to restart again, a KE payload with a group different from
   the one we proposed.
 * The introduction of file versions in the IMV database scheme broke
   file reference hash measurements. This has been fixed by creating
   generic product versions having an empty package name.
 * A new timeout option for the systime-fix plugin stops periodic system
   time checks after a while and enforces a certificate verification,
   closing or reauthenticating all SAs with invalid certificates.
 * The IKE event counters, previously only available via ipsec
   listcounters command, may now also be queried and reset via vici and
   the new swanctl --counters command. They are collected and provided by
   the optional counters plugin (enabled by default for backwards
   compatibility if the stroke plugin is built).
 * Class attributes received in RADIUS Access-Accept messages may
   optionally be added to RADIUS accounting messages (655924074b).
 * Basic support for systemd sockets has been added, which may be used
   for privilege separation (59db98fb94).
 * Inbound marks may optionally be installed in the SA again (was removed
   with 5.5.2) by enabling the mark_in_sa option in swanctl.conf.
 * The timeout of leases in pools configured via pool utility may be
   configured in other units than hours. INITIAL_CONTACT notifies are now
   only omitted if never is configured as uniqueness policy.
 * Outbound FWD policies for shunts are not installed anymore, by default
   (as is the case for other policies since 5.5.1).
 * Don't consider a DH group mismatch during CHILD_SA rekeying as failure
   as responder (e7276f78aa).
 * Handling of fragmented IPv4 and IPv6 packets in libipsec has been
   improved (e138003de9).
 * Trigger expire events for the correct IPsec SA in libipsec
 * A crash in CRL verification via openssl plugin using OpenSSL 1.1 has
   been fixed (78acaba6a1).
 * No hard-coded default proposals are passed from starter to the stroke
   plugin anymore (the IKE proposal used curve25519 since 5.5.2, which is
   an optional plugin).
 * A workaround for an issue with virtual IPs on macOS 10.13 (High
   Sierra) has been added (039b85dd43).
 * Handling of IKE_SA rekey collisions in charon-tkm has been fixed.
 * Instead of failing or just silently doing nothing unit tests may now
   warn about certain conditions (e.g. if a test was not executed due to
   external dependencies).

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2020-403=1

openSUSE Leap15.1noarch< - openSUSE Leap 15.1 (noarch):- openSUSE Leap 15.1 (noarch):.noarch.rpm
openSUSE Leap15.1x86_64< - openSUSE Leap 15.1 (x86_64):- openSUSE Leap 15.1 (x86_64):.x86_64.rpm