openSUSE: 2020:0403-1: moderate: strongswan
Description
This update for strongswan fixes the following issues:
Strongswan was updated to version 5.8.2 (jsc#SLE-11370).
Security issue fixed:
- CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1
RSASSA-PSS signatures that was caused by insufficient input validation
(bsc#1079548).
Full changelogs:
Version 5.8.2
* Identity-based CA constraints, which enforce that the certificate
chain of the remote peer contains a CA certificate with a specific
identity, are supported via vici/swanctl.conf. This is similar to the
existing CA constraints but doesn't require that the CA certificate is
locally installed, for instance, intermediate CA certificates received
from the peers. Wildcard identity matching (e.g. ..., OU=Research,
CN=*) could also be used for the latter but requires trust in the
intermediate CAs to only issue certificates with legitimate subject
DNs (e.g. the "Sales" CA must not issue certificates with
OU=Research). With the new constraint that's not necessary as long as
a path length basic constraint (--pathlen for pki --issue) prevents
intermediate CAs from issuing further intermediate CAs.
* Intermediate CA certificates may now be sent in hash-and-URL encoding
by configuring a base URL for the parent CA (#3234,
swanctl/rw-hash-and-url-multi-level).
* Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
based on AES-CTR and SHA2-HMAC modes. Currently used by the gmp and
ntru plugins.
* Random nonces sent in an OCSP requests are now expected in the
corresponding OCSP responses.
* The kernel-netlink plugin now ignores deprecated IPv6 addresses for
MOBIKE. Whether temporary
or permanent IPv6 addresses are included now depends on the
charon.prefer_temporary_addrs setting (#3192).
* Extended Sequence Numbers (ESN) are configured via PF_KEY if supported
by the kernel.
* The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now
cleared before sending requests, as many of the messages sent by the
kernel are sent as broadcasts to all PF_KEY sockets. This is an issue
if an external tool is used to manage SAs/policies unrelated to IPsec
(#3225).
* The vici plugin now uses unique section names for CHILD_SAs in
child-updown events (7c74ce9190).
* For individually deleted CHILD_SAs (in particular for IKEv1) the vici
child-updown event now includes more information about the CHILD_SAs
such as traffic statistics (#3198).
* Custom loggers are correctly re-registered if log levels are changed
via stroke loglevel (#3182).
* Avoid lockups during startup on low entropy systems when using OpenSSL
1.1.1 (095a2c2eac).
* Instead of failing later when setting a key, creating HMACs via
openssl plugin now fails instantly if the underlying hash algorithm
isn't supported (e.g. MD5 in FIPS-mode) so fallbacks to other plugins
work properly (#3284).
* Exponents of RSA keys read from TPM 2.0 via SAPI are correctly
converted (8ee1242f1438).
* Routing table IDs > 255 are supported for custom routes on Linux.
* To avoid races, the check for hardware offloading support in the
kernel-netlink plugin is performed during initialization of the plugin
(a605452c03).
* The D-Bus config file for charon-nm is now installed in
$(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d,
which is intended for sysadmin overrides. INVALID_MAJOR_VERSION
notifies are now correctly sent in messages of the same exchange type
and with the same message ID as the request.
* IKEv2 SAs are now immediately destroyed when sending or receiving
INVALID_SYNTAX notifies in authenticated messages.
* For developers working from the repository the configure script now
aborts if GNU gperf is not found.
Version 5.8.1
* RDNs in DNs of X.509 certificates can now optionally be matched less
strict. The global strongswan.conf option charon.rdn_matching takes
two alternative values that cause the matching algorithm to either
ignore the order of matched RDNs (reordered) or additionally (relaxed)
accept DNs that contain more RDNs than configured (unmatched RDNs are
treated like wildcard matches).
* The updown plugin now passes the same interface to the script that is
also used for the automatically installed routes, that is, the
interface over which the peer is reached instead of the interface on
which the local address is found (#3095).
* TPM 2.0 contexts are now protected by a mutex to prevent issues if
multiple IKE_SAs use the same private key concurrently (4b25885025).
* Do a rekey check after the third QM message was received (#3060).
* If available, explicit_bzero() is now used as memwipe() instead of our
own implementation.
* An .editorconfig file has been added, mainly so Github shows files
with proper indentation (68346b6962).
* The internal certificate of the load-tester plugin has been modified
so it can again be used as end-entity cert with 5.6.3 and later
(#3139).
* The maximum data length of received COOKIE notifies (64 bytes) is now
enforced (#3160).
Version 5.8.0
* The systemd service units have been renamed. The modern unit, which
was called strongswan-swanctl, is now called strongswan (the previous
name is configured as alias in the unit, for which a symlink is
created when the unit is enabled). The legacy unit is now called
strongswan-starter.
* Support for XFRM interfaces (available since Linux 4.19) has been
added, which are intended to replace VTI devices (they are similar but
offer several advantages, for instance, they are not bound to an
address or address family).
* IPsec SAs and policies are associated with such interfaces via
interface IDs that can be configured in swanctl.conf (dynamic IDs may
optionally be allocated for each SA and even direction). It's possible
to use separate interfaces for in- and outbound traffic (or
only use an interface in one direction and regular policies in the
other).
* Interfaces may be created dynamically via updown/vici scripts, or
statically before or after establishing the SAs. Routes must be added
manually as needed (the daemon will not install any routes for
outbound policies with an interface ID).
* When moving XFRM interfaces to other network namespaces they retain
access to the SAs and policies installed in the original namespace,
which allows providing IPsec tunnels for processes in other network
namespaces without giving them access to the IPsec keys or IKE
credentials. More information can be found on the page about
route-based VPNs.
* Initiation of childless IKE_SAs is supported (RFC 6023). If enabled
and supported by the responder, no CHILD_SA is established during
IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA
exchanges. This allows using a separate DH exchange even for the first
CHILD_SA, which is otherwise created during IKE_AUTH with keys derived
from the IKE_SA's key material.
* The swanctl --initiate command may be used to initiate only the IKE_SA
via --ike
option if --child is omitted and the peer supports this extension.
* The NetworkManager backend and plugin support IPv6.
* The new wolfssl plugin is a wrapper around the wolfSSL crypto library.
Thanks to Sean Parkinson of wolfSSL Inc. for the initial patch.
* IKE SPIs may optionally be labeled via the charon.spi_mask|label
options in strongswan.conf. This feature was extracted from
charon-tkm, however, now applies the mask/label in network order.
* The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL
1.1.0.
* The PB-TNC finite state machine according to section 3.2 of RFC 5793
was not correctly implemented when sending either a CRETRY or SRETRY
batch. These batches can only be sent in the "Decided" state and a
CRETRY batch can immediately carry all messages usually transported by
a CDATA batch. It is currently not possible to send a SRETRY batch
since full-duplex mode for PT-TLS transport is not supported.
* Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink
plugin now uses address labels to avoid that such addresses are used
for non-VPN traffic (00a953d090).
* The agent plugin now creates sockets to the ssh/gpg-agent dynamically
and does not keep them open, which otherwise might prevent the agent
from getting terminated.
* To avoid broadcast loops the forecast plugin now only reinjects
packets that are marked
or received from the configured interface.
* UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which
internally uses an UTF-16LE encoding to calculate the NT hash (#3014).
* Properly delete temporary drop policies (used when updating IP
addresses of SAs) if manual priorities are used, which was broken
since 5.6.2 (8e31d65730).
* Avoid overwriting start_action when parsing the inactivity timeout in
the vici plugin (#2954).
* Fixed the automatic termination of reloaded vici connections with
start_action=start, which was broken since 5.6.3 (71b22c250f).
* The lookup for shared secrets for IKEv1 SAs via sql plugin should now
work better (6ec9f68f32).
* Fixed a race condition in the trap manager between installation and
removal of a policy (69cbe2ca3f).
* The IPsec stack detection and module loading in starter has been
removed (it wasn't enforced anyway and loading modules doesn't seem
necessary, also KLIPS hasn't been supported for a long time and PF_KEY
will eventually be removed from the Linux kernel, ba817d2917).
* Several IKEv2 protocol details are now handled more strictly:
Unrequested virtual IPs are ignored, CFG_REPLY payloads are ignored if
no CFG_REQUEST payloads were sent, a USE TRANSPORT_MODE notify
received from the responder is checked against the local configuration.
* The keys and certificates used by the scenarios in the testing
environment are now generated dynamically. Running the
testing/scripts/build-certs script after creating the base and root
images uses the pki utility installed in the latter to create the keys
and certificates for all the CAs and in some cases for individual
scenarios. These credentials are stored in the source tree, not the
image, so this has to be called only once even if the images are later
rebuilt. The script automatically (re-)rebuilds the guest images as
that generates fresh CRLs and signs the DNS zones. The only
keys/certificates currently not generated are the very large ones used
by the ikev2/rw-eap-tls-fragments scenario.
Version 5.7.2
* For RSA with PSS padding, the TPM 2.0 specification mandates the
maximum salt length (as defined by the length of the key and hash).
However, if the TPM is FIPS-168-4 compliant, the salt length equals
the hash length. This is assumed for FIPS-140-2 compliant TPMs, but if
that's not the case, it might be necessary to manually enable
charon.plugins.tpm.fips_186_4 if the TPM doesn't use the maximum salt
length.
* Directories for credentials loaded by swanctl are now accessed
relative to the loaded swanctl.conf file, in particular, when loading
it from a custom location via --file argument.
* The base directory, which is used if no custom location for
swanctl.conf is specified, is now also configurable at runtime via
SWANCTL_DIR environment variable.
* If RADIUS Accounting is enabled, the eap-radius plugin will add the
session ID (Acct-Session-Id) to Access-Request messages, which e.g.
simplifies associating database entries for IP leases and accounting
with sessions (the session ID does not change when IKE_SAs are
rekeyed, #2853).
* All IP addresses assigned by a RADIUS server are included in
Accounting-Stop messages even if the client did not claim them,
allowing to release them early in case of connection errors (#2856).
* Selectors installed on transport mode SAs by the kernel-netlink plugin
are now updated if an IP address changes (e.g. via MOBIKE) and it was
part of the selectors.
* No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815).
* The bypass-lan plugin now tracks interfaces to handle subnets that
move from one interface to another and properly update associated
routes (#2820).
* Only valid and expected inbound IKEv2 messages are used to update the
timestamp of the last received message (previously, retransmits also
triggered an update).
* IKEv2 requests from responders are now ignored until the IKE_SA is
fully established (e.g. if a DPD request from the peer arrives before
the IKE_AUTH response does, 46bea1add9). Delayed IKE_SA_INIT responses
with COOKIE notifies we already recevied are ignored, they caused
another reset of the IKE_SA previously (#2837).
* Active and queued Quick Mode tasks are now adopted if the peer
reauthenticates an IKEv1 SA while creating lots of CHILD_SAs.
* Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension
to SADB_ACQUIRE messages, which allows the kernel-pfkey plugin to
determine the reqid of the policy even if it wasn't installed by the
daemon previously (e.g. when using FreeBSD's if_ipsec(4) VTIs, which
install policies themselves, 872b9b3e8d).
* Added support for RSA signatures with SHA-256 and SHA-512 to the agent
plugin. For older versions of ssh/gpg-agent that only support SHA-1,
IKEv2 signature authentication has to be disabled via
charon.signature_authentication.
* The sshkey and agent plugins support Ed25519/Ed448 SSH keys and
signatures.
* The openssl plugin supports X25519/X448 Diffie-Hellman and
Ed25519/Ed448 keys and signatures when built against OpenSSL 1.1.1.
* Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added
to the botan plugin.
* The mysql plugin now properly handles database connections with
transactions under heavy load (#2779).
* IP addresses in ha pools are now distributed evenly among all segments
(#2828).
* Private key implementations may optionally provide a list of supported
signature schemes, which, as described above, is used by the tpm
plugin because for each key on a TPM 2.0 the hash algorithm and for
RSA also the padding scheme is predefined.
* The testing environment is now based on Debian 9 (stretch) by default.
This required some changes, in particular, updating to FreeRADIUS 3.x
(which forced us to abandon the TNC@FHH patches and scenarios,
2fbe44bef3) and removing FIPS-enabled versions of OpenSSL (the FIPS
module only supports OpenSSL 1.0.2).
* Most test scenarios were migrated to swanctl.
Version 5.7.1
* Fixes a vulnerability in the gmp plugin triggered by crafted
certificates with RSA keys with very small moduli. When verifying
signatures with such keys, the code patched with the fix for
CVE-2018-16151/2 caused an integer underflow and subsequent heap
buffer overflow that results in a crash of the daemon.
* The vulnerability has been registered as CVE-2018-17540.
Version 5.7.0
* Fixes a potential authorization bypass vulnerability in the gmp plugin
that was caused by a too lenient verification of PKCS#1 v1.5
signatures. Several flaws could be exploited by a Bleichenbacher-style
attack to forge signatures for low-exponent keys (i.e. with e=3).
* CVE-2018-16151 has been assigned to the problem of accepting random
bytes after the OID
of the hash function in such signatures, and CVE-2018-16152 has been
assigned to the issue
of not verifying that the parameters in the ASN.1 algorithmIdentitifer
structure is empty. Other flaws that don't lead to a vulnerability
directly (e.g. not checking for at least 8 bytes of padding) have no
separate CVE assigned.
* Dots are not allowed anymore in section names in swanctl.conf and
strongswan.conf. This mainly affects the configuration of file
loggers. If the path for such a log file contains dots it now has to
be configured in the new path setting within the arbitrarily renamed
subsection in the filelog section.
* Sections in swanctl.conf and strongswan.conf may now reference other
sections. All settings and subsections from such a section are
inherited. This allows to simplify configs as redundant information
has only to be specified once and may then be included in other
sections (see strongswan.conf for an example).
* The originally selected IKE config (based on the IPs and IKE version)
can now change if no matching algorithm proposal is found. This way
the order of the configs doesn't matter that much anymore and it's
easily possible to specify separate configs for clients that require
weaker algorithms (instead of having to also add them in other configs
that might be selected).
* Support for Postquantum Preshared Keys for IKEv2
(draft-ietf-ipsecme-qr-ikev2) has been added. For an example refer to
the swanctl/rw-cert-ppk scenario (or with EAP, or PSK authentication).
* The new botan plugin is a wrapper around the Botan C++ crypto library.
It requires a fairly recent build from Botan's master branch (or the
upcoming 2.8.0 release). Thanks to René Korthaus and his team from
Rohde & Schwarz Cybersecurity for the initial patch and to Jack Lloyd
for quickly adding missing functions to Botan's FFI (C89) interface.
* Implementation of RFC 8412 "Software Inventory Message and Attributes
(SWIMA) for PA-TNC".
* SWIMA subscription option sets CLOSE_WRITE trigger on apt history.log
file resulting in a ClientRetry PB-TNC batch to initialize a new
measurement cycle. The new imv/imc-swima plugins replace the previous
imv/imc-swid plugins, which were removed.
* Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793)
NEA protocols
on Google's OSS-Fuzz infrastructure.
* Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The
presence of the in-kernel /dev/tpmrm0 resource manager is
automatically detected.
* The pki tool accepts a xmppAddr otherName as a subjectAlternativeName
using the syntax --san xmppaddr:
Patch
Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-403=1
Package List
- openSUSE Leap 15.1 (noarch): strongswan-doc-5.8.2-lp151.4.6.1 - openSUSE Leap 15.1 (x86_64): strongswan-5.8.2-lp151.4.6.1 strongswan-debuginfo-5.8.2-lp151.4.6.1 strongswan-debugsource-5.8.2-lp151.4.6.1 strongswan-hmac-5.8.2-lp151.4.6.1 strongswan-ipsec-5.8.2-lp151.4.6.1 strongswan-ipsec-debuginfo-5.8.2-lp151.4.6.1 strongswan-libs0-5.8.2-lp151.4.6.1 strongswan-libs0-debuginfo-5.8.2-lp151.4.6.1 strongswan-mysql-5.8.2-lp151.4.6.1 strongswan-mysql-debuginfo-5.8.2-lp151.4.6.1 strongswan-nm-5.8.2-lp151.4.6.1 strongswan-nm-debuginfo-5.8.2-lp151.4.6.1 strongswan-sqlite-5.8.2-lp151.4.6.1 strongswan-sqlite-debuginfo-5.8.2-lp151.4.6.1
References
https://www.suse.com/security/cve/CVE-2018-6459.html https://bugzilla.suse.com/1079548--