Release and vulnerability announcements for strongSwan

strongSwan 5.9.12 Released

We are happy to announce the release of strongSwan 5.9.12, which fixes a vulnerability in charon-tkm, provides a new OCSP responder utility, adds a new certificate enrollment and renewal script, and comes with several other new features and fixes.

Vulnerability Related to Processing DH Public Values in charon-tkm (CVE-2023-41913)

A vulnerability in charon-tkm (the TKM-backed version of the charon IKE daemon) related to processing DH public values was fixed. Due to an unchecked memcpy() to a fixed-length buffer on the stack, this could lead to a buffer overflow and possibly remote code execution. All strongSwan versions since 5.3.0 are affected.

More information is provided in a separate blog entry.

OCSP Responder Utility

The new pki --ocsp command produces OCSP responses based on certificate status information provided by implementations of the new ocsp_responder_t interface.

Two sources are currently available, the openxpki plugin, which directly accesses an OpenXPKI database, and the command's --index argument, which reads certificate status information from OpenSSL-style index.txt files.

Multiple CAs are supported concurrently, which is showcased by the ocsp.cgi script in the ikev2-multi-ca/ocsp-signers test scenario.

Automated Certificate Enrollment and Renewal

The new cert-enroll script handles the initial enrollment of an X.509 host certificate with a PKI server via the EST or SCEP protocols. It's based on the corresponding pki --est|estca and pki --scep|scepca commands and has been tested extensively with an OpenXPKI server.

Run as a systemd timer or via a crontab entry, the script checks the expiration date of the host certificate daily. When a given deadline is reached, the host certificate is automatically renewed via EST or SCEP re-enrollment based on the possession of the old private key and the matching certificate.

The certifictes and keys are stored in /root/certificates, by default. To make them available for different services on the system, cert-enroll calls installation scripts.

Other Notable Features and Fixes

  • Loading of certificates with ECDSA public keys that explicitly encode the curve parameters is rejected by crypto plugins if possible.
  • The --priv argument for charon-cmd allows the use of any type of private key (previously, only RSA keys were supported).
  • The openssl plugin now supports the nameConstraints extension in X.509 certificates and nameConstraints of type iPAddress are now supported by the x509, openssl and constraints plugins.
  • Support for encoding subjectAlternativeName extensions of type uniformResourceIdentifier in X.509 certificates has been added via the uri: prefix (e.g. for URNs).
  • Support for password-less PKCS#12 and PKCS#8 files has been added.
  • The NetworkManager plugin (charon-nm) now actually uses the XFRM interface it creates since 5.9.10. The name of that interface can now also be controlled via connection.interface-name setting in the *.nmconnection file.
  • The resolve plugin tries to maintain the order of DNS servers it installs via resolvconf or resolv.conf.
  • The kernel-libipsec plugin now always installs routes to remote networks even if no address is found in the local traffic selectors, which allows forwarding traffic from networks the VPN host is not part of.
  • Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with unrelated traffic selectors.
  • Fixed an issue in watcher_t with handling errors on sockets (e.g. if the receive buffer is full), which caused an infinite loop if poll() only signaled POLLERR as event.
  • Fixed an issue in the IKE_SA_INIT tracking code that was added with 5.9.6, which did not correctly untrack invalid messages with non-zero message IDs or SPIs.
  • Fixed a regression introduced with 5.9.8 when handling IKE redirects during IKE_AUTH.
  • Fixed the encoding of the CHILD_SA_NOT_FOUND notify if a CHILD_SA is not found during rekeying. It was previously empty, now contains the SPI and sets the protocol to the values received in the REKEY_SA notify.

Download Complete Changelog