Releases: strongswan/strongswan

strongSwan 5.9.4

18 Oct 12:01
  • Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
    Please refer to our blog for details.
  • Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
    Please refer to our blog for details.
  • Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate created by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
  • AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
  • Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
  • Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
  • Loading SSH public keys via vici has been improved (#467).
  • Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data are properly wiped from memory.
  • Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
  • The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
  • libtpmtss is initialized in all programs and libraries that use it.
  • Migrated testing scripts to Python 3.
  • The testing environment uses images based on Debian bullseye by default (support for jessie was removed).

Refer to the 5.9.4 milestone for a list of all closed issues and pull requests.

strongSwan 5.9.3

06 Jul 12:53
  • Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl plugin.
  • Added AES-CCM support to the openssl plugin (#353).
  • The x509 and the openssl plugins now consider the authorityKeyIdentifier, if available, before verifying signatures, which avoids unnecessary signature verifications after a CA key rollover if both CA certificates are loaded. The openssl plugin now does the same also for CRLs (the x509 plugin already did).
  • The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which previously depended on a version check (6537be9).
  • The NetworkManager backend (charon-nm) now supports using SANs as client identities, not only full DNs (#437).
  • charon-tkm now handles IKE encryption.
  • Send a MOBIKE update again if a change in the NAT mappings is detected but the endpoints stay the same (e143a7d).
  • A deadlock in the HA plugin introduced with 5.9.2 has been fixed (#456).
  • DSCP values are now also set for NAT keepalives.
  • The ike_derived_keys() hook now receives more keys but in a different order (4e29d6f).
  • Converted most of the test case scenarios to the vici interface.

Refer to the 5.9.3 milestone for a list of all closed issues and pull requests.