NCL-2292 - Upgrade strongswan to 5.9.6 #5
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ions RFC3779 requires to validate the addrblocks of issuer certificates strictly, that is, they must contain the extension and the claimed addrblock, up to the root CA. When working with third party root CAs that do not have the extension, this makes using the plugin impossible. So add a depth setting that limits the number of issuer certificates to check bottom-up towards the root CA. A depth value of 0 disables any issuer check, the default value of -1 checks all issuers in the chain, keeping the existing behavior. Closes strongswan#860
… levels strongSwan logs all syslog messages using LOG_INFO for historical reasons, regardless of the strongSwan loglevel used producing the log message. In some setups with advanced logging infrastructure, it may be feasible to be more verbose when logging in strongSwan, but then filter messages on the syslog server. While this may be possible by custom syslog filtering rules matching the log level included with the log_level setting, this is not super convenient. So add a new map_level setting, which can map strongSwan loglevels to syslog loglevels. By default this is disabled, keeping the existing behavior. If enabled, it maps strongSwan loglevels to syslog loglevels at a given syslog loglevel offset. Closes strongswan#859
The commit mentioned below adds an AES-GCM default proposal for ESP. That proposal does not include any ESN or non-ESN transform to indicate if extended sequence numbers are supported. A standards-compliant peer will include one or more ESN support transforms, and will be unable to select this proposal due to a proposal mismatch. Fix the default AES-GCM proposal by adding a NO_ESN algorithm. While ESN has been supported in the Linux kernel for a while, having it in the default proposal can be problematic with kernel-libipsec or on other platforms. Fixes: c7bef95 ("proposal: Add AES-GCM to the ESP default AEAD proposal") Closes strongswan#868
…omitted Fixes: 46a6b06 ("openssl: Only announce ECDH groups actually supported by OpenSSL")
On the recently updated 2019 image, autoreconf is not found anymore, as recent versions of msys2 don't ship autools with base-devel aymore, so install the autotools package explicitly.
Because the command line, together with the results, is printed after executing it, there could have been weird delays between commands.
References strongswan#876.
Automatically takes care of sending/receiving newly added extensions and conditions. Signed-off-by: Thomas Egerer <[email protected]>
…mined This can happen if an IKE_SA is initiated to a static IP before DHCP is done. Instead of failing the initiation, we either fake a NAT situation (for IPv4) or disable NAT-D (for IPv6 where NATs and UDP-encap are not widely used or supported). This also removes the old fallbacks to determine the source address(es). A source address lookup is done in ike_sa_t::resolve_hosts() (wasn't the case initially) and enumerating local IPs (which was added even earlier) could still lead to issues if e.g. LAN addresses are available but the WAN address that's later used is not yet (in which case only the responder would detect a NAT and UDP-encap would be configured asymmetrically). To force UDP-encap locally in case there is no actual NAT, we store this as COND_NAT_HERE instead of COND_NAT_FAKE. This ensures DPDs will contain NAT-D notifies and we can later remove the state via MOBIKE. We trigger a MOBIKE update after such a DPD by registering a changed NAT mapping after checking for a disappearing local NAT, which is very unlikely to happen outside of a MOBIKE update (where that flag is not checked).
This allows queuing such a task before IKE_AUTH has been processed.
This adds some modifications to NAT-D in case the source IP can't be determined before generating NAT-D notifies. If this happens when using IPv4, a local NAT is faked (UDP-encap can be disabled later via MOBIKE if no NAT is actually detected). If it happens when using IPv6, NAT-T is disabled completely. It also removes the old fallbacks for source NAT-D notifies, which were generally unused but could lead to incorrect results in the above scenario. Closes strongswan#861
The client already enforces that the server identity is contained in the received certificate. But on the server, the referenced commit changed the lookup from the configured (or adopted if %any was configured) client identity to the subject DN of the received client certificate. So any client with a trusted certificate was accepted. Fixes: d2fc9b0 ("tls-server: Mutual authentication support for TLS 1.3") Closes strongswan#873
has_subject() already matches the identity against the subject DN and all the SANs (it actually already did when this check was added with c811479 ("Strictly check if the server certificate matches the TLS server identity")).
There is a conflict between atexit() handlers registered by OpenSSL and some executables (e.g. swanctl or pki) to deinitialize libstrongswan. Because plugins are usually loaded after atexit() has been called, the handler registered by OpenSSL will run before our handler. So when the latter destroys the plugins it's a bad idea to try to access any OpenSSL objects as they might already be invalid. Fixes: f556fce ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.") Closes strongswan#921
…cate TLS 1.3 defines a specific alert for this and for TLS 1.2, RFC 5246, section 7.4.6 defines handshake_failure as correct response.
The XFRM_OFFLOAD_IPV6 flag was never implemented in the kernel and there are no plans to do so. Kernel patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c76ecd9c99b6e9a771d813ab1aa7fa428b3ade1 Closes strongswan#916
…interface When installing routes based on remote traffic selectors, it can be necessary to install an exclude route for the remote peer to avoid a routing loop and continue to be able to reach it via IKE/ESP. However, such routes are only necessary, if the routes we install don't go via outbound interface. That's the case when using VIPs and routing via TUN devices, or when using internal source IPs and routing via their interfaces. Installing such exclude routes if not necessary can cause issues on FreeBSD (EINVAL when sending packets to the peer).
Such routes with a gateway that equals the peer's address are problematic on FreeBSD. And since there is most likely a narrow route for the local subnet anyway, the exclude routes would be redundant.
Avoid unnecessary exclude routes on FreeBSD where these can cause problems. Closes strongswan#890
This happens for `/0` subnet masks. In practice, it's not an issue because if `bytes` is 0, then so are `netbits`, `bits` and `mask`. So the two incorrectly addressed array elements are not actually modified. The first operation is a `&= 0xff` and the second a `|= 0`, so nothing changes. But some tools might not consider the values and report this as undefined behavior, which it technically is.
`Block` has apparently been deprecated and renamed to `BlockStmt` a while ago. Support for `Block` was recently removed completely.
The old API has been deprecated with OpenSSL 3 and direct access to the state isn't possible via EVP API. In the future we might just remove this implementation but we'd probably have to implement EAP-AKA' first, which uses HMAC-SHA-256 with IKEv2's prf+ construct to derive keys instead of this weird construct (plus what fips-prf builds around it) that's used by EAP-AKA.
Uses new and non-deprecated APIs to create/generate key pairs.
While we could assign the DH object to a EVP_PKEY object, this won't work with BoringSSL as it doesn't seem to support EVP_PKEY_derive() for DH.
This allows other plugins to parse such structures directly. The pkcs8 plugin is called recursively again if necessary.
…ctly With such plugins we only need the pkcs8 plugin to load encrypted files.
More of this code was already removed with previous commits. While versions < 1.1.1 are not officially supported anymore, 1.0.2 might still be in use because before 3.x that was the latest version with official FIPS support (OpenSSL apparently also provides extended commercial support for it).
This way we can compile it with OPENSSL_SUPPRESS_DEPRECATED for OpenSSL 3.0, which deprecated the ENGINE API.
Warnings are usually short (as compared to failures that contain data dumps), so the buffer size can be reduced.
This is an issue e.g. when running tests in default Docker containers.
This provides compatibility changes for OpenSSL 3.0.
The external-id parameter takes an int32 and the generated run_id was apparently not valid lately, resulting in undocumented 404 errors when submitting patches (the API endpoint probably doesn't like negative numbers because the last accepted id was 2059658094, rejected ids were e.g. 2167472705 or 2168792083).
mallinfo() is deprecated because it uses `int` for the members of the returned struct, whereas mallinfo2() uses `size_t`. It's available since glibc 2.33.
…gfix/NCL-2292-strongswan-5-9-5-vulnerabilities release 5.9.6
jalappatt
approved these changes
Jan 30, 2025
rishipal-Sophos
approved these changes
Jan 30, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Upgrading strongswan to 5.9.6. Below are the diffs files for below:
diffs_strongswan595_master.txt
diffs_strongswan596_ncl-2292-bugfix.txt