5.9.8
Release time: 2022-10-03 23:24:15
strongswan/strongswan latest release: 5.9.14 (2024-03-19 21:34:10)
- Fixed a vulnerability related to online certificate revocation checking that was caused because the revocation plugin used potentially untrusted OCSP URIs and CRL distribution points in certificates. This allowed a remote attacker to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which could have led to a denial-of-service attack. This vulnerability has been registered as CVE-2022-40617. Please refer to our blog for details.
- The `pki --scep|--scepca` commands implement the HTTP-based "Simple Certificate Enrollment Protocol" (RFC 8894 SCEP), replacing the old and long deprecated `scepclient` that has been removed.
- The `pki --est|--estca` commands implement the HTTPS-based "Enrollment over Secure Transport" (RFC 7070 EST) protocol.
- The `pki --req` command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key.
- The `ike_cfg_t` object is now always replaced together with the `peer_cfg_t` object that's set on an IKE_SA during authentication. This is more consistent and makes it possible to properly take into account some settings that are also relevant during IKE_AUTH (e.g. `childless`); it was actually already handled this way during rekeying/reestablishing of IKE_SAs and e.g. for the DSCP setting.
- The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests (now indirectly enabled if the `pki` tool is built, due to the implementation of EST) can be completed successfully with just the default plugins.
- Our TLS client implementation now sends an empty certificate payload if a certificate request is received but no certificate is available. The encoding of TLS 1.3 certificate extensions for intermediate CA certificates has also been fixed.
- The socket plugins don't set the `SO_REUSEADDR` option anymore on the IKE UDP sockets, so an error is triggered if e.g. two daemons (e.g. `charon` and `charon-systemd`) are running concurrently using the same ports.
- The `charon.rsa_pss_trailerfield` setting generates an algorithmIdentifier for RSASSA-PSS signatures with explicit trailerField, which might be necessary for interoperability with implementations of RFC 7427 that haven't considered its errata.
- A potential use-after-free issue has been fixed when caching credential encodings (e.g. fingerprints) if multiple threads operate on the same key concurrently (#1231).
- A potential crash has been fixed that was caused by a race condition during shutdown between the main thread flushing the IKE_SA manager and worker threads still creating IKE_SAs (#1252).
- A potential crash in the vici plugin has been fixed that was caused when events were triggered with messages that failed to get created successfully (#1278).
- A file descriptor leak has been fixed in the Android client (#1160), plus some other issues related to targeting Android 12 (e.g. #1151 and 86b69f26e49f93f94f6ab84b48feac8716a719cc).
- For developers:
  - For IKEv2, the `ike_updown()` "up" event and the state change to `IKE_ESTABLISHED` are now triggered after all IKE-related tasks are done. This ensures the IKE_SA is actually fully established, which now includes any assigned virtual IPs, additional MOBIKE peer addresses or a reauthentication time updated via `AUTH_LIFETIME` notify. This was an issue for the selinux plugin if virtual IPs were used.
  - In the `cert_validator_t` interface, the `online` flag has been removed from the `validate()` method, which is called during basic certificate chain validation. Online validation is now instead triggered via the new `validate_online()` method, which is called after a trusted certificate chain has been built.
  - `pen_t` is now used for EAP vendor IDs instead of `uint32_t`.
  - The `--enable-asan` configure option enables building with AddressSanitizer (ASan).
  - The `TESTS_ITERATIONS` environment variable allows running only specific iterations of loop-based test functions.
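Why dropping `SO_REUSEADDR` on the IKE UDP sockets turns two concurrently running daemons into a visible bind error instead of silent port sharing, as an added stand-alone example (not strongSwan code): the first bind plays the already running daemon, the second the one started by mistake. It assumes Linux semantics, where two UDP sockets that both set `SO_REUSEADDR` may bind the very same address and port.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a UDP socket bound to 127.0.0.1:port (0 lets the kernel pick a port),
 * optionally setting SO_REUSEADDR first. Returns the fd, or -1 with errno set. */
static int open_udp(unsigned short port, int reuseaddr)
{
    struct sockaddr_in addr;
    int one = 1, err, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (reuseaddr) setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) return fd;
    err = errno;           /* preserve the bind error across close() */
    close(fd);
    errno = err;
    return -1;
}

/* Bind a first "daemon" socket, then try to bind a second socket to exactly the
 * same address and port, SO_REUSEADDR set on both or on neither. Returns 0 if the
 * second bind succeeded (both sockets now silently share the port, the pre-5.9.8
 * behaviour) or the errno of the failed bind (EADDRINUSE without SO_REUSEADDR). */
int try_double_bind(int reuseaddr)
{
    struct sockaddr_in bound;
    socklen_t len = sizeof(bound);
    int result, second, first = open_udp(0, reuseaddr);
    if (first < 0) return errno;
    if (getsockname(first, (struct sockaddr *)&bound, &len) < 0) {
        result = errno; close(first); return result;
    }
    second = open_udp(ntohs(bound.sin_port), reuseaddr);
    result = (second < 0) ? errno : 0;
    if (second >= 0) close(second);
    close(first);
    return result;
}

int main(void)
{
    printf("without SO_REUSEADDR: %s\n", strerror(try_double_bind(0)));
    printf("with SO_REUSEADDR:    %s\n", strerror(try_double_bind(1)));
    return 0;
}
```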
Refer to the 5.9.8 milestone for a list of all closed issues and pull requests.
1. strongswan-5.9.8.tar.bz2 (4.53MB)
2. strongswan-5.9.8.tar.bz2.sig (659B)
3. strongswan-5.9.8.tar.gz (7.39MB)
4. strongswan-5.9.8.tar.gz.sig (659B)