We are happy to announce the release of strongSwan 5.9.5, which fixes a vulnerability in the EAP client, supports TPM 2.0 secure sessions, brings basic OpenSSL 3.0 support and comes with several other new features and fixes.
Vulnerability in the EAP Client (CVE-2021-45079)
A vulnerability in the EAP client implementation was fixed that was caused by incorrectly handling early EAP-Success messages. It may allow bypassing the client and, in some scenarios, even the server authentication, or could lead to a denial-of-service attack. All strongSwan versions since 4.2.1 may be affected.
More information is provided in a separate blog entry.
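As an added illustration (not strongSwan's own code), the following minimal EAP peer state check accepts an EAP-Success only after the selected method has completed and exported its key material; the class and state names are assumptions of this example, the EAP codes come from RFC 3748.

```python
import struct
from enum import Enum

# EAP packet codes (RFC 3748, section 4).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


class State(Enum):
    IDENTITY = "identity"          # only Identity exchange so far
    METHOD_RUNNING = "running"     # a method was selected, not finished
    METHOD_DONE = "done"           # method finished and MSK derived
    AUTHENTICATED = "authenticated"
    FAILED = "failed"


def parse_eap_header(pkt: bytes):
    """Return (code, identifier, length, type-or-None); reject malformed data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet size")
    eap_type = pkt[4] if length >= 5 else None
    return code, ident, length, eap_type


class EapClient:
    """Hypothetical peer-side state machine for this example."""

    def __init__(self):
        self.state = State.IDENTITY
        self.msk = None

    def method_finished(self, msk: bytes):
        # Called by the EAP method once it completed and exported its MSK.
        self.state, self.msk = State.METHOD_DONE, msk

    def handle(self, pkt: bytes) -> State:
        code, _ident, _length, eap_type = parse_eap_header(pkt)
        if self.state in (State.FAILED, State.AUTHENTICATED):
            return self.state                    # terminal states stay put
        if code == EAP_SUCCESS:
            # Core check: a Success before the method finished is an error.
            ok = self.state == State.METHOD_DONE and bool(self.msk)
            self.state = State.AUTHENTICATED if ok else State.FAILED
        elif code == EAP_FAILURE:
            self.state = State.FAILED
        elif code == EAP_REQUEST and eap_type != EAP_TYPE_IDENTITY:
            self.state = State.METHOD_RUNNING    # non-Identity request = method
        elif code != EAP_REQUEST:
            raise ValueError(f"unexpected EAP code {code} at the peer")
        return self.state
```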
TPM 2.0 Secure Sessions
Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now establish a secure session via RSA OAEP public key encryption or an ephemeral ECDH key exchange, respectively. The session allows HMAC-based authenticated communication with the TPM 2.0 and the exchanged parameters can be encrypted with AES-CFB where necessary to guarantee confidentiality (e.g. when using the TPM 2.0 as RNG).
Basic Support for OpenSSL 3.0
Basic support for OpenSSL 3.0 has been added to the openssl plugin. In particular, the new load_legacy option (enabled by default) allows loading the "legacy" provider for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the existing fips_mode option allows explicitly loading the "fips" provider, e.g. if it's not activated in OpenSSL's fipsmodule.cnf. All loaded providers are logged when the plugin is initialized.
Other Notable Features and Fixes
- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and FreeBSD is now configurable and reduced to 1400 bytes, by default. This also fixes an issue on macOS 12 that prevented the detection of virtual IPs installed on such TUN devices.
- When rekeying CHILD_SAs, the old outbound SA is now uninstalled shortly after the new SA has been installed on the initiator/winner. This is useful for IPsec implementations where the ordering of SAs is unpredictable and we can't set the SPI on the outbound policy to switch to the new SA while both are installed.
- The sw-collector utility may now iterate through APT history logs processed by logrotate.
- The openssl plugin now only announces the ECDH groups actually supported by OpenSSL (determined via