git.ipfire.org Git - thirdparty/strongswan.git/log

5 days ago (devel, master)
Tobias Brunner [Thu, 23 Apr 2026 13:12:12 +0000 (15:12 +0200)]
kernel-pfkey: Add some sanity checks when processing kernel events

These are always set in kernel messages, but just make sure so static
analyzers like SonarQube are happy.

5 days ago
Tobias Brunner [Thu, 23 Apr 2026 09:46:52 +0000 (11:46 +0200)]
constant-time: Fix Doxygen group assignment

6 days ago
Tobias Brunner [Wed, 22 Apr 2026 07:44:38 +0000 (09:44 +0200)]
openssl: Fix memory leak if ipAddrBlock is non-canonical

6 days ago
Tobias Brunner [Wed, 22 Apr 2026 12:01:52 +0000 (14:01 +0200)]
nm: Version bump to 1.6.5

6 days ago (6.0.6)
Andreas Steffen [Wed, 22 Apr 2026 05:55:01 +0000 (07:55 +0200)]
Version bump to 6.0.6

7 days ago
Tobias Brunner [Thu, 16 Apr 2026 16:34:24 +0000 (18:34 +0200)]
NEWS: Add news for 6.0.6 and info about CVEs (CVE-2026-35328..35334)

7 days ago
Tobias Brunner [Tue, 24 Mar 2026 17:05:01 +0000 (18:05 +0100)]
gmp: Avoid crash and timing leaks in PKCS#1 v1.5 decryption padding validation

This fixes a potential crash due to a null-pointer dereference if rsadp()
returns NULL (e.g. with an all-zero ciphertext).

And it also implements the PKCS#1 v1.5 decryption padding check in
constant time.

The timing leak caused by the previous implementation was measured at
~17.5 μs at 3 GHz, which could allow a Bleichenbacher-like attack in
LAN environments.  However, because of how RSA encryption is used in
strongSwan, this is not that much of an issue in practice.  The mechanism
is only used for two use cases.  One is SCEP/EST via PKCS#7 enveloped
data.  Fortunately, this cannot be triggered in significant numbers by
an attacker.  The other use case is TLS as used by EAP methods (EAP-TLS,
EAP-PEAP/TTLS) during the authentication.  While the cipher suites that
use RSA encryption are still enabled by default, the TLS messages are
wrapped in EAP and encrypted by IKE, making any kind of attack difficult.

Note that the gmp plugin isn't enabled anymore by default.  And even
before that, most setups had the openssl plugin enabled, which has
priority over the gmp plugin.  So it's unlikely the plugin was used in
practice.

Fixes: d615ffdcf3cd ("implement gmp_rsa_private_key.decrypt()")
Fixes: CVE-2026-35334

7 days ago
Tobias Brunner [Tue, 24 Mar 2026 17:00:23 +0000 (18:00 +0100)]
utils: Add constant-time comparison primitives for uint32_t
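
An added example (not strongSwan's code) of the technique behind the two commits above: constant-time comparison primitives on uint32_t and a PKCS#1 v1.5 decryption padding check built on them that also tolerates a NULL result from the RSA decryption primitive. The function names and the sample encodings are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Constant-time helpers on uint32_t: no data-dependent branches or memory
 * accesses, so their timing does not depend on the (secret) operands. */

/* 1 if a == b, else 0 */
static uint32_t ct_eq(uint32_t a, uint32_t b)
{
	uint32_t x = a ^ b;
	return ((x | (0u - x)) >> 31) ^ 1u;
}

/* 1 if a < b (unsigned), else 0: the borrow bit of a 64-bit subtraction */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
	return (uint32_t)(((uint64_t)a - (uint64_t)b) >> 63);
}

/* expand a 0/1 bit into an all-zeros/all-ones mask */
static uint32_t ct_mask(uint32_t bit)
{
	return 0u - (bit & 1u);
}

/* a if mask is all ones, b if it is all zeros */
static uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b)
{
	return (a & mask) | (b & ~mask);
}

/*
 * Validate a PKCS#1 v1.5 type 2 encoding (RFC 8017, 7.2.2)
 *   EM = 0x00 || 0x02 || PS || 0x00 || M,  |PS| >= 8, PS without zero bytes
 * and locate M without branching on the contents of EM.  em is the k-byte
 * output of the RSA decryption primitive (NULL if that step failed, as with
 * an all-zero ciphertext).  Returns 1 and sets *msg_off/*msg_len when the
 * padding is valid, 0 with both outputs zeroed otherwise.
 */
static int pkcs1_v15_unpad_ct(const uint8_t *em, size_t k,
							  size_t *msg_off, size_t *msg_len)
{
	uint32_t bad, found = 0, sep = 0, ok, i;

	/* the length k is public, so branching on it leaks nothing */
	if (!em || k < 11)
	{
		*msg_off = *msg_len = 0;
		return 0;
	}
	bad = (1u ^ ct_eq(em[0], 0x00)) | (1u ^ ct_eq(em[1], 0x02));

	/* scan every byte after the header, remembering the first zero byte */
	for (i = 2; i < (uint32_t)k; i++)
	{
		uint32_t is_zero = ct_eq(em[i], 0x00);
		uint32_t first = ct_mask(is_zero & (1u ^ found));
		sep = ct_select(first, i, sep);
		found |= is_zero;
	}
	bad |= 1u ^ found;       /* no separator at all */
	bad |= ct_lt(sep, 10);   /* separator before index 10 means |PS| < 8 */

	ok = ct_mask(1u ^ bad);
	*msg_off = ct_select(ok, sep + 1, 0);
	*msg_len = ct_select(ok, (uint32_t)k - sep - 1, 0);
	return (int)(ok & 1u);
}

/* Constructed 13-byte encodings (k = 13, not real RSA output) exercising the
 * check; returns -1 for rejected input, otherwise msg_off * 1000 + msg_len. */
static int demo_unpad(int which)
{
	static const uint8_t valid[13] =
		{ 0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x00, 'h', 'i' };
	static const uint8_t short_ps[13] =   /* only 7 padding bytes */
		{ 0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x00, 'h', 'i', '!' };
	static const uint8_t no_sep[13] =     /* separator missing */
		{ 0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb };
	static const uint8_t bad_type[13] =   /* block type 1 instead of 2 */
		{ 0x00, 0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x00, 'h', 'i' };
	const uint8_t *cases[] = { valid, short_ps, no_sep, bad_type, NULL };
	size_t off, len;

	if (which < 0 || which > 4) return -1;
	if (!pkcs1_v15_unpad_ct(cases[which], 13, &off, &len)) return -1;
	return (int)(off * 1000 + len);
}
```

The caller still has to consume the result without a data-dependent branch (for instance by substituting a random message on failure), which this block leaves to the protocol layer.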

7 days ago
Tobias Brunner [Wed, 25 Mar 2026 09:35:03 +0000 (10:35 +0100)]
pkcs7: Avoid NULL pointer dereference when verifying padding in enveloped content

As the previous issue, this can be triggered via IKEv1 CERT payloads.

Fixes: d7aa09104f08 ("Implement PKCS#7 enveloped-data parsing and decryption")
Fixes: CVE-2026-35329

7 days ago
Tobias Brunner [Wed, 25 Mar 2026 09:32:36 +0000 (10:32 +0100)]
pkcs5: Fail decryption if data is empty

This avoids the previous bug early.

7 days ago
Tobias Brunner [Wed, 25 Mar 2026 09:28:45 +0000 (10:28 +0100)]
pkcs5: Avoid NULL pointer dereference when verifying padding

Can be triggered via empty PKCS#7 encrypted content in IKEv1 CERT payload.

Fixes: 4076e3ee9121 ("Extract PKCS#5 handling from pkcs8 plugin to separate helper class")
Fixes: CVE-2026-35329

7 days ago
Tobias Brunner [Wed, 25 Mar 2026 09:17:46 +0000 (10:17 +0100)]
tls-server: Prevent infinite loop if supported versions are too short

If the extension doesn't contain a multiple of two bytes, the previous
code would get stuck in an infinite loop as `remaining()` continued to
return TRUE while `read_uint16()` failed to parse a value. Initiating
several connections with such an extension allows a DoS attack as no
threads would eventually be available to handle packets/events.

Fixes: 7fbe2e27ecf6 ("tls-server: TLS 1.3 support for TLS server implementation")
Fixes: CVE-2026-35328
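
An added illustration (not strongSwan's tls-server code) of the parsing pattern the commit describes: a bounded reader with `remaining()`/`read_uint16()` semantics and a supported_versions parser that treats a failed read as a parse error instead of looping on it. The reader type, the function names and the sample extension bodies are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal bounded big-endian reader (hypothetical stand-in for the reader
 * whose remaining()/read_uint16() calls the commit message refers to). */
typedef struct {
	const uint8_t *buf;
	size_t len;
	size_t pos;
} reader_t;

static size_t remaining(const reader_t *r)
{
	return r->len - r->pos;
}

/* reads a 16-bit big-endian value; fails without advancing if < 2 bytes left */
static bool read_uint16(reader_t *r, uint16_t *out)
{
	if (remaining(r) < 2)
	{
		return false;
	}
	*out = (uint16_t)((r->buf[r->pos] << 8) | r->buf[r->pos + 1]);
	r->pos += 2;
	return true;
}

/*
 * Parse the client's supported_versions extension (RFC 8446, 4.2.1):
 *   struct { ProtocolVersion versions<2..254>; }   (one-byte length prefix)
 * Returns the number of versions found, or -1 if the extension is malformed.
 * A loop of the form "while (remaining()) read_uint16()" never terminates on
 * an odd number of trailing bytes, because the failed read does not advance;
 * treating a failed read as a fatal parse error is what breaks that cycle.
 */
static int parse_supported_versions(const uint8_t *ext, size_t ext_len,
									uint16_t *versions, size_t max)
{
	reader_t r = { ext, ext_len, 0 };
	uint16_t version;
	size_t list_len, count = 0;

	if (!remaining(&r))
	{
		return -1;
	}
	list_len = r.buf[r.pos++];
	/* the list must fill the rest of the extension exactly */
	if (list_len < 2 || list_len != remaining(&r))
	{
		return -1;
	}
	while (remaining(&r))
	{
		if (!read_uint16(&r, &version))
		{
			return -1;   /* odd trailing byte: abort instead of spinning */
		}
		if (count < max)
		{
			versions[count] = version;
		}
		count++;
	}
	return (int)count;
}

/* Constructed extension bodies (not captured traffic) for a self-check */
static int demo_supported_versions(int which)
{
	static const uint8_t ok[] = { 0x04, 0x03, 0x04, 0x03, 0x03 }; /* TLS 1.3, TLS 1.2 */
	static const uint8_t odd[] = { 0x03, 0x03, 0x04, 0x03 };      /* 3 bytes of versions */
	static const uint8_t truncated[] = { 0x04, 0x03, 0x04 };      /* length beyond data */
	uint16_t versions[4];

	switch (which)
	{
		case 0:  return parse_supported_versions(ok, sizeof(ok), versions, 4);
		case 1:  return parse_supported_versions(odd, sizeof(odd), versions, 4);
		default: return parse_supported_versions(truncated, sizeof(truncated), versions, 4);
	}
}
```
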

7 days ago
Tobias Brunner [Mon, 23 Mar 2026 17:02:19 +0000 (18:02 +0100)]
constraints: Reject excluded directoryName (DN) name constraints

There is an issue similar to the one fixed with the previous commit when
using directoryName (DN) name constraints.  Some RDNs have to be matched
in a case-insensitive manner, which we e.g. do in
`identification.c::rdn_equals`.  By not doing it for name constraints,
a malicious intermediate CA could evade an excluded name constraint
just by modifying the case in such an RDN.

While we could use the mentioned function in `dn_matches`, this doesn't
properly fix the problem because the function is basically too strict.
Especially in regards to RDNs of type UTF8String, which are only compared
binary.  To match these properly, we'd have to implement the string
preparation described in RFC 5280, section 7.1 and the referenced RFCs.
Until that's the case, we reject excluded name constraints of type
directoryName as we are unable to enforce them.

Fixes: a2b340764fac ("Implemented NameConstraint matching in constraints plugin")
Fixes: CVE-2026-35331

7 days ago
Tobias Brunner [Mon, 23 Mar 2026 16:45:11 +0000 (17:45 +0100)]
constraints: Match FQDN and email addresses case-insensitively

The case is generally ignored when matching such identities.  So this is
an issue with excluded name constraints where a malicious intermediate
CA could evade the constraints by issuing certificates with names that
just modify the case (e.g. strongSwan.org instead of strongswan.org).

Note that it's likely that permitted name constraints are preferred over
excluded name constraints as it might be difficult to come up with a
conclusive list of names to exclude.

Fixes: a2b340764fac ("Implemented NameConstraint matching in constraints plugin")
Fixes: CVE-2026-35331
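
An added example (not the constraints plugin's code) of the case-insensitive matching the commit calls for, applied to dNSName and rfc822Name constraints with the suffix rules of RFC 5280 section 4.2.1.10; the function names and the sample names are mine.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* ASCII case-insensitive comparison of exactly n bytes */
static bool ieq_n(const char *a, const char *b, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
	{
		if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
		{
			return false;
		}
	}
	return true;
}

/* dNSName constraint: the name matches if it equals the constraint or
 * consists of the constraint with further labels added on the left */
static bool dns_matches(const char *name, const char *constraint)
{
	size_t nlen = strlen(name), clen = strlen(constraint);

	if (nlen < clen)
	{
		return false;
	}
	if (nlen > clen && name[nlen - clen - 1] != '.')
	{
		return false;   /* suffix match only on a label boundary */
	}
	return ieq_n(name + nlen - clen, constraint, clen);
}

/* rfc822Name constraint: a particular mailbox ("user@host.example.com"),
 * all mailboxes on a host ("host.example.com") or all mailboxes in a domain
 * (".example.com"); as in the commit, the whole identity is compared
 * case-insensitively */
static bool email_matches(const char *email, const char *constraint)
{
	const char *at = strchr(email, '@');
	const char *host;
	size_t hlen, clen = strlen(constraint);

	if (!at)
	{
		return false;
	}
	if (strchr(constraint, '@'))
	{
		return strlen(email) == clen && ieq_n(email, constraint, clen);
	}
	host = at + 1;
	hlen = strlen(host);
	if (constraint[0] == '.')
	{
		return hlen > clen && ieq_n(host + hlen - clen, constraint, clen);
	}
	return hlen == clen && ieq_n(host, constraint, clen);
}

/* An excluded constraint rejects every name that matches it, so a case
 * variant of the excluded name must not slip through */
static bool excluded_dns_allows(const char *name, const char *excluded)
{
	return !dns_matches(name, excluded);
}
```
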

7 days ago
Tobias Brunner [Fri, 20 Mar 2026 16:38:07 +0000 (17:38 +0100)]
tls-server: Only accept non-empty ECDH public keys with TLS < 1.3

This prevents a crash due to a null-pointer dereference when processing
an empty ECDH public key.

The previous length check only applied in the `!ec` case, so in the `ec`
case, the access to `pub.ptr[0]` was unguarded.  If a crafted TLS
record ends with an empty ClientKeyExchange, then `read_data8` sets
`pub` to `chunk_empty`, causing a null-pointer dereference.

Note that if some data follows the empty ClientKeyExchange, this just
causes a 1-byte out-of-bounds read that has no further effect as the
TLS session is aborted immediately.  Either because the read value
doesn't equal TLS_ANSI_UNCOMPRESSED or because the empty public key
is rejected by `set_public_key()`.

The referenced commit that introduced the pointer access added the
check for `pub.len` specifically to the `!ec` case, while the pointer
access was initially unconditional (probably because the code was just
copied from `tls_peer.c` which processes ECDH public keys in a separate
function, so there was no `ec` flag).  The latter was fixed a couple of
days later with 7b3c01845f63 ("Read the compression type byte for EC
groups, only").  However, that commit didn't change the length check.
Anyway, it's possible that the original intention was to add the check
to the `ec` case on the previous line, or that there was some confusion
with the parenthesis and something like the current code was intended to
begin with.

Fixes: e6cce7ff0d1b ("Prepend point format to ECDH public key")
Fixes: CVE-2026-35332

7 days ago
Lukas Johannes Möller [Thu, 12 Mar 2026 10:24:45 +0000 (10:24 +0000)]
libradius: Reject undersized attributes in enumerator

attribute_enumerate() accepts RADIUS attributes whose length byte is
smaller than sizeof(rattr_t) (2).  For length == 0, the iterator never
advances and traps callers — including verify() — in a non-advancing
loop.  For length == 1, misaligned packed-struct reads occur.

Add a separate check for this->next->length < sizeof(rattr_t) after
the existing truncation guard.  This mirrors radius_message_parse(),
which already distinguishes invalid length from truncation.

Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk")
Fixes: CVE-2026-35333

7 days ago
Lukas Johannes Möller [Wed, 11 Mar 2026 16:07:10 +0000 (16:07 +0000)]
libsimaka: Reject zero-length EAP-SIM/AKA attributes

parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
AT_RAND, AT_PADDING and default branches. The code then subtracts the
fixed attribute header size from the encoded length, which underflows
and exposes a wrapped payload length to later code.  In particular,
for the cases where add_attribute() is called, this causes a heap-based
buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
length is written).  For AT_PADDING, the underflow is irrelevant as
add_attribute() is not called. Instead, this results in an infinite loop.

Reject zero-length attributes before subtracting the attribute header.

Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
Fixes: CVE-2026-35330

7 days ago
Tobias Brunner [Tue, 21 Apr 2026 07:56:18 +0000 (09:56 +0200)]
github: Move CI for Windows from AppVeyor to GitHub Actions

These are quite a bit faster than on AppVeyor (with ccache about a fifth,
without less than half - and they run concurrently).

We only keep the AppVeyor builds for now to test against those old
OpenSSL versions (1.1.1 and 1.0.2) for which there is still extended
support available.  Even simplified like that they still take longer
than the builds on GA.

7 days ago
Tobias Brunner [Tue, 21 Apr 2026 09:03:09 +0000 (11:03 +0200)]
Revert "github: Remove commit ID from cache keys"

Without commit ID, no new caches are created as the key is always the
same.

This reverts commit 60f4c867809a6280c71e5b62f69cbed75839fa93.

11 days ago
Tobias Brunner [Fri, 17 Apr 2026 13:18:11 +0000 (15:18 +0200)]
github: Remove commit ID from cache keys

This reduces the cache storage for active branches and since caches for
different branches are separate and we abort previous builds of the same
branch, this is not necessary to ensure caches can successfully be stored.

11 days ago
Tobias Brunner [Fri, 17 Apr 2026 08:51:28 +0000 (10:51 +0200)]
cirrus/github: Move CI for Alpine from Cirrus CI to GitHub Actions

Same as the previous commit.

11 days ago
Tobias Brunner [Fri, 17 Apr 2026 08:27:48 +0000 (10:27 +0200)]
cirrus/github: Move CI for FreeBSD from Cirrus CI to GitHub Actions

Cirrus CI will shut down in June, so we have to find a replacement to
test our build on FreeBSD.  This uses VMs on GitHub Actions.

12 days ago
Tobias Brunner [Wed, 18 Mar 2026 12:00:18 +0000 (13:00 +0100)]
kernel-netlink: Update family in SA selector if addresses change

12 days ago
Tobias Brunner [Thu, 16 Apr 2026 13:25:07 +0000 (15:25 +0200)]
ike: Use correct format string for unique Child SA identifiers

Analogous to the previous commit.

12 days ago
Tobias Brunner [Thu, 16 Apr 2026 13:13:52 +0000 (15:13 +0200)]
ike: Use correct format string for unique IKE SA identifiers

Would take a while until it became an issue, though.

12 days ago
Tobias Brunner [Thu, 16 Apr 2026 12:59:28 +0000 (14:59 +0200)]
delete-ike-sa-job: Log unique ID when deleting half-open IKE SA

12 days ago
Tobias Brunner [Thu, 16 Apr 2026 12:55:56 +0000 (14:55 +0200)]
ike-init: Log the IKE SA's unique identifier when creating one as responder

The name will not be defined yet, but we have a similar message as
initiator so use the same format.

13 days ago
Tobias Brunner [Wed, 15 Apr 2026 13:00:35 +0000 (15:00 +0200)]
testing: Fix typo regarding ML-KEM in description

2 weeks ago
Tobias Brunner [Tue, 14 Apr 2026 06:33:56 +0000 (08:33 +0200)]
github: Use AWS-LC 1.72.0 for tests

2 weeks ago
Markus Theil [Fri, 10 Apr 2026 19:26:27 +0000 (21:26 +0200)]
botan: Fix typo in algorithm string for SHA3-224 RSA verification

Signed-off-by: Markus Theil <markus.theil@secunet.com>

2 weeks ago
Markus Theil [Fri, 10 Apr 2026 19:25:19 +0000 (21:25 +0200)]
tun-device: Also close IPv6 socket on destruction

Signed-off-by: Markus Theil <markus.theil@secunet.com>

2 weeks ago
Markus Theil [Thu, 9 Apr 2026 10:17:33 +0000 (12:17 +0200)]
encrypted-payload: Check for non-zero payload size

Signed-off-by: Markus Theil <markus.theil@secunet.com>

2 weeks ago
Markus Theil [Thu, 9 Apr 2026 17:35:50 +0000 (19:35 +0200)]
botan: Make RNG types configurable

This allows for usage of ESDM or jitterentropy as Botan RNG without
patching strongSwan.

Signed-off-by: Markus Theil <markus.theil@secunet.com>

2 weeks ago
Tobias Brunner [Fri, 10 Apr 2026 09:21:00 +0000 (11:21 +0200)]
appveyor: Reduce build time and remove build against OpenSSL 1.1.0

We are still too close to the limit of 1 hour (at least with the 2019
image and the 2022 image is about the same), so reduce the build time by
not building libimcv natively, which saves about 10 minutes.

Also, only build against OpenSSL 1.0.2 (on the 2017 image) and 1.1.1 (on
the 2019 image) as these are the only versions for which OpenSSL provides
extended support.

2 weeks ago
Tobias Brunner [Thu, 9 Apr 2026 07:25:23 +0000 (09:25 +0200)]
github: Continue crypto tests even if OpenSSL tests fail

These can sometimes fail because of sync issues with Ubuntu debug symbol
packages, let other crypto tests continue.

2 weeks ago
Tobias Brunner [Thu, 9 Apr 2026 06:53:26 +0000 (08:53 +0200)]
Use wolfSSL 5.9.1 for tests

2 weeks ago
Tobias Brunner [Thu, 9 Apr 2026 07:45:27 +0000 (09:45 +0200)]
unit-tests: Use longer input for ECDSA tests

wolfSSL 5.9.1 starts to enforce a minimum (and maximum) length for the
hash when signing.  Since we'll always require SHA-1, use 20 bytes as
input in the tests to succeed with SIGN_ECDSA_WITH_NULL.

2 weeks ago
Tobias Brunner [Wed, 11 Feb 2026 10:31:24 +0000 (11:31 +0100)]
fuzz: Remove unnecessary calls to set plugin dirs

All the plugins are linked statically into the binaries, so there
is no reason to set the directories that are only required when loading
them from files.

2 weeks ago
Tobias Brunner [Wed, 11 Feb 2026 10:14:53 +0000 (11:14 +0100)]
fuzz: Create fuzzers with default and custom crypto plugins

The pa_tnc fuzzer does not rely on any plugins and the pb_tnc fuzzer is
a bit special in that it does use code from the tnccs-20 plugin, but that
doesn't actually have to be loaded as such. The fuzzer directly calls
statically linked code from the plugin.

3 weeks ago
Tobias Brunner [Tue, 7 Apr 2026 16:57:40 +0000 (18:57 +0200)]
github: Update actions so they don't use deprecated Node.js 20

3 weeks ago
Tobias Brunner [Wed, 1 Apr 2026 16:27:07 +0000 (18:27 +0200)]
tls-server: Avoid allocating large buffer for cipher suites on stack

The `cipher_suites` field has a 16-bit length field, so up to 32k 2-byte
cipher suites could technically be proposed.  With `tls_cipher_suite_t`
typically being 4 bytes wide, the necessary allocation for the temporary
array can be up to 128 KiB.  Even though this should be fine on typical
systems, we avoid potentially overflowing the stack by using malloc()
instead of alloca().

3 weeks ago
Tobias Brunner [Fri, 27 Mar 2026 11:35:10 +0000 (12:35 +0100)]
libipsec: Reject policies for anything but ESP tunnel mode

This is only relevant for trap policies as similar SAs are already
rejected when negotiated.

3 weeks ago
Tobias Brunner [Fri, 27 Mar 2026 11:28:22 +0000 (12:28 +0100)]
trap-manager: Ignore acquires without selectors for wildcard traps

We need to know the actual destination address to process these.

3 weeks ago
Tobias Brunner [Fri, 27 Mar 2026 11:07:19 +0000 (12:07 +0100)]
ike-init: Remove redundant check for more key exchanges during rekeying

We only call derive_keys() after a successful key_exchange_done() call
during rekeying, so this will always return FALSE.

3 weeks ago
Tobias Brunner [Fri, 27 Mar 2026 10:04:54 +0000 (11:04 +0100)]
openssl: Handle EdDSA keys from engines special again

Fixes: 052a93955332 ("openssl: Add support for Ed25519 via AWS-LC")

3 weeks ago
Tobias Brunner [Wed, 25 Mar 2026 17:49:45 +0000 (18:49 +0100)]
certreq: Avoid OOB read when enumerating hashes in OCSP CERTREQ

These certificate requests also contain SHA-1 hashes, which is assumed
in `ike_cert_pre.c::process_certreq()` when enumerating key IDs.

Because the parser allocates a separate chunk for the data and the
enumerator doesn't read beyond that chunk's length after the first
iteration, only lengths between 1 and 19 are problematic (0 doesn't
cause an enumeration because chunk_empty is assigned).

Whether the OOB read then can cause a segmentation fault depends on the
allocator, its alignment rules, and its minimum overhead.  For instance,
with glibc on a typical 64-bit system (8 bytes for pointers and size_t),
the alignment is 16 bytes and the minimum allocated size is 32 bytes,
with typically 24 that are technically available for data, even if only
0 bytes are allocated (as returned by `malloc_usable_size()`).  So with
an allocation between 1 and 19, we can always safely read 20 bytes.

Assuming that other allocators behave similarly for small allocations, it
seems unlikely that this causes a crash.

Fixes: 15612b3a4243 ("Add support for IKEv2 OCSP extensions (RFC 4806)")

3 weeks ago
Tobias Brunner [Wed, 25 Mar 2026 08:56:06 +0000 (09:56 +0100)]
vici: Prevent uninitialized memory access if VICI_LIST_ITEM is too short

If there is only a single length byte, `value` is not changed and points
to uninitialized data.

3 weeks ago
Tobias Brunner [Wed, 25 Mar 2026 08:51:31 +0000 (09:51 +0100)]
tnccs_11: Avoid crash if TNCCS-ReasonStrings is empty or only contains empty nodes

`xmlNodeGetContent()` returns `NULL` if `child` is `NULL`, which causes
a segmentation fault in `chunk_from_str()`.

Fixes: ec1eab03195b ("fixed XML parsing of TNCCS 1.1 ReasonString message")

3 weeks ago
Tobias Brunner [Wed, 25 Mar 2026 08:42:15 +0000 (09:42 +0100)]
eap-sim: Prevent infinite loop if version list contains more than one entry

Fixes: ac4dd5439b22 ("Migrated EAP-SIM to libsimaka, separated server/peer implementations")

3 weeks ago
Tobias Brunner [Mon, 23 Mar 2026 18:03:58 +0000 (19:03 +0100)]
revocation: Fix memory leak if nonce in OCSP response doesn't match

3 weeks ago
Tobias Brunner [Mon, 23 Mar 2026 17:58:18 +0000 (18:58 +0100)]
message: Drop fragments with total fragment count lower than before

The RFC only allows that the number of fragments increases (if the
sender reduces the MTU).

Not enforcing this before could cause early reassembly as the trigger was
that the number of received fragments matches the total count of the
current packet (which was a bit weird anyway).  Only an active MITM could
trigger this as individual fragments are encrypted and authenticated.

3 weeks ago
Tobias Brunner [Fri, 20 Mar 2026 16:20:55 +0000 (17:20 +0100)]
credential-factory: Enforce an upper limit when creating nested credentials

This is mainly intended as a defense-in-depth measure to avoid parsing
massively nested structures that could cause a call stack overflow due
to the massive recursion.  In particular PKCS#7 signed data is prone to
this as these can be nested basically infinitely.  When used in IKEv1 via
ENC_PKCS7_WRAPPED_X509 CERT payloads, our default of 10000 bytes for IKE
messages guards against this, but that's configurable and there might be
a chance for some bug that triggers problematic recursive parsing for
smaller input.

The upper limit is chosen arbitrarily, but there are currently no known
cases that require a depth of more than 10 levels.

3 weeks ago
Tobias Brunner [Fri, 20 Mar 2026 15:05:27 +0000 (16:05 +0100)]
tls-peer: Ensure TLS 1.3 CertificateRequest structure is valid

If nothing was read from the message, the previous code could result in
a crash depending on where `ext.ptr` pointed to, as determined by the
current stack contents.  Since TLS 1.3 is still disabled by default and
this is usually used for TLS-based EAP methods after validating the
IKEv2 server's certificate, the real world impact seems relatively low.

Fixes: 9ef46cfaf917 ("tls-peer: Mutual authentication support for TLS 1.3")

3 weeks ago
Tobias Brunner [Fri, 20 Mar 2026 14:48:41 +0000 (15:48 +0100)]
libsimaka: Prevent out-of-bounds read when parsing attributes with actual length field

These attributes contain a 16-bit length field for the actual length of
the data in bits or bytes, as compared to the length in 4-byte blocks in
the attribute header.  The previous code didn't correctly account for the
length of the fixed header (4 bytes) when it compared the parsed length
to the length in the header.  This could cause an out-of-bounds read of
up to four bytes beyond the end of the attribute/message.

Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")

3 weeks ago
Tobias Brunner [Thu, 2 Apr 2026 05:54:04 +0000 (07:54 +0200)]
nm: Ignore all .gmo files

3 weeks ago
Tobias Brunner [Wed, 1 Apr 2026 12:01:02 +0000 (14:01 +0200)]
dhcp: Use correct getter for boolean force_server_address option

3 weeks ago
Tobias Brunner [Wed, 1 Apr 2026 11:49:08 +0000 (13:49 +0200)]
openssl: Fix return value if returning EdDSA public key fails

3 weeks ago
Tobias Brunner [Wed, 1 Apr 2026 07:07:26 +0000 (09:07 +0200)]
Use Botan 3.11.1 for tests

3 weeks ago
Ekaterine Papava [Wed, 1 Apr 2026 10:22:39 +0000 (12:22 +0200)]
nm: Add Georgian translation

Closes strongswan/strongswan#3041

Signed-off-by: Ekaterine Papava <papava.e@gtu.ge>

5 weeks ago
Andreas Steffen [Mon, 23 Mar 2026 16:24:53 +0000 (17:24 +0100)]
Ignore tarball checksums and signatures

5 weeks ago (6.0.5)
Andreas Steffen [Mon, 23 Mar 2026 12:41:52 +0000 (13:41 +0100)]
Version bump to 6.0.5

5 weeks ago
Tobias Brunner [Fri, 20 Mar 2026 15:28:20 +0000 (16:28 +0100)]
NEWS: Add info about CVE-2026-25075

5 weeks ago
Tobias Brunner [Thu, 5 Mar 2026 11:43:12 +0000 (12:43 +0100)]
eap-ttls: Prevent crash if AVP length header field is invalid

The length field in the AVP header includes the 8 bytes of the header
itself.  Not checking for that and later subtracting it causes an
integer underflow that usually triggers a crash when accessing a
NULL pointer that resulted from the failing chunk_alloc() call because
of the high value.

The attempted allocations for invalid lengths (0-7) are 0xfffffff8,
0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result
in a buffer overflow even if the allocation succeeds.

Fixes: 79f2102cb442 ("implemented server side support for EAP-TTLS")
Fixes: CVE-2026-25075

5 weeks ago
Tobias Brunner [Thu, 19 Mar 2026 08:18:08 +0000 (09:18 +0100)]
Use wolfSSL 5.9.0 for tests

6 weeks ago
Tobias Brunner [Tue, 17 Mar 2026 07:27:37 +0000 (08:27 +0100)]
conf: Install charon-specific snippets also when charon itself is not built

To make the default strongswan.conf, with `load_modular` enabled, work
if charon itself is not built, we enable generating the charon-specific
snippets also for the two other daemons that fall back on reading
options from the `charon` section.

6 weeks ago
Tobias Brunner [Tue, 10 Mar 2026 16:43:08 +0000 (17:43 +0100)]
conf: Generate and install config snippets also for charon-cmd and charon-nm

This allows easier customization for distributions (e.g. disable some
plugins by default).

6 weeks ago
Tobias Brunner [Mon, 16 Mar 2026 10:35:55 +0000 (11:35 +0100)]
github: Use AWS-LC 1.70.0 for tests

6 weeks ago
Arthur Chan [Wed, 11 Mar 2026 22:57:49 +0000 (22:57 +0000)]
fuzz: Add dependency to fuzz RADIUS message parsing

Due to the static build, libcharon will depend on libradius as soon as
eap-radius is enabled even if not actually used.  So in order to avoid
breaking the build of fuzz_ike when enabling this in CIFuzz, enable
it now before adding the actual fuzzer.

Closes strongswan/strongswan#3028

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>

6 weeks ago
Tobias Brunner [Fri, 13 Mar 2026 08:35:28 +0000 (09:35 +0100)]
vici: Prevent uninitialized memory access when finding VICI_END in message

VICI_END (7) shouldn't be encoded in a message.  However, if we encounter
it, we should at least set `out` accordingly so callers can abort the
enumeration.  By not doing so previously and returning TRUE, callers
might access the possibly uninitialized name/value arguments passed to
the enumerator.

6 weeks ago
Tobias Brunner [Wed, 11 Mar 2026 17:16:53 +0000 (18:16 +0100)]
gmp: Reject public keys with public exponent e < 3

This ensures that we don't load a key with e=1, which basically renders
RSA into a no-op.  Since keys are universally generated with e=65537 and
no reputable CA will sign keys with e=1, allowing this before didn't have
any real world impact.

6 weeks ago (6.0.5dr1)
Andreas Steffen [Mon, 23 Feb 2026 19:02:58 +0000 (20:02 +0100)]
Version bump to 6.0.5dr1

7 weeks ago
Tobias Brunner [Wed, 4 Mar 2026 15:30:48 +0000 (16:30 +0100)]
github: Use AWS-LC 1.69.0 for tests

7 weeks ago
Dustin Kirkland [Thu, 26 Feb 2026 17:25:27 +0000 (11:25 -0600)]
string: Fix -Werror=discarded-qualifiers with GCC 15

GCC 15 tightened its built-in declarations for strchr() and strstr() so
that they now propagate const from their first argument, triggering
-Werror=discarded-qualifiers on three assignments in string.c:

  translate():
    char *match = strchr(from, *pos)
    `from` is const char *, so the result of strchr() is const char *.
    `match` is only used for pointer arithmetic (match - from), so
    declaring it const char * is correct and safe.

  strreplace():
    found = strstr(str, search)         [line ~73]
    found = strstr(pos, search)         [line ~89, while condition]
    `str`/`pos` are derived from a const char * parameter, so strstr()
    returns const char *. `found` is used as a mutable char * later
    (pos = found + slen), consistent with the existing (char*) casts
    already used throughout this function for the same reason.
    Add explicit (char*) casts to match the established pattern.

Closes strongswan/strongswan#3015

8 weeks ago
Tobias Brunner [Tue, 3 Mar 2026 13:58:16 +0000 (14:58 +0100)]
NEWS: Add news for 6.0.5

8 weeks ago
Tobias Brunner [Mon, 2 Mar 2026 15:42:38 +0000 (16:42 +0100)]
Use distinct identifier for "command" group in pki/swanctl to fix apidoc

8 weeks ago
Tobias Brunner [Mon, 2 Mar 2026 15:30:12 +0000 (16:30 +0100)]
Fixed some typos, courtesy of codespell

2 months ago
Tobias Brunner [Mon, 23 Feb 2026 10:20:19 +0000 (11:20 +0100)]
swanctl: Check for conflicts with existing and shared options when registering commands

2 months ago
Tobias Brunner [Mon, 23 Feb 2026 10:19:35 +0000 (11:19 +0100)]
pki: Avoid conflict between --verify and --debug

Add shared options to the man page.

2 months ago
Tobias Brunner [Mon, 23 Feb 2026 10:13:55 +0000 (11:13 +0100)]
swanctl: Check for conflicts with shared options when registering commands

Also suppress errors when pre-processing shared options (this was missing
here but already used in pki).

2 months ago
Tobias Brunner [Mon, 23 Feb 2026 10:03:52 +0000 (11:03 +0100)]
swanctl: Avoid conflict between --uninstall and --uri

Also update the man page (including the -V change in the previous commit
and documenting the global options).

2 months ago
Andreas Steffen [Sun, 22 Feb 2026 09:22:19 +0000 (10:22 +0100)]
swanctl: Assigned -V to --version since -v is now used for global --debug

2 months ago
Tobias Brunner [Mon, 16 Feb 2026 11:05:34 +0000 (12:05 +0100)]
stream: Clarify that some methods must not be called from callbacks

2 months ago whitelist: Fix deadlock when handling client disconnection
seantywork [Sun, 15 Feb 2026 09:40:49 +0000 (09:40 +0000)] 
whitelist: Fix deadlock when handling client disconnection

Calling stream_t::destroy from the stream_t::on_read callback will
block the thread in watcher_t::remove because the FD is currently "in
callback".  A similar issue was fixed in the lookip plugin with
961409b66858 ("lookip: Disconnect asynchronously to avoid dead-locking
watcher unregistration").

Fixes: 85ebf6abd441 ("whitelist: Add error handling to socket reads and fix a memory leak")
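
The re-entrancy problem the commit describes, modelled as an added example. This is not strongSwan code and not part of the commit: the watcher/stream types, the `in_callback` flag and the deferred-job mechanism are simplified stand-ins. A real watcher blocks in `remove()` until the callback has returned; this single-threaded model reports the would-block condition instead of actually hanging, which is enough to show why destroying the stream from inside its own `on_read` callback cannot complete and why queuing the destroy to run after the callback does.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of a watcher with a single registered stream. */
typedef struct stream_model stream_model_t;

typedef struct {
    stream_model_t *fd;   /* the registered stream, NULL once removed */
    bool in_callback;     /* true while fd's on_read callback is running */
} watcher_model_t;

struct stream_model {
    watcher_model_t *watcher;
    bool destroyed;
    bool (*on_read)(stream_model_t *self);
};

typedef enum { REMOVE_OK, REMOVE_WOULD_DEADLOCK } remove_result_t;

/* remove() must not return while the FD's callback is running.  A real
 * implementation waits on a condition variable; here, since the waiting
 * thread would be the one running the callback, we report the deadlock. */
static remove_result_t watcher_remove(watcher_model_t *w, stream_model_t *s)
{
    if (w->fd == s && w->in_callback)
        return REMOVE_WOULD_DEADLOCK;
    if (w->fd == s)
        w->fd = NULL;
    return REMOVE_OK;
}

static remove_result_t stream_destroy(stream_model_t *s)
{
    remove_result_t r = watcher_remove(s->watcher, s);
    if (r == REMOVE_OK)
        s->destroyed = true;
    return r;
}

static remove_result_t last_result;      /* outcome of the destroy attempt */
static stream_model_t *pending_destroy;  /* job queued from the callback */

/* Buggy pattern: tear the stream down from inside its own read callback. */
static bool cb_destroy_inline(stream_model_t *s)
{
    last_result = stream_destroy(s);     /* re-enters watcher while in_callback */
    return false;
}

/* Fixed pattern: only queue the teardown; it runs after the callback returns. */
static bool cb_destroy_async(stream_model_t *s)
{
    pending_destroy = s;
    return false;
}

/* The watcher's dispatch loop for one readable FD, followed by queued jobs. */
static void watcher_dispatch(watcher_model_t *w)
{
    stream_model_t *s = w->fd;
    w->in_callback = true;
    s->on_read(s);
    w->in_callback = false;              /* callback done, remove() may proceed */
    if (pending_destroy) {
        last_result = stream_destroy(pending_destroy);
        pending_destroy = NULL;
    }
}

/* Run one client disconnect with either pattern and report how it ended. */
remove_result_t simulate_disconnect(bool asynchronous)
{
    watcher_model_t w = { .fd = NULL, .in_callback = false };
    stream_model_t s = {
        .watcher = &w, .destroyed = false,
        .on_read = asynchronous ? cb_destroy_async : cb_destroy_inline,
    };
    w.fd = &s;
    last_result = REMOVE_OK;
    pending_destroy = NULL;
    watcher_dispatch(&w);
    return last_result;
}
```

The inline variant returns `REMOVE_WOULD_DEADLOCK` because `watcher_remove()` is entered while `in_callback` is still set; the asynchronous variant completes because the destroy only runs once the dispatcher has cleared the flag.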

2 months ago kernel-netlink: Don't fall back to peer address as gateway/nexthop
Tobias Brunner [Fri, 29 Nov 2024 13:57:31 +0000 (14:57 +0100)] 
kernel-netlink: Don't fall back to peer address as gateway/nexthop

This doesn't really seem useful (perhaps it was before we started to
configure the outbound interface on our routes). And it can actually
cause the route installation to fail e.g. for routes over point-to-point
interfaces where we'd get "Error: Nexthop has invalid gateway" errors.

Note that we can't return NULL if we find an interface as e.g. the updown
plugin uses this method to determine the outbound interface (it ignores
the nexthop), which it passes to the script.  If we returned NULL, it
would pass "unknown" instead, which would cause the firewall rules to
mismatch.  While it seems that 0.0.0.0/:: is ignored as nexthop by the
kernel on the installed route, I still explicitly ignore such addresses
to avoid any unintended side-effects.

The automatic route installation in the ikev2/shunt-manual-prio scenario
had to be disabled on the clients.  The reason is that the route in table
220 won't have a nexthop set (the peers are directly connected), so when
trying to reach alice or venus via SSH, which matches the port-specific
bypass policies for which we don't install throw routes, the hosts will
do ARP requests for the target IPs instead of routing the packets via
moon.

Closes strongswan/strongswan#2548

2 months ago vici: Document attributes for additional KE methods in list-sa event
Tobias Brunner [Fri, 20 Feb 2026 10:53:15 +0000 (11:53 +0100)] 
vici: Document attributes for additional KE methods in list-sa event

2 months ago github: Replace action for TKM tests with direct "docker run" call
Tobias Brunner [Fri, 20 Feb 2026 11:34:04 +0000 (12:34 +0100)] 
github: Replace action for TKM tests with direct "docker run" call

The action causes errors because it is not compatible with the Docker
version used in the runner images.  Unfortunately, it doesn't seem
maintained anymore.  The action is simple enough, though, so instead of
switching to a fork, we just use "docker run" directly.

2 months ago github: Add a link to the docs in the new issue config
Tobias Brunner [Tue, 17 Feb 2026 09:18:10 +0000 (10:18 +0100)] 
github: Add a link to the docs in the new issue config

Also reword the discussion link description a bit.

2 months ago Merge branch 'icmp-forwarding'
Tobias Brunner [Thu, 12 Feb 2026 15:21:46 +0000 (16:21 +0100)] 
Merge branch 'icmp-forwarding'

Adds support for ICMP error forwarding that the kernel supports properly
since v6.9 (it still sends locally generated errors from the wrong source
IP, though).

2 months ago testing: Add scenarios to test ICMP forwarding
Tobias Brunner [Thu, 15 Jan 2026 10:04:05 +0000 (11:04 +0100)] 
testing: Add scenarios to test ICMP forwarding

2 months ago vici: Make ICMP forwarding configurable
Tobias Brunner [Mon, 7 Feb 2022 13:48:49 +0000 (14:48 +0100)] 
vici: Make ICMP forwarding configurable

2 months ago child-sa: Enable ICMP forwarding on SA and policies if configured
Tobias Brunner [Mon, 7 Feb 2022 13:35:39 +0000 (14:35 +0100)] 
child-sa: Enable ICMP forwarding on SA and policies if configured

2 months ago child-cfg: Add flag to enable ICMP forwarding
Tobias Brunner [Mon, 7 Feb 2022 13:21:43 +0000 (14:21 +0100)] 
child-cfg: Add flag to enable ICMP forwarding

2 months ago kernel-netlink: Enable ICMP forwarding on inbound SA and out/fwd policies
Tobias Brunner [Mon, 7 Feb 2022 13:21:01 +0000 (14:21 +0100)] 
kernel-netlink: Enable ICMP forwarding on inbound SA and out/fwd policies

2 months ago kernel-ipsec: Add flags to enable ICMP error forwarding
Tobias Brunner [Mon, 7 Feb 2022 13:20:39 +0000 (14:20 +0100)] 
kernel-ipsec: Add flags to enable ICMP error forwarding

For the Linux kernel, this has to be enabled on the inbound SA and the
out and fwd policies.

2 months ago ipsec-types: Add a proper hash function for ipsec_sa_cfg_t
Tobias Brunner [Mon, 7 Feb 2022 13:28:19 +0000 (14:28 +0100)] 
ipsec-types: Add a proper hash function for ipsec_sa_cfg_t

While 3c1290510366 ("ipsec: Add function to compare two ipsec_sa_cfg_t
instances") added a comparison function to avoid issues with non-zeroed
padding, hashes were still calculated using chunk_hash().
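
The padding problem behind this commit, as an added example that is not strongSwan code: the struct, field names and FNV-1a hash below are stand-ins chosen so the compiler inserts padding between fields. Hashing the struct as a blob of `sizeof()` bytes (what a `chunk_hash()`-style call over the whole object does) mixes in whatever the padding happens to contain, so two configurations that compare equal field by field can land in different hash-table buckets. The field-wise hash avoids that and stays consistent with the field-wise comparison.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical config struct; the uint8_t fields force padding before the
 * wider fields on every common ABI. */
typedef struct {
    uint8_t  proto;    /* e.g. ESP or AH */
    uint32_t reqid;
    uint8_t  ipcomp;
    uint64_t mark;
} sa_cfg_t;

/* FNV-1a over an arbitrary byte range, continuing from hash state h. */
static uint32_t fnv1a(uint32_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Defective approach: hash the whole object, padding bytes included. */
uint32_t sa_cfg_hash_raw(const sa_cfg_t *cfg)
{
    return fnv1a(2166136261u, cfg, sizeof(*cfg));
}

/* Fixed approach: hash each field individually, never the padding. */
uint32_t sa_cfg_hash_fields(const sa_cfg_t *cfg)
{
    uint32_t h = 2166136261u;
    h = fnv1a(h, &cfg->proto, sizeof(cfg->proto));
    h = fnv1a(h, &cfg->reqid, sizeof(cfg->reqid));
    h = fnv1a(h, &cfg->ipcomp, sizeof(cfg->ipcomp));
    h = fnv1a(h, &cfg->mark, sizeof(cfg->mark));
    return h;
}

/* Field-wise equality, the companion to the field-wise hash. */
bool sa_cfg_equals(const sa_cfg_t *a, const sa_cfg_t *b)
{
    return a->proto == b->proto && a->reqid == b->reqid &&
           a->ipcomp == b->ipcomp && a->mark == b->mark;
}

/* Fill a config with the same field values on top of a chosen byte pattern,
 * simulating stack garbage left in the padding. */
void sa_cfg_fill(sa_cfg_t *cfg, int padding_byte)
{
    memset(cfg, padding_byte, sizeof(*cfg));
    cfg->proto = 50;
    cfg->reqid = 20;
    cfg->ipcomp = 0;
    cfg->mark = 0x1234;
}

/* True if two equal configs get different raw hashes but equal field hashes,
 * i.e. if the raw-blob hash would break hash-table lookups. */
bool sa_cfg_raw_hash_is_unreliable(void)
{
    sa_cfg_t a, b;
    sa_cfg_fill(&a, 0x00);
    sa_cfg_fill(&b, 0xff);
    return sa_cfg_equals(&a, &b) &&
           sa_cfg_hash_fields(&a) == sa_cfg_hash_fields(&b) &&
           sa_cfg_hash_raw(&a) != sa_cfg_hash_raw(&b);
}
```

The same rule applies to `memcmp()`-based equality, which is why the earlier commit referenced above replaced it with a field-wise comparison: hash and equality must agree on which bytes matter.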

2 months ago bus: Prevent redundant down event on rekeyed CHILD_SA delete timeout
Martin Willi [Thu, 12 Feb 2026 07:53:01 +0000 (08:53 +0100)] 
bus: Prevent redundant down event on rekeyed CHILD_SA delete timeout

If a CHILD_SA is rekeyed using a CREATE_CHILD_SA request, a subsequent
DELETE for the old CHILD_SA may time out. Before sending this DELETE,
a CHILD_REKEYED state CHILD_SA set from child_rekey::process_i() is
immediately set to CHILD_DELETING from child_delete::build_i(). If the
IKE_SA dies due to a retransmission timeout of this DELETE, a redundant
child-down event is issued for the rekeyed CHILD_SA that has already seen a
child-rekey event.

A reproducer shows the following log and events:

    [CFG] vici rekey CHILD_SA #533
    [IKE] establishing CHILD_SA XXX{534} reqid 20
    [ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No KE TSi TSr ]
    [ENC] parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
    [IKE] rekeyed CHILD_SA XXX{533} with SPIs ca997de6_i cd27d4fe_o with XXX{534} with SPIs ced1cd01_i c460a7c9_o
     Event: child-rekey
      [OLD SA] state: REKEYING, spi-in: ca997de6
      [NEW SA] state: INSTALLED, spi-in: ced1cd01
    [IKE] closing CHILD_SA XXX{533} with SPIs ca997de6_i (352 bytes) cd27d4fe_o (264 bytes) and TS 0.0.0.0/0 === 10.11.9.40/29
    [IKE] sending DELETE for ESP CHILD_SA with SPI ca997de6
    [ENC] generating INFORMATIONAL request 1 [ D ]
    [IKE] retransmit 1 of request with message ID 1
    [IKE] retransmit 2 of request with message ID 1
    [IKE] retransmit 3 of request with message ID 1
    [IKE] retransmit 4 of request with message ID 1
    [IKE] giving up after 4 retransmits
     Event: child-updown
      [SA] state: DELETING, spi-in: ca997de6
     Event: child-updown
      [SA] state: INSTALLED, spi-in: ced1cd01

To prevent the redundant child-down event for the successfully rekeyed CHILD_SA,
check if a DELETING CHILD_SA has already removed its outbound state due to
having been rekeyed before issuing the child-down event.

Add a new exchange test exercising that a delete timeout after rekeying does
not cause a duplicate child-down event.
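
The event sequence from the commit, replayed in an added model that is not strongSwan code: the state names, the `outbound_installed` flag and the helper functions are simplified stand-ins. The model raises a child-down event for every CHILD_SA when the IKE_SA dies after the DELETE retransmits are exhausted; the fixed rule skips a DELETING SA whose outbound state was already removed by the rekeying, since the child-rekey event already announced its replacement.

```c
#include <stdbool.h>

/* Hypothetical CHILD_SA states, mirroring the ones in the log above. */
typedef enum { ST_INSTALLED, ST_REKEYING, ST_REKEYED, ST_DELETING } sa_state_t;

typedef struct {
    unsigned   spi_in;
    sa_state_t state;
    bool       outbound_installed; /* false once the SA only carries inbound traffic */
    int        rekey_events;
    int        down_events;
} sa_model_t;

/* CREATE_CHILD_SA rekeying: the new SA is installed, the old one keeps only
 * its inbound state and a single child-rekey event covers the pair. */
void rekey_child(sa_model_t *old, sa_model_t *new_sa)
{
    old->state = ST_REKEYING;
    new_sa->state = ST_INSTALLED;
    old->state = ST_REKEYED;
    old->outbound_installed = false;
    old->rekey_events++;
}

/* Sending the DELETE for the old SA moves it to DELETING. */
void begin_delete(sa_model_t *old)
{
    old->state = ST_DELETING;
}

/* Decide whether a child-down event is due when the IKE_SA is torn down. */
bool child_down_due(const sa_model_t *sa, bool fixed)
{
    switch (sa->state) {
    case ST_INSTALLED:
    case ST_REKEYING:
        return true;
    case ST_REKEYED:
        return false;               /* child-rekey already reported it */
    case ST_DELETING:
        /* Before the fix every DELETING SA got a down event; after it, one
         * whose outbound state is already gone (i.e. it was rekeyed) does not. */
        return fixed ? sa->outbound_installed : true;
    }
    return true;
}

/* The IKE_SA dies after giving up on retransmitting the DELETE. */
void ike_sa_timeout(sa_model_t **sas, int n, bool fixed)
{
    for (int i = 0; i < n; i++)
        if (child_down_due(sas[i], fixed))
            sas[i]->down_events++;
}

/* Replay the scenario and report the down events raised for each SA. */
void replay_delete_timeout(bool fixed, int *old_down, int *new_down)
{
    sa_model_t old    = { 0xca997de6, ST_INSTALLED, true, 0, 0 };
    sa_model_t new_sa = { 0xced1cd01, ST_INSTALLED, true, 0, 0 };
    sa_model_t *sas[] = { &old, &new_sa };

    rekey_child(&old, &new_sa);      /* Event: child-rekey */
    begin_delete(&old);              /* INFORMATIONAL [ D ] sent */
    ike_sa_timeout(sas, 2, fixed);   /* giving up after 4 retransmits */

    *old_down = old.down_events;
    *new_down = new_sa.down_events;
}
```

With `fixed == false` the replay reproduces the log: two child-updown events, one of them for the SA that was already rekeyed. With `fixed == true` only the new, still fully installed SA gets a down event.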

2 months ago Remove accidentally committed libtool script
Tobias Brunner [Mon, 9 Feb 2026 15:04:23 +0000 (16:04 +0100)] 
Remove accidentally committed libtool script

Fixes: 3e5a528aec09 ("tpm: Auto-detection of legacy TPM 2.0 devices")

2 months ago Merge branch 'swanctl-plugins'
Tobias Brunner [Fri, 6 Feb 2026 15:10:50 +0000 (16:10 +0100)] 
Merge branch 'swanctl-plugins'

Uses a separate default plugin list for swanctl (instead of just loading
all of libstrongswan's plugins) to avoid some side-effects of loaded but
unused plugins.  The load statements in the regression tests have been
updated accordingly.

A new configure option for maintainers of distributions that ship
plugins in separate packages changes the message if a plugin is not
found and reduces its log level.  This confused users of tools that don't
use modular plugin loading (e.g. pki or swanctl).

Also changes command line handling in pki and swanctl so that the shared
options can be passed before the actual command and that the debug level
also affects library/plugin initialization.

References strongswan/strongswan#2971

2 months ago swanctl: Add global --debug, --options and --uri arguments
Tobias Brunner [Fri, 30 Jan 2026 11:20:05 +0000 (12:20 +0100)] 
swanctl: Add global --debug, --options and --uri arguments

Similarly to the previous commit for pki, this allows setting these
options before the command, and by pre-parsing them we can see log
messages during the initialization.

2 months ago debug: Add helper to get the current default log level for a group
Tobias Brunner [Fri, 30 Jan 2026 11:44:53 +0000 (12:44 +0100)] 
debug: Add helper to get the current default log level for a group