git.ipfire.org Git - thirdparty/strongswan.git/log
thirdparty/strongswan.git
2 days ago  charon-cmd: Make local host configurable  [master]
Tobias Brunner [Mon, 1 Jun 2026 07:02:35 +0000 (09:02 +0200)] 
charon-cmd: Make local host configurable

This allows preferring a particular address family (via 0.0.0.0 or ::)
or even a specific local address.

2 days ago  charon-cmd: Use %any as local address so IPv4 is not preferred
Tobias Brunner [Mon, 1 Jun 2026 06:54:49 +0000 (08:54 +0200)] 
charon-cmd: Use %any as local address so IPv4 is not preferred

When resolving the remote host, we first determine if a particular
address family is preferred locally.  With `0.0.0.0` that's IPv4, with
`%any` that's not the case.  So we use the latter to allow resolvers
to return an IPv6 address.

5 days ago  oss-fuzz: Add new fuzzer targeting libtls
Arthur Chan [Wed, 11 Feb 2026 09:57:43 +0000 (09:57 +0000)] 
oss-fuzz: Add new fuzzer targeting libtls

Closes strongswan/strongswan#3004

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
Co-authored-by: Tobias Brunner <tobias@strongswan.org>

6 days ago  swanctl: Add option to only list a specific connection with --list-conns
Tobias Brunner [Thu, 28 May 2026 14:44:54 +0000 (16:44 +0200)] 
swanctl: Add option to only list a specific connection with --list-conns

6 days ago  Merge branch 'vici-proposals'
Tobias Brunner [Thu, 28 May 2026 14:27:37 +0000 (16:27 +0200)] 
Merge branch 'vici-proposals'

Adds IKE and IPsec proposals to the `list-conn` VICI event.  Currently
not printed in `swanctl --list-conns` to keep the output compact (`--raw`
can be used to see the proposals).

Closes strongswan/strongswan#3067

6 days ago  vici: Return proposals in a more structured way
Tobias Brunner [Wed, 27 May 2026 06:27:15 +0000 (08:27 +0200)] 
vici: Return proposals in a more structured way

This allows clients to distinguish between algorithms of different
transform types more easily.  The names are similar to those used
when returning the algorithms of the selected proposal in list-sas (except
for `ke` instead of `dh` and `sn` instead of `esn` to reflect the
latest IETF/IANA changes).

6 days ago  vici: Include proposals in connection listings
Mathijs Smit [Wed, 20 May 2026 11:45:55 +0000 (13:45 +0200)] 
vici: Include proposals in connection listings

Signed-off-by: Mathijs Smit <smit.mathijs@gmail.com>

6 days ago  ike-cfg: Add flag to suppress log message when retrieving proposals
Tobias Brunner [Thu, 21 May 2026 15:16:09 +0000 (17:16 +0200)] 
ike-cfg: Add flag to suppress log message when retrieving proposals

6 days ago  child-cfg: Add flag to suppress log message when retrieving proposals
Tobias Brunner [Thu, 21 May 2026 15:14:31 +0000 (17:14 +0200)] 
child-cfg: Add flag to suppress log message when retrieving proposals

6 days ago  oid: Fix confusing identifiers for elliptic curves over prime fields  [devel]
Tobias Brunner [Thu, 28 May 2026 11:30:07 +0000 (13:30 +0200)] 
oid: Fix confusing identifiers for elliptic curves over prime fields

SECT (indicating a binary field) was incorrectly used in constants for
the SECP (prime field) curves.

6 days ago  public-key: Fix mapping of RSA with PKCS#1 v1.5 and SHA3-512 to OID
Tobias Brunner [Thu, 28 May 2026 11:21:22 +0000 (13:21 +0200)] 
public-key: Fix mapping of RSA with PKCS#1 v1.5 and SHA3-512 to OID

Fixes: 40f2589abfc8 ("gmp: Support of SHA-3 RSA signatures")

6 days ago  configure: Fix check for option that indicates if plugins are packaged separately
Tobias Brunner [Thu, 28 May 2026 10:14:39 +0000 (12:14 +0200)] 
configure: Fix check for option that indicates if plugins are packaged separately

The option was renamed with 7f9f9bd375ab ("Fixed some typos, courtesy of
codespell"), the check was not.

Fixes: dd7b0283efcd ("plugin-loader: Add option to change log message if plugin is not found")

6 days ago  github: Fix typo when enabling curve25519 plugin for gcrypt tests
Tobias Brunner [Thu, 28 May 2026 10:17:45 +0000 (12:17 +0200)] 
github: Fix typo when enabling curve25519 plugin for gcrypt tests

Doesn't make a difference as the configure script also accepts the option
with a single dash.

7 days ago  github: Move permissions to the individual jobs
Tobias Brunner [Wed, 27 May 2026 11:31:51 +0000 (13:31 +0200)] 
github: Move permissions to the individual jobs

SonarQube complains about workflow-level "allow" permissions.

7 days ago  github: Increase the time CIFuzz is running the fuzzers
Tobias Brunner [Wed, 27 May 2026 10:38:27 +0000 (12:38 +0200)] 
github: Increase the time CIFuzz is running the fuzzers

Several new fuzzers were added since this workflow was created (in
particular due to the plugin split).

7 days ago  fuzz: Add fuzzer targeting RADIUS messages
Arthur Chan [Wed, 11 Mar 2026 22:21:16 +0000 (22:21 +0000)] 
fuzz: Add fuzzer targeting RADIUS messages

Closes strongswan/strongswan#3027

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>

7 days ago  fuzz: Add fuzzer targeting VICI messages
Arthur Chan [Wed, 11 Mar 2026 21:54:45 +0000 (21:54 +0000)] 
fuzz: Add fuzzer targeting VICI messages

Closes strongswan/strongswan#3026

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>

12 days ago  github: Add a note regarding vulnerability reports to issue template
Tobias Brunner [Thu, 21 May 2026 08:12:14 +0000 (10:12 +0200)] 
github: Add a note regarding vulnerability reports to issue template

Also updated the version numbers in the template.

12 days ago  ike-init: Fix key derivation if SA is reset after IKE_INTERMEDIATE retransmits
Tobias Brunner [Wed, 20 May 2026 11:49:44 +0000 (13:49 +0200)] 
ike-init: Fix key derivation if SA is reset after IKE_INTERMEDIATE retransmits

Because the `derived` flag was not reset (it's set after the initial
IKE_SA_INIT exchange), no keys would get derived when sending
IKE_INTERMEDIATE during the next try.  As there is then no `aead_t`
available, encrypting the message would fail and the initiation would
remain stuck.

Fixes: 0d49ddec2ef5 ("ike-init: Add support for multiple key exchanges")

12 days ago  Revert "testing: Ignore unknown memory in leak detective"
Tobias Brunner [Wed, 20 May 2026 09:22:33 +0000 (11:22 +0200)] 
Revert "testing: Ignore unknown memory in leak detective"

This reverts commit b9986953448dc198c3c466a45e0d4f7d90c17af8.

Seems like this is not necessary anymore.  Possibly because of
8ff3238027f5 ("openssl: Prevent OpenSSL from using posix_memalign() if
LD is enabled").

12 days ago  credential-manager: Check certificate expiry also for trusted self-signed certs
Thomas Jarosch [Tue, 5 May 2026 12:38:30 +0000 (14:38 +0200)] 
credential-manager: Check certificate expiry also for trusted self-signed certs

This serves as a defense-in-depth measure against forgotten
configs/credentials.

12 days ago  credential-manager: Check expiry also for last cert in incomplete trust chain
Thomas Jarosch [Tue, 5 May 2026 13:41:01 +0000 (15:41 +0200)] 
credential-manager: Check expiry also for last cert in incomplete trust chain

While the validity of a pre-trusted certificate for which an issuer is
found is enforced via `check_certificate()`, the validity of such a
certificate in an incomplete trust chain, or rather that of the last
certificate in such a chain, was not enforced.  This fixes that
inconsistency.

12 days ago  unit-tests: Replace expired self-signed TLS certificates
Tobias Brunner [Tue, 19 May 2026 14:49:22 +0000 (16:49 +0200)] 
unit-tests: Replace expired self-signed TLS certificates

2 weeks ago  swid-gen: Use process_t to avoid potential command injection
Tobias Brunner [Mon, 18 May 2026 12:19:35 +0000 (14:19 +0200)] 
swid-gen: Use process_t to avoid potential command injection

In a targeted request, the software ID is provided by the IMV.  If no
database is used (which is not the recommended setup), the ID is not
validated and could potentially contain special characters.  With the
previous command string construction and use of popen(), which runs a
shell, that could potentially allow running arbitrary commands.

2 weeks ago  ike-init: Destroy KE object after each derivation during initial exchanges
Tobias Brunner [Mon, 18 May 2026 14:29:41 +0000 (16:29 +0200)] 
ike-init: Destroy KE object after each derivation during initial exchanges

This fixes error handling in build_r_multi_ke() so we don't incorrectly
reuse the object from the previous exchange if we don't receive a KE
payload.

2 weeks ago  child-rekey: Avoid potential use-after-free for deleted SPIs array
Tobias Brunner [Mon, 18 May 2026 13:47:46 +0000 (15:47 +0200)] 
child-rekey: Avoid potential use-after-free for deleted SPIs array

2 weeks ago  tun-device: Fix setting IPv6 address on Linux
Tobias Brunner [Mon, 18 May 2026 13:41:04 +0000 (15:41 +0200)] 
tun-device: Fix setting IPv6 address on Linux

Unlike `struct ifreq` that's used for IPv4, `struct in6_ifreq` contains
not a `struct sockaddr[_in6]` but only a `struct in6_addr`.

Setting addresses like this is currently not used on Linux (the feature
was added to install virtual IPs on FreeBSD/macOS).

Fixes: fccc76449dc5 ("tun-device: Fix handling of IPv6 addresses")

2 weeks ago  swanctl: Make sure options array passed to getopt_long() ends with a NULL entry
Tobias Brunner [Mon, 18 May 2026 13:20:27 +0000 (15:20 +0200)] 
swanctl: Make sure options array passed to getopt_long() ends with a NULL entry

2 weeks ago  pki: Make sure options array passed to getopt_long() ends with a NULL entry
Tobias Brunner [Mon, 18 May 2026 13:18:08 +0000 (15:18 +0200)] 
pki: Make sure options array passed to getopt_long() ends with a NULL entry

2 weeks ago  pts: Fix error string if mandatory DH group is unavailable
Tobias Brunner [Mon, 18 May 2026 13:02:08 +0000 (15:02 +0200)] 
pts: Fix error string if mandatory DH group is unavailable

Fixes: 0841280cdde8 ("libimcv: Fix build with DEBUG_LEVEL < 3")

2 weeks ago  xof: Fix mapping for SHA3-512 to a corresponding MGF1 identifier
Tobias Brunner [Mon, 18 May 2026 12:54:54 +0000 (14:54 +0200)] 
xof: Fix mapping for SHA3-512 to a corresponding MGF1 identifier

Fixes: 3b7c49bc3138 ("mgf1: Support of RSA PSS with SHA3 hash")

2 weeks ago  openssl: Check that EC keys don't have explicit params for internally loaded keys
Tobias Brunner [Mon, 18 May 2026 12:45:38 +0000 (14:45 +0200)] 
openssl: Check that EC keys don't have explicit params for internally loaded keys

Keys loaded via generic loader (KEY_ANY) or from a PKCS#12 file (or an
engine) don't go through the openssl_ec_private_key_load() constructor
that checks for explicit parameters.

2 weeks ago  botan: Fix registration of ECDSA signature/verification plugin features
Tobias Brunner [Wed, 13 May 2026 14:03:31 +0000 (16:03 +0200)] 
botan: Fix registration of ECDSA signature/verification plugin features

This was broken since the Botan 3 release, which removed the EMSA1
class and the define.  The "EMSA1()" wrapper when signing/verifying is
technically not necessary anymore since then (it's deprecated but still
accepted).  But to still support Botan 2, we keep that in for now.

2 weeks ago  github: Use AWS-LC 1.73.0 for tests
Tobias Brunner [Tue, 12 May 2026 15:44:40 +0000 (17:44 +0200)] 
github: Use AWS-LC 1.73.0 for tests

2 weeks ago  receiver: Avoid unaligned memory access in COOKIE verification
Tobias Brunner [Tue, 12 May 2026 14:59:16 +0000 (16:59 +0200)] 
receiver: Avoid unaligned memory access in COOKIE verification

This access could be an issue on platforms with strict alignment
requirements.

2 weeks ago  dhcp: Fix potential OOB read when parsing DHCP messages
Tobias Brunner [Mon, 11 May 2026 08:40:36 +0000 (10:40 +0200)] 
dhcp: Fix potential OOB read when parsing DHCP messages

The missing parentheses around the additions when calculating optlen
in the previous code can cause an out-of-bounds read of up to 228 bytes
if no DHCP_OPTEND is found in the message (the calculation basically
evaluated to `- 20 + 8 + 240`).

Since the buffer for the received packet (via pf_handler_t) is located
on the stack, this shouldn't cause much of an issue in practice.
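
The precedence slip described in this message, as an added example that is not the dhcp plugin's code: a hypothetical option walker computes the option length both ways from the three header sizes the message names (20 + 8 + 240), showing that the unparenthesised form yields a bound 228 bytes past the end of the received data, and then walks a constructed packet with every read checked against the corrected length. Constant names, the walker and the sample packet are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* header sizes the commit message names: IPv4 header, UDP header and the
 * fixed part of the DHCP message that precedes the options */
#define IP_HDR_LEN   20
#define UDP_HDR_LEN  8
#define DHCP_FIXED   240
#define DHCP_OPTPAD  0
#define DHCP_OPTEND  255

/* The pre-fix arithmetic: without parentheses only the first term is
 * subtracted, so this is len - 20 + 8 + 240 = len + 228, a bound that lies
 * 228 bytes beyond the end of the received packet. */
static size_t optlen_buggy(size_t len)
{
	return len - IP_HDR_LEN + UDP_HDR_LEN + DHCP_FIXED;
}

/* Fixed arithmetic, with an explicit check that the packet is long enough
 * (in size_t a too-short packet would wrap instead of going negative). */
static int optlen_fixed(size_t len, size_t *optlen)
{
	if (len < IP_HDR_LEN + UDP_HDR_LEN + DHCP_FIXED)
	{
		return 0;
	}
	*optlen = len - (IP_HDR_LEN + UDP_HDR_LEN + DHCP_FIXED);
	return 1;
}

/* convenience wrapper: the option length, or 0 if the packet is too short */
static size_t optlen_checked(size_t len)
{
	size_t optlen = 0;
	return optlen_fixed(len, &optlen) ? optlen : 0;
}

/* Count the options in a raw packet (hypothetical walker, not the plugin's
 * code). Every read is bounded by optlen, so a packet without DHCP_OPTEND
 * ends the loop instead of running past the buffer. Returns the option
 * count, -1 if the packet is truncated or lacks DHCP_OPTEND. */
static int count_dhcp_options(const uint8_t *pkt, size_t len)
{
	const uint8_t *opts;
	size_t optlen, pos = 0, olen;
	int count = 0;

	if (!optlen_fixed(len, &optlen))
	{
		return -1;
	}
	opts = pkt + IP_HDR_LEN + UDP_HDR_LEN + DHCP_FIXED;
	while (pos < optlen)
	{
		if (opts[pos] == DHCP_OPTEND)
		{
			return count;
		}
		if (opts[pos] == DHCP_OPTPAD)
		{
			pos++;
			continue;
		}
		if (optlen - pos < 2)
		{
			return -1;	/* type byte without length byte */
		}
		olen = opts[pos + 1];
		if (optlen - pos - 2 < olen)
		{
			return -1;	/* option value extends past the packet */
		}
		count++;
		pos += 2 + olen;
	}
	return -1;	/* ran out of data without DHCP_OPTEND */
}

/* constructed packet: 268 zeroed header bytes, DHCP message type (53) and
 * server identifier (54), then DHCP_OPTEND unless `drop_optend` is set */
static int demo(int drop_optend)
{
	uint8_t pkt[IP_HDR_LEN + UDP_HDR_LEN + DHCP_FIXED + 10] = { 0 };
	uint8_t *o = pkt + IP_HDR_LEN + UDP_HDR_LEN + DHCP_FIXED;

	o[0] = 53; o[1] = 1; o[2] = 5;									/* DHCPACK */
	o[3] = 54; o[4] = 4; o[5] = 192; o[6] = 0; o[7] = 2; o[8] = 1;	/* 192.0.2.1 */
	o[9] = DHCP_OPTEND;
	return count_dhcp_options(pkt, sizeof(pkt) - (drop_optend ? 1 : 0));
}

int main(void)
{
	printf("300-byte packet: buggy optlen %zu, fixed optlen %zu\n",
		   optlen_buggy(300), optlen_checked(300));
	printf("with OPTEND: %d options, without: %d\n", demo(0), demo(1));
	return 0;
}
```

For a 300-byte packet the fixed bound is 32 bytes of options while the buggy one is 528, so the walker would have kept reading past the buffer until it happened upon a 255 byte.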

2 weeks ago  github: Evict old entries from ccache
Tobias Brunner [Tue, 19 May 2026 09:29:27 +0000 (11:29 +0200)] 
github: Evict old entries from ccache

We don't want to build old versions using these caches, so we don't
need old entries (if header files change, there could be lots of
differences that increase the cache size unnecessarily).

3 weeks ago  github: Use separate caches for custom-built dependencies
Tobias Brunner [Tue, 12 May 2026 08:46:29 +0000 (10:46 +0200)] 
github: Use separate caches for custom-built dependencies

These are shared by many tests, in particular the "all", "coverage",
"no-dbg" and "no-testable-ke" tests, which each would otherwise require
their own large cache.

Similarly, the "codeql" and "sonarcloud" tests rely on the same
dependencies but only the latter uses ccache for the strongSwan build.

Also reduce the maximum size per cache for all workflows to keep them
in check over time (some could even be set lower, we'll have to see
how this develops).

3 weeks ago  github: Remove most builds with leak detective
Tobias Brunner [Mon, 11 May 2026 16:20:04 +0000 (18:20 +0200)] 
github: Remove most builds with leak detective

As mentioned in the previous commit, ASAN does a fine job detecting leaks
during the tests.  We just add a single LD-enabled build of the "default"
test here to test the basic functionality.
And we continue to use leak detective in our testing environment to keep
the memory requirements low.

We don't need a separate cache for the "apidoc" test and while the
"dist" test is similar as well, it builds in a different directory,
which means that config.h causes a cache miss for everything but the
configure checks.

3 weeks ago  github: Always build OpenSSL with SRP support
Tobias Brunner [Mon, 11 May 2026 12:53:10 +0000 (14:53 +0200)] 
github: Always build OpenSSL with SRP support

The special handling caused a significant diff between builds with and
without LD, which made ccache less effective as we only store the cache
once for the build without LD.

However, despite this change, while it previously was the case that the
LD vs. non-LD builds didn't differ much, that's not the case anymore
nowadays.  In particular the --disable-asan option and the BFD-based
backtraces for the native OpenSSL builds (e.g. default or openssl-sys)
cause quite a significant diff.  As cache storage is limited, we keep
the current behavior for now.  But it might be an option to reduce or
even remove the LD builds in the future as ASAN seems to do the job pretty
well and we still use LD in the testing environment.

3 weeks ago  github: Only store a cache for large custom-built crypto libs
Tobias Brunner [Mon, 11 May 2026 09:27:44 +0000 (11:27 +0200)] 
github: Only store a cache for large custom-built crypto libs

The others are either included already in the "all" build (to which we
now switch) or they have a relatively small diff to that (e.g. gcrypt
only differs in that relatively small plugin).  For the "openssl-sys"
build, we can rely on the "default" build but only on ubuntu-latest as
we don't build that on ubuntu-22.04.

3 weeks ago  github: Disable TRAP caching for CodeQL workflow
Tobias Brunner [Fri, 8 May 2026 13:48:06 +0000 (15:48 +0200)] 
github: Disable TRAP caching for CodeQL workflow

This creates a cache entry of ~590 MB whenever master is built.  Not sure
if it actually provides any speed up.

3 weeks ago  github: Fix ref in cache cleanup workflow
Tobias Brunner [Fri, 8 May 2026 13:30:13 +0000 (15:30 +0200)] 
github: Fix ref in cache cleanup workflow

3 weeks ago  github: Add workflow to remove cache entries once a branch is deleted
Tobias Brunner [Fri, 8 May 2026 12:45:25 +0000 (14:45 +0200)] 
github: Add workflow to remove cache entries once a branch is deleted

3 weeks ago  github: Only store (and delete) caches for branches not PRs
Tobias Brunner [Fri, 8 May 2026 12:42:30 +0000 (14:42 +0200)] 
github: Only store (and delete) caches for branches not PRs

3 weeks ago  Use Botan 3.12.0 for tests
Tobias Brunner [Fri, 8 May 2026 09:59:02 +0000 (11:59 +0200)] 
Use Botan 3.12.0 for tests

3 weeks ago  github: Simplify the CodeQL workflow
Tobias Brunner [Thu, 7 May 2026 16:01:34 +0000 (18:01 +0200)] 
github: Simplify the CodeQL workflow

It doesn't look like ccache will be supported anytime soon.  So just
remove all that unnecessary boilerplate.

3 weeks ago  github: Don't restore just any cache for the Linux tests
Tobias Brunner [Thu, 7 May 2026 15:55:18 +0000 (17:55 +0200)] 
github: Don't restore just any cache for the Linux tests

If e.g. an "all" cache is restored for a "default", "apidoc" or a simple
crypto test, the cache will be a lot larger than necessary.

3 weeks ago  github: Let diff report if the active transforms are identical
Tobias Brunner [Thu, 7 May 2026 09:22:55 +0000 (11:22 +0200)] 
github: Let diff report if the active transforms are identical

Since the check is skipped if no reference file is found, this makes it
clear that files were actually compared.

3 weeks ago  github: Remove commit ID from cache keys and manually evict old entries
Tobias Brunner [Fri, 17 Apr 2026 13:18:11 +0000 (15:18 +0200)] 
github: Remove commit ID from cache keys and manually evict old entries

Let's try this again :)  Since cache entries with the same key are not
updated/replaced and there is no option to do so, we manually delete the
previous entry for the current branch.

This reduces the cache storage for active branches, which can cause
caches of the master branch to get evicted, which in turn will slow down
builds of not only master but also new branches as they can't fall back
on those caches.

Permission has to be explicitly granted in order to delete the cache
entries when not using the legacy all-write tokens that are the default
for old repositories.

The continue-on-error option is set for the step that deletes the old
cache entry as it's expected that cache-hit will be true for a new feature
branch when restoring the cache from the master branch.  However, because
there won't be anything to delete for this branch yet, the command will
fail.  The --succeed-on-no-caches option of the command unfortunately
only works with --all.

For the Linux tests, several jobs use the same cache key.  So there is
a chance that two jobs try to store a new entry concurrently, which will
fail (it works if there was a cache hit and they are slightly off as
previous entries are first deleted).  To avoid that, we store the cache
only for one particular config.

Also made sure that the "openssl" test does not remove "openssl-3/4"
caches by adding a suffix to the former.

For alpine, the repository had to be set explicitly as gh wasn't able to
determine it (didn't detect the Git working dir).

4 weeks ago  github: Disable fail-fast strategy instead of using continue-on-error
Tobias Brunner [Wed, 6 May 2026 14:11:00 +0000 (16:11 +0200)] 
github: Disable fail-fast strategy instead of using continue-on-error

While continue-on-error can be configured more specifically (e.g. also
would allow to handle "default" and "printf-builtin" tests that rely
on debug symbols), it also lets the workflow succeed if any of these
jobs fail.  That's not ideal if there is an actual error and not
just an intermittent package sync problem.

4 weeks ago  github: Add build against OpenSSL 4.0.0
Tobias Brunner [Mon, 4 May 2026 13:12:05 +0000 (15:12 +0200)] 
github: Add build against OpenSSL 4.0.0

4 weeks ago  openssl: Prevent OpenSSL from using posix_memalign() if LD is enabled
Tobias Brunner [Mon, 4 May 2026 13:06:49 +0000 (15:06 +0200)] 
openssl: Prevent OpenSSL from using posix_memalign() if LD is enabled

The leak detective doesn't wrap this function and calling the original
causes unknown memory frees and even segmentation faults.  This is now
triggered with OpenSSL 4 as the implementation of ECP256 uses
OPENSSL_aligned_alloc_array().

Setting custom memory functions forces OpenSSL to implement aligned
allocations internally, using the registered allocation function.

4 weeks ago  openssl: Fix 'const' issues that came up with OpenSSL 4
Tobias Brunner [Mon, 4 May 2026 10:11:47 +0000 (12:11 +0200)] 
openssl: Fix 'const' issues that came up with OpenSSL 4

4 weeks ago  openssl: Use functions for ASN.1 struct members hidden in OpenSSL 4
Tobias Brunner [Mon, 4 May 2026 10:04:53 +0000 (12:04 +0200)] 
openssl: Use functions for ASN.1 struct members hidden in OpenSSL 4

According to the docs, most ASN.1 types are just typedefs of ASN1_STRING.

4 weeks ago  openssl: Use openssl_i2chunk when creating ASN.1 chunks
Thomas Egerer [Wed, 5 Nov 2025 10:18:48 +0000 (10:18 +0000)] 
openssl: Use openssl_i2chunk when creating ASN.1 chunks

Using the return value of i2d_* directly as input of chunk_alloc imposes
the risk of creating an invalid chunk when the return value of the i2d_*
function is -1. The openssl_i2chunk macro is meant to avoid this.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

5 weeks ago  kernel-pfkey: Add some sanity checks when processing kernel events
Tobias Brunner [Thu, 23 Apr 2026 13:12:12 +0000 (15:12 +0200)] 
kernel-pfkey: Add some sanity checks when processing kernel events

These are always set in kernel messages, but just make sure so static
analyzers like SonarQube are happy.

5 weeks ago  constant-time: Fix Doxygen group assignment
Tobias Brunner [Thu, 23 Apr 2026 09:46:52 +0000 (11:46 +0200)] 
constant-time: Fix Doxygen group assignment

6 weeks ago  openssl: Fix memory leak if ipAddrBlock is non-canonical
Tobias Brunner [Wed, 22 Apr 2026 07:44:38 +0000 (09:44 +0200)] 
openssl: Fix memory leak if ipAddrBlock is non-canonical

6 weeks ago  nm: Version bump to 1.6.5
Tobias Brunner [Wed, 22 Apr 2026 12:01:52 +0000 (14:01 +0200)] 
nm: Version bump to 1.6.5

6 weeks ago  Version bump to 6.0.6  [6.0.6]
Andreas Steffen [Wed, 22 Apr 2026 05:55:01 +0000 (07:55 +0200)] 
Version bump to 6.0.6

6 weeks ago  NEWS: Add news for 6.0.6 and info about CVEs (CVE-2026-35328..35334)
Tobias Brunner [Thu, 16 Apr 2026 16:34:24 +0000 (18:34 +0200)] 
NEWS: Add news for 6.0.6 and info about CVEs (CVE-2026-35328..35334)

6 weeks ago  gmp: Avoid crash and timing leaks in PKCS#1 v1.5 decryption padding validation
Tobias Brunner [Tue, 24 Mar 2026 17:05:01 +0000 (18:05 +0100)] 
gmp: Avoid crash and timing leaks in PKCS#1 v1.5 decryption padding validation

This fixes a potential crash due to a null-pointer dereference if rsadp()
returns NULL (e.g. with an all-zero ciphertext).

And it also implements the PKCS#1 v1.5 decryption padding check in
constant time.

The timing leak caused by the previous implementation was measured at
~17.5 μs at 3 GHz, which could allow a Bleichenbacher-like attack in
LAN environments.  However, because of how RSA encryption is used in
strongSwan, this is not that much of an issue in practice.  The mechanism
is only used for two use cases.  One is SCEP/EST via PKCS#7 enveloped
data.  Fortunately, this can not be triggered in significant numbers by
an attacker.  The other use case is TLS as used by EAP methods (EAP-TLS,
EAP-PEAP/TTLS) during the authentication.  While the cipher suites that
use RSA encryption are still enabled by default, the TLS messages are
wrapped in EAP and encrypted by IKE, making any kind of attack difficult.

Note that the gmp plugin isn't enabled anymore by default.  And even
before that, most setups had the openssl plugin enabled, which has
priority over the gmp plugin.  So it's unlikely the plugin was used in
practice.

Fixes: d615ffdcf3cd ("implement gmp_rsa_private_key.decrypt()")
Fixes: CVE-2026-35334
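
A constant-time PKCS#1 v1.5 padding check in the spirit of this fix, as an added example that is not the gmp plugin's implementation: the block-type, separator and minimum-padding-length conditions are accumulated into a mask without data-dependent branches, and the message is copied out with masked selects over the whole block. The ct_* helpers, the function names and the constructed (non-RSA) test blocks are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* constant-time helpers on uint32_t: each returns 0 or 1 (or a full mask)
 * without a data-dependent branch */
static uint32_t ct_is_zero(uint32_t x)
{
	return ((x | (0u - x)) >> 31) ^ 1u;
}

static uint32_t ct_eq(uint32_t a, uint32_t b)
{
	return ct_is_zero(a ^ b);
}

static uint32_t ct_lt(uint32_t a, uint32_t b)
{
	return (uint32_t)(((uint64_t)a - (uint64_t)b) >> 63);
}

static uint32_t ct_mask(uint32_t bit)
{
	return 0u - (bit & 1u);
}

/* returns a if bit == 1, b if bit == 0 */
static uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b)
{
	uint32_t m = ct_mask(bit);
	return (a & m) | (b & ~m);
}

/* Check and strip PKCS#1 v1.5 type 2 padding, EM = 0x00 || 0x02 || PS || 0x00
 * || M with |PS| >= 8 (RFC 8017, 7.2.2), in time that depends only on k.
 * `out` must hold k - 11 bytes. Returns 1 and sets *out_len on success,
 * 0 otherwise (then *out_len is 0 and `out` holds unspecified bytes). */
static int pkcs1_v15_unpad_ct(const uint8_t *em, size_t k,
							  uint8_t *out, size_t *out_len)
{
	uint32_t good, found_zero = 0, zero_index = 0;
	size_t i, j;

	if (k < 11)
	{
		return 0;	/* k is the public modulus length, fine to branch on */
	}
	good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);

	/* find the first 0x00 after the header without stopping early */
	for (i = 2; i < k; i++)
	{
		uint32_t is_zero = ct_eq(em[i], 0);

		zero_index = ct_select(is_zero & (found_zero ^ 1u), (uint32_t)i, zero_index);
		found_zero |= is_zero;
	}
	good &= found_zero;
	good &= ct_lt(9, zero_index);	/* separator at index >= 10 means |PS| >= 8 */

	/* copy M: each output position selects the byte at zero_index + 1 + j by
	 * masking over the whole block, so no memory index depends on the secret */
	for (j = 0; j < k - 11; j++)
	{
		uint32_t b = 0;

		for (i = 0; i < k; i++)
		{
			b |= em[i] & ct_mask(ct_eq((uint32_t)i, zero_index + 1 + (uint32_t)j));
		}
		out[j] = (uint8_t)b;
	}
	*out_len = ct_select(good, (uint32_t)k - 1 - zero_index, 0);
	return (int)good;
}

/* constructed encoded blocks (not real RSA output): a 24-byte EM carrying
 * "hello!" behind 15 padding bytes, plus three malformed variants */
static int demo_unpad(int variant)
{
	uint8_t em[24] = { 0x00, 0x02 };
	uint8_t out[24 - 11];
	size_t len = 0;

	memset(em + 2, 0xaa, 15);
	em[17] = 0x00;
	memcpy(em + 18, "hello!", 6);
	switch (variant)
	{
		case 1:  em[1] = 0x01;  break;	/* wrong block type */
		case 2:  em[17] = 0xaa; break;	/* no separator at all */
		case 3:  em[7] = 0x00;  break;	/* separator too early: |PS| = 5 */
		default: break;
	}
	if (!pkcs1_v15_unpad_ct(em, sizeof(em), out, &len))
	{
		return 0;
	}
	return (len == 6 && memcmp(out, "hello!", 6) == 0) ? (int)len : -1;
}

int main(void)
{
	printf("valid: %d bytes; wrong type: %d; no separator: %d; short PS: %d\n",
		   demo_unpad(0), demo_unpad(1), demo_unpad(2), demo_unpad(3));
	return 0;
}
```

The returned length still tells the caller where the separator was, so a protocol layer that must not reveal padding validity (the RSA key exchange in TLS, RFC 5246 section 7.4.7.1) has to substitute a random value of the expected length when the check fails rather than report the error.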

6 weeks ago  utils: Add constant-time comparison primitives for uint32_t
Tobias Brunner [Tue, 24 Mar 2026 17:00:23 +0000 (18:00 +0100)] 
utils: Add constant-time comparison primitives for uint32_t

6 weeks ago  pkcs7: Avoid NULL pointer dereference when verifying padding in enveloped content
Tobias Brunner [Wed, 25 Mar 2026 09:35:03 +0000 (10:35 +0100)] 
pkcs7: Avoid NULL pointer dereference when verifying padding in enveloped content

As the previous issue, this can be triggered via IKEv1 CERT payloads.

Fixes: d7aa09104f08 ("Implement PKCS#7 enveloped-data parsing and decryption")
Fixes: CVE-2026-35329

6 weeks ago  pkcs5: Fail decryption if data is empty
Tobias Brunner [Wed, 25 Mar 2026 09:32:36 +0000 (10:32 +0100)] 
pkcs5: Fail decryption if data is empty

This avoids the previous bug early.

6 weeks ago  pkcs5: Avoid NULL pointer dereference when verifying padding
Tobias Brunner [Wed, 25 Mar 2026 09:28:45 +0000 (10:28 +0100)] 
pkcs5: Avoid NULL pointer dereference when verifying padding

Can be triggered via empty PKCS#7 encrypted content in IKEv1 CERT payload.

Fixes: 4076e3ee9121 ("Extract PKCS#5 handling from pkcs8 plugin to separate helper class")
Fixes: CVE-2026-35329

6 weeks ago  tls-server: Prevent infinite loop if supported versions are too short
Tobias Brunner [Wed, 25 Mar 2026 09:17:46 +0000 (10:17 +0100)] 
tls-server: Prevent infinite loop if supported versions are too short

If the extension doesn't contain a multiple of two bytes, the previous
code would get stuck in an infinite loop as `remaining()` continued to
return TRUE while `read_uint16()` failed to parse a value. Initiating
several connections with such an extension allows a DoS attack as no
threads would eventually be available to handle packets/events.

Fixes: 7fbe2e27ecf6 ("tls-server: TLS 1.3 support for TLS server implementation")
Fixes: CVE-2026-35328
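
The loop-termination bug described in this message, modelled as an added example that is not libtls' code: a small reader with the remaining()/read_uint16() behaviour the message describes, and a supported_versions parser that either rejects the hello when a uint16 cannot be read or, with the pre-fix behaviour, keeps looping until a guard counter stops it. The reader type, version constants and the constructed extension bytes are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TLS_1_2 0x0303
#define TLS_1_3 0x0304

/* minimal big-endian reader with the two operations the message names */
typedef struct {
	const uint8_t *buf;
	size_t len;
	size_t pos;
} reader_t;

static int remaining(const reader_t *r)
{
	return r->pos < r->len;
}

/* fails without consuming anything if fewer than two bytes are left, which
 * is exactly what keeps remaining() TRUE on an odd trailing byte */
static int read_uint16(reader_t *r, uint16_t *val)
{
	if (r->len - r->pos < 2)
	{
		return 0;
	}
	*val = (uint16_t)((r->buf[r->pos] << 8) | r->buf[r->pos + 1]);
	r->pos += 2;
	return 1;
}

/* Select the highest version we support from a ClientHello supported_versions
 * extension body (RFC 8446, 4.2.1: one length byte, then uint16 versions).
 * Returns the selected version, 0 if the extension is malformed or offers
 * nothing usable, -1 if the iteration guard fired (pre-fix behaviour). */
static int select_version(const uint8_t *ext, size_t ext_len, int break_on_failure)
{
	reader_t r = { ext, ext_len, 1 };
	uint16_t ver, best = 0;
	int guard = 0;

	if (ext_len < 1 || ext[0] != ext_len - 1)
	{
		return 0;	/* list length must match the extension body */
	}
	while (remaining(&r))
	{
		if (++guard > 1000)
		{
			return -1;	/* demonstration only: the real loop would never end */
		}
		if (!read_uint16(&r, &ver))
		{
			if (break_on_failure)
			{
				return 0;	/* the fix: an odd byte is a parse error */
			}
			continue;		/* pre-fix: nothing consumed, remaining() still TRUE */
		}
		if ((ver == TLS_1_2 || ver == TLS_1_3) && ver > best)
		{
			best = ver;
		}
	}
	return best;
}

/* constructed extension bodies: a well-formed list offering 1.3 and 1.2,
 * and a list whose length byte claims three bytes of versions */
static int demo_well_formed(void)
{
	static const uint8_t ext[] = { 4, 0x03, 0x04, 0x03, 0x03 };
	return select_version(ext, sizeof(ext), 1);
}

static int demo_odd_length(int break_on_failure)
{
	static const uint8_t ext[] = { 3, 0x03, 0x04, 0x03 };
	return select_version(ext, sizeof(ext), break_on_failure);
}

int main(void)
{
	printf("well-formed: 0x%04x\n", demo_well_formed());
	printf("odd length, pre-fix: %d, fixed: %d\n",
		   demo_odd_length(0), demo_odd_length(1));
	return 0;
}
```

Without the guard the pre-fix path pins the worker thread that processes the hello for good, which is how a handful of such connections exhausts the thread pool.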

6 weeks ago  constraints: Reject excluded directoryName (DN) name constraints
Tobias Brunner [Mon, 23 Mar 2026 17:02:19 +0000 (18:02 +0100)] 
constraints: Reject excluded directoryName (DN) name constraints

There is an issue similar to the one fixed with the previous commit when
using directoryName (DN) name constraints.  Some RDNs have to be matched
in a case-insensitive manner, which we e.g. do in
`identification.c::rdn_equals`.  By not doing it for name constraints,
a malicious intermediate CA could evade an excluded name constraint
just by modifying the case in such an RDN.

While we could use the mentioned function in `dn_matches`, this doesn't
properly fix the problem because the function is basically too strict.
Especially in regards to RDNs of type UTF8String, which are only compared
binary.  To match these properly, we'd have to implement the string
preparation described in RFC 5280, section 7.1 and the referenced RFCs.
Until that's the case, we reject excluded name constraints of type
directoryName as we are unable to enforce them.

Fixes: a2b340764fac ("Implemented NameConstraint matching in constraints plugin")
Fixes: CVE-2026-35331

6 weeks ago  constraints: Match FQDN and email addresses case-insensitively
Tobias Brunner [Mon, 23 Mar 2026 16:45:11 +0000 (17:45 +0100)] 
constraints: Match FQDN and email addresses case-insensitively

The case is generally ignored when matching such identities.  So this is
an issue with excluded name constraints where a malicious intermediate
CA could evade the constraints by issuing certificates with names that
just modify the case (e.g. strongSwan.org instead of strongswan.org).

Note that it's likely that permitted name constraints are preferred over
excluded name constraints as it might be difficult to come up with a
conclusive list of names to exclude.

Fixes: a2b340764fac ("Implemented NameConstraint matching in constraints plugin")
Fixes: CVE-2026-35331
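
How case-insensitive matching of dNSName and rfc822Name constraints works, as an added example that is not the constraints plugin's code: the `case_sensitive` flag models the pre-fix comparison, and the constructed names reuse the strongSwan.org/strongswan.org pair from the message. The function names, the label-boundary rule and keeping the e-mail local part case-sensitive are this example's choices.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* ASCII case-insensitive string equality, as used for host names */
static int ci_equal(const char *a, const char *b)
{
	for (; *a && *b; a++, b++)
	{
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
		{
			return 0;
		}
	}
	return *a == *b;
}

static int str_equal(const char *a, const char *b, int case_sensitive)
{
	return case_sensitive ? strcmp(a, b) == 0 : ci_equal(a, b);
}

/* dNSName constraint (RFC 5280, 4.2.1.10): the name equals the constraint
 * or is a subdomain of it, on a label boundary */
static int fqdn_matches(const char *name, const char *constraint, int case_sensitive)
{
	size_t n = strlen(name), c = strlen(constraint);

	if (c == 0 || n < c)
	{
		return 0;
	}
	if (n > c && name[n - c - 1] != '.')
	{
		return 0;	/* "notstrongswan.org" must not match "strongswan.org" */
	}
	return str_equal(name + (n - c), constraint, case_sensitive);
}

/* rfc822Name constraint (RFC 5280, 4.2.1.10): "user@host" names one mailbox,
 * ".example.com" any mailbox on a host below that domain, "host" any mailbox
 * on exactly that host; only the host part is case-folded here */
static int email_matches(const char *addr, const char *constraint, int case_sensitive)
{
	const char *at = strchr(addr, '@');
	const char *cat = strchr(constraint, '@');
	const char *host;
	size_t hlen, clen;

	if (!at)
	{
		return 0;
	}
	host = at + 1;
	if (cat)
	{
		size_t local = (size_t)(at - addr);

		if ((size_t)(cat - constraint) != local ||
			strncmp(addr, constraint, local) != 0)
		{
			return 0;
		}
		return str_equal(host, cat + 1, case_sensitive);
	}
	if (constraint[0] == '.')
	{
		hlen = strlen(host);
		clen = strlen(constraint);
		if (hlen <= clen)
		{
			return 0;
		}
		return str_equal(host + (hlen - clen), constraint, case_sensitive);
	}
	return str_equal(host, constraint, case_sensitive);
}

int main(void)
{
	/* the pair from the commit message: the pre-fix comparison lets the
	 * differently cased name slip past an excluded constraint */
	printf("strongSwan.org excluded by strongswan.org: pre-fix %d, fixed %d\n",
		   fqdn_matches("strongSwan.org", "strongswan.org", 1),
		   fqdn_matches("strongSwan.org", "strongswan.org", 0));
	printf("alice@Mail.strongSwan.org vs .strongswan.org: pre-fix %d, fixed %d\n",
		   email_matches("alice@Mail.strongSwan.org", ".strongswan.org", 1),
		   email_matches("alice@Mail.strongSwan.org", ".strongswan.org", 0));
	return 0;
}
```

A match against an excluded subtree must return 1 for every spelling the relying party would later accept as the same identity; otherwise the intermediate CA picks the spelling the check misses.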

6 weeks ago  tls-server: Only accept non-empty ECDH public keys with TLS < 1.3
Tobias Brunner [Fri, 20 Mar 2026 16:38:07 +0000 (17:38 +0100)] 
tls-server: Only accept non-empty ECDH public keys with TLS < 1.3

This prevents a crash due to a null-pointer dereference when processing
an empty ECDH public key.

The previous length check only applied in the `!ec` case, so in the `ec`
case, the access to `pub.ptr[0]` was unguarded.  If a crafted TLS
record ends with an empty ClientKeyExchange, then `read_data8` sets
`pub` to `chunk_empty`, causing a null-pointer dereference.

Note that if some data follows the empty ClientKeyExchange, this just
causes a 1-byte out-of-bounds read that has no further effect as the
TLS session is aborted immediately.  Either because the read value
doesn't equal TLS_ANSI_UNCOMPRESSED or because the empty public key
is rejected by `set_public_key()`.

The referenced commit that introduced the pointer access added the
check for `pub.len` specifically to the `!ec` case, while the pointer
access was initially unconditional (probably because the code was just
copied from `tls_peer.c` which processes ECDH public keys in a separate
function, so there was no `ec` flag).  The latter was fixed a couple of
days later with 7b3c01845f63 ("Read the compression type byte for EC
groups, only").  However, that commit didn't change the length check.
Anyway, it's possible that the original intention was to add the check
to the `ec` case on the previous line, or that there was some confusion
with the parenthesis and something like the current code was intended to
begin with.

Fixes: e6cce7ff0d1b ("Prepend point format to ECDH public key")
Fixes: CVE-2026-35332

6 weeks ago  libradius: Reject undersized attributes in enumerator
Lukas Johannes Möller [Thu, 12 Mar 2026 10:24:45 +0000 (10:24 +0000)] 
libradius: Reject undersized attributes in enumerator

attribute_enumerate() accepts RADIUS attributes whose length byte is
smaller than sizeof(rattr_t) (2).  For length == 0, the iterator never
advances and traps callers — including verify() — in a non-advancing
loop.  For length == 1, misaligned packed-struct reads occur.

Add a separate check for this->next->length < sizeof(rattr_t) after
the existing truncation guard.  This mirrors radius_message_parse(),
which already distinguishes invalid length from truncation.

Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk")
Fixes: CVE-2026-35333

6 weeks ago  libsimaka: Reject zero-length EAP-SIM/AKA attributes
Lukas Johannes Möller [Wed, 11 Mar 2026 16:07:10 +0000 (16:07 +0000)] 
libsimaka: Reject zero-length EAP-SIM/AKA attributes

parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
AT_RAND, AT_PADDING and default branches.  The code then subtracts the
fixed attribute header size from the encoded length, which underflows
and exposes a wrapped payload length to later code.  In particular,
for the cases where add_attribute() is called, this causes a heap-based
buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
length is written).  For AT_PADDING, the underflow is irrelevant as
add_attribute() is not called. Instead, this results in an infinite loop.

Reject zero-length attributes before subtracting the attribute header.

Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
Fixes: CVE-2026-35330
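
The two length-byte bugs above (libradius, where Length may be 0 or 1, and libsimaka, where Length 0 underflows the header subtraction) are the same class: an encoded length that does not even cover its own header. As an added example that is neither library's code, a generic walker with `check_undersized` off reproduces the non-advancing loop (cut short here by an iteration guard) and a helper shows the wrapped payload length; with the check on, both inputs are rejected before anything is subtracted. Header sizes, unit sizes and the constructed attribute lists are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Walk a list of type/length/value attributes whose length byte includes the
 * header. RADIUS (RFC 2865): length in octets, header = 2. EAP-SIM/AKA
 * (RFC 4186): length in 4-octet units, header = type + length = 2 octets.
 * Returns the attribute count, -1 for malformed input and -2 if the loop
 * stopped advancing (pre-fix behaviour, cut short by max_iter). */
static int walk_tlv(const uint8_t *buf, size_t len, size_t unit, size_t hdr,
					int check_undersized, int max_iter)
{
	size_t pos = 0, total;
	int count = 0, iter = 0;

	while (pos < len)
	{
		if (iter++ >= max_iter)
		{
			return -2;
		}
		if (len - pos < hdr)
		{
			return -1;	/* truncated header */
		}
		total = (size_t)buf[pos + 1] * unit;
		/* the check both fixes add: an encoded length below the header size
		 * either leaves pos where it is (total == 0) or, once the header is
		 * subtracted, wraps to a huge payload length */
		if (check_undersized && total < hdr)
		{
			return -1;
		}
		if (total > len - pos)
		{
			return -1;	/* pre-existing truncation guard */
		}
		count++;
		pos += total;
	}
	return count;
}

/* The pre-fix payload computation: encoded length minus the header, in
 * size_t, so Length 0 yields SIZE_MAX - hdr + 1 instead of an error. */
static size_t payload_len_unchecked(uint8_t length, size_t unit, size_t hdr)
{
	return (size_t)length * unit - hdr;
}

/* constructed RADIUS attributes: User-Name(1) "bob", NAS-Port(5) = 7, then
 * a Vendor-Specific(26) attribute with Length 0 when `with_bad` is set */
static int radius_demo(int with_bad, int check_undersized)
{
	static const uint8_t buf[] = { 1, 5, 'b', 'o', 'b', 5, 6, 0, 0, 0, 7, 26, 0, 0, 0 };
	size_t len = with_bad ? sizeof(buf) : 11;

	return walk_tlv(buf, len, 1, 2, check_undersized, 100);
}

/* constructed EAP-SIM attributes: AT_VERSION_LIST(15) with Length 2 (eight
 * octets), then AT_PADDING(6) with Length 0 when `with_bad` is set */
static int simaka_demo(int with_bad, int check_undersized)
{
	static const uint8_t buf[] = { 15, 2, 0, 2, 0, 1, 0, 0, 6, 0, 0, 0 };
	size_t len = with_bad ? sizeof(buf) : 8;

	return walk_tlv(buf, len, 4, 2, check_undersized, 100);
}

int main(void)
{
	printf("radius: valid %d, pre-fix with Length 0: %d, fixed: %d\n",
		   radius_demo(0, 1), radius_demo(1, 0), radius_demo(1, 1));
	printf("eap-sim: valid %d, pre-fix with Length 0: %d, fixed: %d\n",
		   simaka_demo(0, 1), simaka_demo(1, 0), simaka_demo(1, 1));
	printf("wrapped payload length for Length 0: %zu\n",
		   payload_len_unchecked(0, 4, 2));
	return 0;
}
```

The truncation guard alone is not enough: a Length of 0 passes it trivially, which is why a separate lower bound on the encoded length is needed before the header is subtracted or the position advanced.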

6 weeks ago  github: Move CI for Windows from AppVeyor to GitHub Actions
Tobias Brunner [Tue, 21 Apr 2026 07:56:18 +0000 (09:56 +0200)] 
github: Move CI for Windows from AppVeyor to GitHub Actions

These are quite a bit faster than on AppVeyor (with ccache about a fifth,
without less than half - and they run concurrently).

We only keep the AppVeyor builds for now to test against those old
OpenSSL versions (1.1.1 and 1.0.2) for which there is still extended
support available.  Even simplified like that they still take longer
than the builds on GA.

6 weeks ago  Revert "github: Remove commit ID from cache keys"
Tobias Brunner [Tue, 21 Apr 2026 09:03:09 +0000 (11:03 +0200)] 
Revert "github: Remove commit ID from cache keys"

Without commit ID, no new caches are created as the key is always the
same.

This reverts commit 60f4c867809a6280c71e5b62f69cbed75839fa93.

6 weeks ago  github: Remove commit ID from cache keys
Tobias Brunner [Fri, 17 Apr 2026 13:18:11 +0000 (15:18 +0200)] 
github: Remove commit ID from cache keys

This reduces the cache storage for active branches and since caches for
different branches are separate and we abort previous builds of the same
branch, this is not necessary to ensure caches can successfully be stored.

6 weeks ago  cirrus/github: Move CI for Alpine from Cirrus CI to GitHub Actions
Tobias Brunner [Fri, 17 Apr 2026 08:51:28 +0000 (10:51 +0200)] 
cirrus/github: Move CI for Alpine from Cirrus CI to GitHub Actions

Same as the previous commit.

6 weeks ago  cirrus/github: Move CI for FreeBSD from Cirrus CI to GitHub Actions
Tobias Brunner [Fri, 17 Apr 2026 08:27:48 +0000 (10:27 +0200)] 
cirrus/github: Move CI for FreeBSD from Cirrus CI to GitHub Actions

Cirrus CI will shut down in June, so we have to find a replacement to
test our build on FreeBSD.  This uses VMs on GitHub Actions.

6 weeks ago  kernel-netlink: Update family in SA selector if addresses change
Tobias Brunner [Wed, 18 Mar 2026 12:00:18 +0000 (13:00 +0100)] 
kernel-netlink: Update family in SA selector if addresses change

6 weeks ago  ike: Use correct format string for unique Child SA identifiers
Tobias Brunner [Thu, 16 Apr 2026 13:25:07 +0000 (15:25 +0200)] 
ike: Use correct format string for unique Child SA identifiers

Analogous to the previous commit.

6 weeks ago  ike: Use correct format string for unique IKE SA identifiers
Tobias Brunner [Thu, 16 Apr 2026 13:13:52 +0000 (15:13 +0200)] 
ike: Use correct format string for unique IKE SA identifiers

Would take a while until it became an issue, though.

6 weeks ago  delete-ike-sa-job: Log unique ID when deleting half-open IKE SA
Tobias Brunner [Thu, 16 Apr 2026 12:59:28 +0000 (14:59 +0200)] 
delete-ike-sa-job: Log unique ID when deleting half-open IKE SA

6 weeks ago  ike-init: Log the IKE SA's unique identifier when creating one as responder
Tobias Brunner [Thu, 16 Apr 2026 12:55:56 +0000 (14:55 +0200)] 
ike-init: Log the IKE SA's unique identifier when creating one as responder

The name will not be defined yet, but we have a similar message as
initiator so use the same format.

7 weeks ago  testing: Fix typo regarding ML-KEM in description
Tobias Brunner [Wed, 15 Apr 2026 13:00:35 +0000 (15:00 +0200)] 
testing: Fix typo regarding ML-KEM in description

7 weeks ago  github: Use AWS-LC 1.72.0 for tests
Tobias Brunner [Tue, 14 Apr 2026 06:33:56 +0000 (08:33 +0200)] 
github: Use AWS-LC 1.72.0 for tests

7 weeks ago  botan: Fix typo in algorithm string for SHA3-224 RSA verification
Markus Theil [Fri, 10 Apr 2026 19:26:27 +0000 (21:26 +0200)] 
botan: Fix typo in algorithm string for SHA3-224 RSA verification

Signed-off-by: Markus Theil <markus.theil@secunet.com>
7 weeks ago  tun-device: Also close IPv6 socket on destruction
Markus Theil [Fri, 10 Apr 2026 19:25:19 +0000 (21:25 +0200)] 
tun-device: Also close IPv6 socket on destruction

Signed-off-by: Markus Theil <markus.theil@secunet.com>
7 weeks ago  encrypted-payload: Check for non-zero payload size
Markus Theil [Thu, 9 Apr 2026 10:17:33 +0000 (12:17 +0200)] 
encrypted-payload: Check for non-zero payload size

Signed-off-by: Markus Theil <markus.theil@secunet.com>
7 weeks ago  botan: Make RNG types configurable
Markus Theil [Thu, 9 Apr 2026 17:35:50 +0000 (19:35 +0200)] 
botan: Make RNG types configurable

This allows for usage of ESDM or jitterentropy as Botan RNG without
patching strongSwan.

Signed-off-by: Markus Theil <markus.theil@secunet.com>
7 weeks ago  appveyor: Reduce build time and remove build against OpenSSL 1.1.0
Tobias Brunner [Fri, 10 Apr 2026 09:21:00 +0000 (11:21 +0200)] 
appveyor: Reduce build time and remove build against OpenSSL 1.1.0

We are still too close to the limit of 1 hour (at least with the 2019
image and the 2022 image is about the same), so reduce the build time by
not building libimcv natively, which saves about 10 minutes.

Also, only build against OpenSSL 1.0.2 (on the 2017 image) and 1.1.1 (on
the 2019 image) as these are the only versions for which OpenSSL provides
extended support.

7 weeks ago  github: Continue crypto tests even if OpenSSL tests fail
Tobias Brunner [Thu, 9 Apr 2026 07:25:23 +0000 (09:25 +0200)] 
github: Continue crypto tests even if OpenSSL tests fail

These can sometimes fail because of sync issues with Ubuntu debug symbol
packages, let other crypto tests continue.

7 weeks ago  Use wolfSSL 5.9.1 for tests
Tobias Brunner [Thu, 9 Apr 2026 06:53:26 +0000 (08:53 +0200)] 
Use wolfSSL 5.9.1 for tests

7 weeks ago  unit-tests: Use longer input for ECDSA tests
Tobias Brunner [Thu, 9 Apr 2026 07:45:27 +0000 (09:45 +0200)] 
unit-tests: Use longer input for ECDSA tests

wolfSSL 5.9.1 starts to enforce a minimum (and maximum) length for the
hash when signing.  Since we'll always require SHA-1, use 20 bytes as
input in the tests to succeed with SIGN_ECDSA_WITH_NULL.

8 weeks ago  fuzz: Remove unnecessary calls to set plugin dirs
Tobias Brunner [Wed, 11 Feb 2026 10:31:24 +0000 (11:31 +0100)] 
fuzz: Remove unnecessary calls to set plugin dirs

All the plugins are linked statically into the binaries, so there
is no reason to set the directories that are only required when loading
them from files.

8 weeks ago  fuzz: Create fuzzers with default and custom crypto plugins
Tobias Brunner [Wed, 11 Feb 2026 10:14:53 +0000 (11:14 +0100)] 
fuzz: Create fuzzers with default and custom crypto plugins

The pa_tnc fuzzer does not rely on any plugins and the pb_tnc fuzzer is
a bit special in that it does use code from the tnccs-20 plugin, but that
doesn't actually have to be loaded as such. The fuzzer directly calls
statically linked code from the plugin.

8 weeks ago  github: Update actions so they don't use deprecated Node.js 20
Tobias Brunner [Tue, 7 Apr 2026 16:57:40 +0000 (18:57 +0200)] 
github: Update actions so they don't use deprecated Node.js 20

2 months ago  tls-server: Avoid allocating large buffer for cipher suites on stack
Tobias Brunner [Wed, 1 Apr 2026 16:27:07 +0000 (18:27 +0200)] 
tls-server: Avoid allocating large buffer for cipher suites on stack

The `cipher_suites` field has a 16-bit length field, so up to 32k 2-byte
cipher suites could technically be proposed.  With `tls_cipher_suite_t`
typically being 4 bytes wide, the necessary allocation for the temporary
array can be up to 128 KiB.  Even though this should be fine on typical
systems, we avoid potentially overflowing the stack by using malloc()
instead of alloca().
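
The sizing argument in the commit message, as an added C example that is not strongSwan's libtls code: a parser for the ClientHello `cipher_suites` vector that bounds the 16-bit length against the remaining input, rejects an odd or empty length, and places the decoded array on the heap so that a peer sending the full 32767 suites the length field permits cannot push a large array onto the stack. The sample byte strings are constructed; the two suite IDs in the first one are the IANA values for TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A 16-bit length field allows at most 65535 bytes, i.e. 32767 two-byte
 * cipher suite IDs. A peer may send a vector anywhere up to this size. */
#define MAX_CIPHER_SUITES (0xFFFFu / 2)

/* Parses a ClientHello cipher_suites vector (2-byte length, then 2-byte suite
 * IDs) at *buf. On success *suites points to a heap array of *count IDs in
 * host order and *buf/*len are advanced past the vector; the caller frees
 * *suites. Returns false for a truncated, empty or odd-length vector. */
bool parse_cipher_suites(const uint8_t **buf, size_t *len,
                         uint16_t **suites, size_t *count)
{
    if (*len < 2) {
        return false;
    }
    size_t bytes = ((size_t)(*buf)[0] << 8) | (*buf)[1];
    if (bytes == 0 || (bytes & 1) || bytes > *len - 2) {
        return false;
    }
    size_t n = bytes / 2;

    /* Heap rather than alloca(): n is peer-controlled up to 32767, and a
     * wider internal suite type multiplies the footprint (4 bytes each is
     * already 128 KiB), more than a stack frame should absorb blindly. */
    uint16_t *out = malloc(n * sizeof(uint16_t));
    if (!out) {
        return false;
    }
    const uint8_t *p = *buf + 2;
    for (size_t i = 0; i < n; i++) {
        out[i] = (uint16_t)(((uint16_t)p[2 * i] << 8) | p[2 * i + 1]);
    }
    *suites = out;
    *count = n;
    *buf += 2 + bytes;
    *len -= 2 + bytes;
    return true;
}

/* Builds the largest vector the length field permits (32767 suites) and
 * returns how many parse from it; 0 if parsing or allocation fails. */
size_t parse_max_vector(void)
{
    size_t bytes = MAX_CIPHER_SUITES * 2;
    uint8_t *msg = malloc(2 + bytes);
    if (!msg) {
        return 0;
    }
    msg[0] = (uint8_t)(bytes >> 8);
    msg[1] = (uint8_t)(bytes & 0xFF);
    memset(msg + 2, 0x13, bytes);          /* arbitrary suite bytes */

    const uint8_t *p = msg;
    size_t len = 2 + bytes, n = 0;
    uint16_t *suites = NULL;
    bool ok = parse_cipher_suites(&p, &len, &suites, &n);
    free(suites);
    free(msg);
    return ok ? n : 0;
}

/* Constructed ClientHello fragment: two suites (TLS_AES_128_GCM_SHA256,
 * TLS_AES_256_GCM_SHA384) followed by a 1-byte compression_methods vector. */
const uint8_t sample_hello[] = { 0x00, 0x04, 0x13, 0x01, 0x13, 0x02, 0x01, 0x00 };
/* Odd length: three bytes cannot hold whole 2-byte suite IDs. */
const uint8_t sample_odd[] = { 0x00, 0x03, 0x13, 0x01, 0x13 };
/* Claims 8 bytes of suites but only 2 follow. */
const uint8_t sample_short[] = { 0x00, 0x08, 0x13, 0x01 };
```

The length check compares against `*len - 2` rather than computing `2 + bytes` first, so a maximal length byte pair cannot wrap the comparison; the malloc() result is checked because, unlike alloca(), a heap allocation of that size can fail and the caller needs to see it.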

2 months ago  libipsec: Reject policies for anything but ESP tunnel mode
Tobias Brunner [Fri, 27 Mar 2026 11:35:10 +0000 (12:35 +0100)] 
libipsec: Reject policies for anything but ESP tunnel mode

This is only relevant for trap policies as similar SAs are already
rejected when negotiated.

2 months ago  trap-manager: Ignore acquires without selectors for wildcard traps
Tobias Brunner [Fri, 27 Mar 2026 11:28:22 +0000 (12:28 +0100)] 
trap-manager: Ignore acquires without selectors for wildcard traps

We need to know the actual destination address to process these.

2 months ago  ike-init: Remove redundant check for more key exchanges during rekeying
Tobias Brunner [Fri, 27 Mar 2026 11:07:19 +0000 (12:07 +0100)] 
ike-init: Remove redundant check for more key exchanges during rekeying

We only call derive_keys() after a successful key_exchange_done() call
during rekeying, so this will always return FALSE.