Tobias Brunner [Wed, 25 Mar 2026 17:49:45 +0000 (18:49 +0100)]
certreq: Avoid OOB read when enumerating hashes in OCSP CERTREQ
These certificate requests also contain SHA-1 hashes, which is assumed
in `ike_cert_pre.c::process_certreq()` when enumerating key IDs.
Because the parser allocates a separate chunk for the data and the
enumerator doesn't read beyond that chunk's length after the first
iteration, only lengths between 1 and 19 are problematic (0 doesn't
cause an enumeration because chunk_empty is assigned).
Whether the OOB read then can cause a segmentation fault depends on the
allocator, its alignment rules, and its minimum overhead. For instance,
with glibc on a typical 64-bit system (8 bytes for pointers and size_t),
the alignment is 16 bytes and the minimum allocated size is 32 bytes,
with typically 24 that are technically available for data, even if only
0 bytes are allocated (as returned by `malloc_usable_size()`). So with
an allocation between 1 and 19, we can always safely read 20 bytes.
Assuming that other allocators behave similar for small allocations, it
seems unlikely that this causes a crash.
Fixes: 15612b3a4243 ("Add support for IKEv2 OCSP extensions (RFC 4806)")
Tobias Brunner [Mon, 23 Mar 2026 17:58:18 +0000 (18:58 +0100)]
message: Drop fragments with total fragment count lower than before
The RFC only allows that the number of fragments increases (if the
sender reduces the MTU).
Not enforcing this before could cause early reassembly as the trigger was
that the number of received fragments matches the total count of the
current packet (which was a bit weird anyway). Only an active MITM could
trigger this as individual fragments are encrypted and authenticated.
Tobias Brunner [Fri, 20 Mar 2026 16:20:55 +0000 (17:20 +0100)]
credential-factory: Enforce an upper limit when creating nested credentials
This mainly intended as defense-in-depth measure to avoid parsing
massively nested structures that could cause a call stack overflow due
to the massive recursion. In particular PKCS#7 signed data is prone to
this as these can be nested basically infinitely. When used in IKEv1 via
ENC_PKCS7_WRAPPED_X509 CERT payloads, our default of 10000 bytes for IKE
messages guards against this, but that's configurable and there might be
a chance for some bug that triggers problematic recursive parsing for
smaller input.
The upper limit is chosen arbitrarily, but there are currently no known
cases that require a depth of more than 10 levels.
Tobias Brunner [Fri, 20 Mar 2026 15:05:27 +0000 (16:05 +0100)]
tls-peer: Ensure TLS 1.3 CertificateRequest structure is valid
If nothing was read from the message, the previous code could result in
a crash depending on where `ext.ptr` pointed to, as determined by the
current stack contents. Since TLS 1.3 is still disabled by default and
this is usually used for TLS-based EAP methods after validating the
IKEv2 server's certificate, the real world impact seems relatively low.
Fixes: 9ef46cfaf917 ("tls-peer: Mutual authentication support for TLS 1.3")
Tobias Brunner [Fri, 20 Mar 2026 14:48:41 +0000 (15:48 +0100)]
libsimaka: Prevent out-of-bounds read when parsing attributes with actual length field
These attributes contain a 16-bit length field for the actual length of
the data in bits or bytes, as compared to the length in 4-byte blocks in
the attribute header. The previous code didn't correctly account for the
length of the fixed header (4 bytes) when it compared the parsed length
to the length in the header. This could cause an out-of-bounds read of
up to four bytes beyond the end of the attribute/message.
Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
Tobias Brunner [Thu, 5 Mar 2026 11:43:12 +0000 (12:43 +0100)]
eap-ttls: Prevent crash if AVP length header field is invalid
The length field in the AVP header includes the 8 bytes of the header
itself. Not checking for that and later subtracting it causes an
integer underflow that usually triggers a crash when accessing a
NULL pointer that resulted from the failing chunk_alloc() call because
of the high value.
The attempted allocations for invalid lengths (0-7) are 0xfffffff8,
0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result
in a buffer overflow even if the allocation succeeds.
Fixes: 79f2102cb442 ("implemented server side support for EAP-TTLS") Fixes: CVE-2026-25075
Tobias Brunner [Tue, 17 Mar 2026 07:27:37 +0000 (08:27 +0100)]
conf: Install charon-specific snippets also when charon itself is not built
To make the default strongswan.conf, with `load_modular` enabled, work
if charon itself is not built, we enable generating the charon-specific
snippets also for the two other daemons that fall back on reading
options from the `charon` section.
Arthur Chan [Wed, 11 Mar 2026 22:57:49 +0000 (22:57 +0000)]
fuzz: Add dependency to fuzz RADIUS message parsing
Due to the static build, libcharon will depend on libradius as soon as
eap-radius is enabled even if not actually used. So in order to avoid
breaking the build of fuzz_ike when enabling this in CIFuzz, enable
it now before adding the actual fuzzer.
Closes strongswan/strongswan#3028
Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
Tobias Brunner [Fri, 13 Mar 2026 08:35:28 +0000 (09:35 +0100)]
vici: Prevent uninitialized memory access when finding VICI_END in message
VICI_END (7) shouldn't be encoded in a message. However, if we encounter
it, we should at least set `out` accordingly so callers can abort the
enumeration. By not doing so previously and returning TRUE, callers
might access the possibly uninitialized name/value arguments passed to
the enumerator.
Tobias Brunner [Wed, 11 Mar 2026 17:16:53 +0000 (18:16 +0100)]
gmp: Reject public keys with public exponent e < 3
This ensures that we don't load a key with e=1, which basically renders
RSA into a no-op. Since keys are universally generated with e=65537 and
no reputable CA will sign keys with e=1, allowing this before didn't have
any real world impact.
Dustin Kirkland [Thu, 26 Feb 2026 17:25:27 +0000 (11:25 -0600)]
string: Fix -Werror=discarded-qualifiers with GCC 15
GCC 15 tightened its built-in declarations for strchr() and strstr() so
that they now propagate const from their first argument, triggering
-Werror=discarded-qualifiers on three assignments in string.c:
translate():
char *match = strchr(from, *pos)
`from` is const char *, so the result of strchr() is const char *.
`match` is only used for pointer arithmetic (match - from), so
declaring it const char * is correct and safe.
strreplace():
found = strstr(str, search) [line ~73]
found = strstr(pos, search) [line ~89, while condition]
`str`/`pos` are derived from a const char * parameter, so strstr()
returns const char *. `found` is used as a mutable char * later
(pos = found + slen), consistent with the existing (char*) casts
already used throughout this function for the same reason.
Add explicit (char*) casts to match the established pattern.
seantywork [Sun, 15 Feb 2026 09:40:49 +0000 (09:40 +0000)]
whitelist: Fix deadlock when handling client disconnection
Calling stream_t::destroy from the stream_t::on_read callback will
block the thread in watcher_t::remove because the FD is currently "in
callback". A similar issue was fixed in the lookip plugin with 961409b66858 ("lookip: Disconnect asynchronously to avoid dead-locking
watcher unregistration").
Fixes: 85ebf6abd441 ("whitelist: Add error handling to socket reads and fix a memory leak")
Tobias Brunner [Fri, 29 Nov 2024 13:57:31 +0000 (14:57 +0100)]
kernel-netlink: Don't fallback to peer address as gateway/nexthop
This doesn't really seem useful (perhaps it was before we started to
configure the outbound interface on our routes). And it can actually
cause the route installation to fail e.g. for routes over point-to-point
interfaces where we'd get "Error: Nexthop has invalid gateway" errors.
Note that we can't return NULL if we find an interface as e.g. the updown
plugin uses this method to determine the outbound interface (it ignores
the nexthop), which it passes to the script. If we returned NULL, it
would pass "unknown" instead, which would cause the firewall rules to
mismatch. While it seems that 0.0.0.0/:: is ignored as nexthop by the
kernel on the installed route, I still explicitly ignore such addresses
to avoid any unintended side-effects.
The automatic route installation in the ikev2/shunt-manual-prio scenario
had to be disabled on the clients. The reason is that the route in table
220 won't have a nexthop set (the peers are directly connected), so when
trying to reach alice or venus via SSH, which matches the port-specific
bypass policies for which we don't install throw routes, the hosts will
do ARP requests for the target IPs instead of routing the packets via
moon.
Tobias Brunner [Fri, 20 Feb 2026 11:34:04 +0000 (12:34 +0100)]
github: Replace action for TKM tests with direct "docker run" call
The action causes errors because it is not compatible to the Docker
version used in the runner images. Unfortunately, it doesn't seem
maintained anymore. The action is simple enough, though, so instead of
switching to a fork, we just use "docker run" directly.
Tobias Brunner [Thu, 12 Feb 2026 15:21:46 +0000 (16:21 +0100)]
Merge branch 'icmp-forwarding'
Adds support for ICMP error forwarding that the kernel supports properly
since v6.9 (it still sends locally generated errors from the wrong source
IP, though).
Tobias Brunner [Mon, 7 Feb 2022 13:28:19 +0000 (14:28 +0100)]
ipsec-types: Add a proper hash function for ipsec_sa_cfg_t
While 3c1290510366 ("ipsec: Add function to compare two ipsec_sa_cfg_t
instances") added a comparison function to avoid issues with non-zeroed
padding, hashes were still calculated using chunk_hash().
Martin Willi [Thu, 12 Feb 2026 07:53:01 +0000 (08:53 +0100)]
bus: Prevent redundant down event on rekeyed CHILD_SA delete timeout
If a CHILD_SA is rekeyed using a CREATE_CHILD_SA request, a subsequent
DELETE for the old CHILD_SA may time out. Before sending this DELETE,
a CHILD_REKEYED state CHILD_SA set from child_rekey::process_i() is
immediately set to CHILD_DELETING from child_delete::build_i(). If the
IKE_SA dies due to a retransmission timeout of this DELETE, a redundant
child-down event is issued for the rekeyed CHILD_SA that has already seen a
child-rekey event.
A reproducer shows the following log and events:
[CFG] vici rekey CHILD_SA #533
[IKE] establishing CHILD_SA XXX{534} reqid 20
[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No KE TSi TSr ]
[ENC] parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
[IKE] rekeyed CHILD_SA XXX{533} with SPIs ca997de6_i cd27d4fe_o with XXX{534} with SPIs ced1cd01_i c460a7c9_o
Event: child-rekey
[OLD SA] state: REKEYING, spi-in: ca997de6
[NEW SA] state: INSTALLED, spi-in: ced1cd01
[IKE] closing CHILD_SA XXX{533} with SPIs ca997de6_i (352 bytes) cd27d4fe_o (264 bytes) and TS 0.0.0.0/0 === 10.11.9.40/29
[IKE] sending DELETE for ESP CHILD_SA with SPI ca997de6
[ENC] generating INFORMATIONAL request 1 [ D ]
[IKE] retransmit 1 of request with message ID 1
[IKE] retransmit 2 of request with message ID 1
[IKE] retransmit 3 of request with message ID 1
[IKE] retransmit 4 of request with message ID 1
[IKE] giving up after 4 retransmits
Event: child-updown
[SA] state: DELETING, spi-in: ca997de6
Event: child-updown
[SA] state: INSTALLED, spi-in: ced1cd01
To prevent the redundant child-down event for the successfully rekeyed CHILD_SA,
check if a DELETING CHILD_SA has already removed its outbound state due to
having been rekeyed before issuing the child-down event.
Add a new exchange test exercising that a delete timeout after rekeying does
not cause a duplicate child-down event.
Tobias Brunner [Fri, 6 Feb 2026 15:10:50 +0000 (16:10 +0100)]
Merge branch 'swanctl-plugins'
Uses a separate default plugin list for swanctl (instead of just loading
all of libstrongswan's plugins) to avoid some side-effects of loaded but
unused plugins. The load statements in the regression tests have been
updated accordingly.
A new configure option for maintainers of distributions that ship
plugins in separate packages changes the message if a plugin is not
found and reduces its log level. This confused users of tools that don't
use modular plugin loading (e.g. pki or swanctl).
Also changes command line handling in pki and swanctl so that the shared
options can be passed before the actual command and that the debug level
also affects library/plugin initialization.
Tobias Brunner [Fri, 30 Jan 2026 11:20:05 +0000 (12:20 +0100)]
swanctl: Add global --debug, --options and --uri arguments
Similarly to the previous commit for pki, this allows setting these
options before the command, and by pre-parsing them we can see log
messages during the initialization.
Tobias Brunner [Thu, 29 Jan 2026 16:32:03 +0000 (17:32 +0100)]
pki: Add global --debug and --options arguments
This allows setting the log level before initializing the library and
loading the plugins, as well as having the top-level command itself in
an options file.
Tobias Brunner [Wed, 28 Jan 2026 14:45:23 +0000 (15:45 +0100)]
plugin-loader: Add option to change log message if plugin is not found
Distributions like Debian/Ubuntu ship the plugins in multiple packages
that are not all installed by default. When running tools like pki or
swanctl, which don't use modular loading with config snippets by default,
there are errors in the output if these packages and plugins are
currently not available. In order to not alarm users, this change adds
a configure option that package maintainers can use. It causes the log
level of the message to increase and also adds a note that mentions that
plugins are potentially available in other packages (which should be the
case unless the user tried to load a plugin, e.g. via load statement,
that is not actually built and shipped by the package maintainers).
Tobias Brunner [Mon, 5 Jan 2026 15:32:02 +0000 (16:32 +0100)]
swanctl: Use a custom default plugin list
Loading all libstrongswan plugins isn't necessary as the tool only uses
the plugins to parse/decrypt credentials. So it's similar to pki, but
it doesn't do (online) certificate validation, access tokens, or need
access to databases.
While it's usually not an issue to load unnecessary plugins, one thing
that came up recently are the new capabilities required by the agent
plugin. Since Debian's AppArmor policy for swanctl doesn't grant them,
this produces an error message that might confuse users.
Tobias Brunner [Thu, 18 Dec 2025 14:51:02 +0000 (15:51 +0100)]
dhcp: Don't release the address via DHCP if it's still used
This is useful during make-before-break reauthentication, where the
new SA is created before the old one is terminated and the virtual IP
gets released.
This also changes the hash() and equals() functions to avoid potential
collisions.
Tobias Brunner [Thu, 8 Jan 2026 07:59:11 +0000 (08:59 +0100)]
pubkey-authenticator: Avoid conflict with config switch based on EAP-Identity
The referenced commit ignored that INVALID_ARG was returned by this
authenticator if an unsupported signature scheme is encountered. This
caused a crash in find_alternative_eap_cfg() as no EAP identity is
stored in the current auth config.
Since we don't distinguish the situation outside of the authenticator,
we can just return FAILED.
Closes strongswan/strongswan#2979
Fixes: 2f2e4abe3c52 ("ikev2: Add support to switch peer configs based on EAP-Identities")
Tobias Brunner [Tue, 20 Jan 2026 14:21:12 +0000 (15:21 +0100)]
appveyor: Reduce runtime by using lld instead of ld
In particular with the 2019 image, the time required often exceeded the
maximum of 60 minutes. Using lld reduces the runtime quite a bit (it's
still close to the limit, though).
This doesn't work with the old OpenSSL version we use with the 2015
image (that libeay32.lib file just doesn't seem to work), so continue
to use ld (the build on that image is the quickest anyway).
Tobias Brunner [Tue, 20 Jan 2026 09:58:01 +0000 (10:58 +0100)]
array: Handle recursive calls to array_sort() if qsort_r() is not supported
Such a recursive call occurs when sorting the array of Child SAs inside
an IKE SA that causes comparisons of the child configs and their
proposals, which in turn creates a merged array of all transform types
and that uses array_sort() and array_bsearch().
Closes strongswan/strongswan#2926
Fixes: 8e7f379f716c ("ike-sa: Sort CHILD_SAs by CPU ID")
Tobias Brunner [Fri, 12 Dec 2025 07:10:13 +0000 (08:10 +0100)]
ip-packet: Fix compiler warning seen on FreeBSD 15
We explicitly use untoh16() so this warning isn't relevant:
ip_packet.c:313:42: error: taking address of packed member 'ip_len' of class or structure 'ip' may result in an unaligned pointer value [-Werror,-Waddress-of-packed-member]
Tobias Brunner [Thu, 11 Dec 2025 16:25:12 +0000 (17:25 +0100)]
Use Botan 3.10.0 for tests
Clean up leak-detective whitelist for newer Botan versions but add
`botan_private_key_load` as `botan_privkey_load*` won't show up anymore
without bfd-backtraces due to inlining if we don't call it directly.
Tobias Brunner [Thu, 4 Dec 2025 12:56:31 +0000 (13:56 +0100)]
nm: Pass back the username auth-dialog runs as to access ssh-agent socket
This ensures we access the socket as user who NM ran the auth-dialog for,
especially for system-wide connections where the connection does not
mention a user.
We also make sure we don't use the cached socket and user of a previous
connection attempt, because system-wide connections might be used by
different users.
Tobias Brunner [Tue, 2 Dec 2025 15:17:36 +0000 (16:17 +0100)]
charon-nm: Pass configured user when connecting to SSH/GPG agent
This prevents an attack similar to the one fixed previously where a
user passes the path to credentials of another user, in this case the
path to the agent socket of that user.
Tobias Brunner [Wed, 26 Nov 2025 12:55:54 +0000 (13:55 +0100)]
nm: Create safe copies of files for user-specific connections
This ensures that only certificates/private keys accessible by the
configured user are accessed and prevents attackers from misusing
other user's credentials.
Also removed setting NM_VERSION_MIN_REQUIRED, which suppresses deprecation
warnings that were added with newer API versions, and
NM_VERSION_MAX_ALLOWED, which warns if using functions added in newer
API versions, so we always build against the latest API available.
But we check explicitly for the required function so this works with
older NM versions and automatically will use it if the function is
backported.
Note that we can't use BUILD_FROM_FILE to read the temporary files as that
uses mmap() which SELinux policies prevent us from using at the location
these files are stored ([/var]/run/NetworkManager/cert/).
Tobias Brunner [Mon, 24 Nov 2025 11:24:21 +0000 (12:24 +0100)]
child-rekey: Prevent crash if peer rekeys a Child SA twice before sending a delete
Some (Windows) peers have been seen to initiate a second rekeying for the
same Child SA. Presumably, this happens if a rekey request from us for
the same old Child SA arrives while it waits for the response to its
first rekey request. Once we receive the delete for the old SA, we
conclude the rekeying with the second replacement. However, the first
replacement remained linked to the old SA. So this change prevents a
crash once the peer sends a delete for that first replacement (which it
seems to do after about 5 minutes).
Tobias Brunner [Wed, 3 Dec 2025 10:40:17 +0000 (11:40 +0100)]
testing: Make per-CPU SAs scenarios more predictable by pinning IRQs to vCPUs
This ensures that packets on sun are processed on a particular CPU and
not randomly on one, which causes expected SAs not to get created or
other weird things.
Tobias Brunner [Fri, 21 Nov 2025 09:49:18 +0000 (10:49 +0100)]
Use wolfSSL 5.8.4 for tests
Also remove the --enable-md4 option. We never supported MD4 via wolfSSL,
as it's not available via the hash API we use (would require explicit
MD4-specific functions and structures).
Tobias Brunner [Thu, 20 Nov 2025 14:54:57 +0000 (15:54 +0100)]
Merge branch 'swanctl-names'
Increases buffers in settings and swanctl to allow longer connection
names (up to the limit of 256 characters imposed by VICI). The limit
for names is now also enforced when generating VICI messages.
projects / thirdparty / strongswan.git / log
