Android.common.mk

@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.8.0"
+strongswan_VERSION := "5.8.1"
 

Makefile.in

@@ -276,6 +276,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FUZZING_CFLAGS = @FUZZING_CFLAGS@
 FUZZING_LDFLAGS = @FUZZING_LDFLAGS@
 GEM = @GEM@
 GENHTML = @GENHTML@

NEWS

+strongswan-5.8.1
+----------------
+
+- RDNs in Distinguished Names can now optionally be matched less strict. The
+  global option charon.rdn_matching takes two alternative values that cause the
+  matching algorithm to either ignore the order of matched RDNs or additionally
+  accept DNs that contain more RDNs than configured (unmatched RDNs are treated
+  like wildcard matches).
+
+- The updown plugin now passes the same interface to the script that is also
+  used for the automatically installed routes, i.e. the interface over which the
+  peer is reached instead of the interface on which the local address is found.
+
+- TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple
+  IKE_SAs use the same private key concurrently.
+
+
 strongswan-5.8.0
 ----------------
 
@@ -1949,7 +1966,7 @@ strongswan-4.3.1
   fuzzing techniques: 1) Sending a malformed IKE_SA_INIT request leaved an
   incomplete state which caused a null pointer dereference if a subsequent
   CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
-  a missing TSi or TSr payload caused a null pointer derefence because the
+  a missing TSi or TSr payload caused a null pointer dereference because the
   checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
   developed by the Orange Labs vulnerability research team. The tool was
   initially written by Gabriel Campana and is now maintained by Laurent Butti.

conf/Makefile.in

@@ -199,6 +199,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FUZZING_CFLAGS = @FUZZING_CFLAGS@
 FUZZING_LDFLAGS = @FUZZING_LDFLAGS@
 GEM = @GEM@
 GENHTML = @GENHTML@

conf/options/charon.conf

@@ -184,6 +184,10 @@ charon {
     # Process RTM_NEWROUTE and RTM_DELROUTE events.
     # process_route = yes
 
+    # How RDNs in subject DNs of certificates are matched against configured
+    # identities (strict, reordered, or relaxed).
+    # rdn_matching = strict
+
     # Delay in ms for receiving packets, to simulate larger RTT.
     # receive_delay = 0
 

conf/options/charon.opt

@@ -296,6 +296,22 @@ charon.processor.priority_threads {}
 	Section to configure the number of reserved threads per priority class
 	see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
 
+charon.rdn_matching = strict
+	How RDNs in subject DNs of certificates are matched against configured
+	identities (_strict_, _reordered_, or _relaxed_).
+
+	How RDNs in subject DNs of certificates are matched against configured
+	identities. Possible values are _strict_ (the default), _reordered_, and
+	_relaxed_. With _strict_ the number, type and order of all RDNs has to
+	match, wildcards (*) for the values of RDNs are allowed (that's the case
+	for all three variants). Using _reordered_ also matches DNs if the RDNs
+	appear in a different order, the number and type still has to match.
+	Finally, _relaxed_ also allows matches of DNs that contain more RDNs than
+	the configured identity (missing RDNs are treated like a wildcard match).
+
+	Note that _reordered_ and _relaxed_ impose a considerable overhead on memory
+	usage and runtime, in particular, for mismatches, compared to _static_.
+
 charon.receive_delay = 0
 	Delay in ms for receiving packets, to simulate larger RTT.
 

conf/plugins/imc-attestation.opt

@@ -29,7 +29,8 @@ libimcv.plugins.imc-attestation.pcr17_before =
 	PCR17 value before measurement.
 
 libimcv.plugins.imc-attestation.pcr17_meas =
-        Dummy measurement value extended into PCR17 if the TBOOT log is not available.
+	Dummy measurement value extended into PCR17 if the TBOOT log is not
+	available.
 
 libimcv.plugins.imc-attestation.pcr17_after =
 	PCR17 value after measurement.
@@ -38,7 +39,8 @@ libimcv.plugins.imc-attestation.pcr18_before =
 	PCR18 value before measurement.
 
 libimcv.plugins.imc-attestation.pcr18_meas =
-       Dummy measurement value extended into PCR17 if the TBOOT log is not available. 
+	Dummy measurement value extended into PCR17 if the TBOOT log is not
+	available.
 
 libimcv.plugins.imc-attestation.pcr18_after =
 	PCR18 value after measurement.

conf/strongswan.conf.5.main

@@ -1820,6 +1820,37 @@ PRIORITY MANAGEMENT in
 .RB "" "strongswan.conf" "(5)."
 
 
+.TP
+.BR charon.rdn_matching " [strict]"
+How RDNs in subject DNs of certificates are matched against configured
+identities. Possible values are
+.RI "" "strict" ""
+(the default),
+.RI "" "reordered" ","
+and
+.RI "" "relaxed" "."
+With
+.RI "" "strict" ""
+the number, type and order of all RDNs has to match,
+wildcards (*) for the values of RDNs are allowed (that's the case for all three
+variants). Using
+.RI "" "reordered" ""
+also matches DNs if the RDNs appear in a different
+order, the number and type still has to match. Finally,
+.RI "" "relaxed" ""
+also allows
+matches of DNs that contain more RDNs than the configured identity (missing RDNs
+are treated like a wildcard match).
+
+Note that
+.RI "" "reordered" ""
+and
+.RI "" "relaxed" ""
+impose a considerable overhead on memory
+usage and runtime, in particular, for mismatches, compared to
+.RI "" "static" "."
+
+
 .TP
 .BR charon.receive_delay " [0]"
 Delay in ms for receiving packets, to simulate larger RTT.

config.h.in

@@ -64,6 +64,9 @@
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
 
+/* Define to 1 if you have the `explicit_bzero' function. */
+#undef HAVE_EXPLICIT_BZERO
+
 /* Define to 1 if you have the `fmemopen' function. */
 #undef HAVE_FMEMOPEN
 

configure

 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.8.0.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.8.1.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.8.0'
-PACKAGE_STRING='strongSwan 5.8.0'
+PACKAGE_VERSION='5.8.1'
+PACKAGE_STRING='strongSwan 5.8.1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
@@ -1067,6 +1067,7 @@ RUBY_GEMS_INSTALL_TRUE
 RUBYGEMDIR
 GEM
 FUZZING_LDFLAGS
+FUZZING_CFLAGS
 COVERAGE_LDFLAGS
 COVERAGE_CFLAGS
 GENHTML
@@ -2112,7 +2113,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.8.0 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.8.1 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -2183,7 +2184,7 @@ fi
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.8.0:";;
+     short | recursive ) echo "Configuration of strongSwan 5.8.1:";;
    esac
   cat <<\_ACEOF
@@ -2495,7 +2496,8 @@ Optional Packages:
                           ipsec).
   --with-fips-mode=arg    set openssl FIPS mode: disabled(0), enabled(1),
                           Suite B enabled(2) (default: 0).
-  --with-libfuzzer=arg    path to libFuzzer.a (default: ).
+  --with-libfuzzer=arg    -fsanitize=fuzzer or path to libFuzzer.a, a local
+                          driver is used if not specified (default: ).
   --with-capabilities=arg set capability dropping library. Currently supported
                           values are "libcap" and "native" (default: no).
   --with-mpz_powm_sec=arg use the more side-channel resistant mpz_powm_sec in
@@ -2671,7 +2673,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.8.0
+strongSwan configure 5.8.1
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3193,7 +3195,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by strongSwan $as_me 5.8.0, which was
+It was created by strongSwan $as_me 5.8.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   $ $0 $@
@@ -4056,7 +4058,7 @@ fi
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.8.0'
+ VERSION='5.8.1'
 cat >>confdefs.h <<_ACEOF
@@ -19258,7 +19260,7 @@ _ACEOF
 fi
 done
-for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo
+for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo explicit_bzero
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -23151,19 +23153,27 @@ $as_echo "$as_me: coverage enabled, adding \"-g -O0\" to CFLAGS" >&6;}
 fi
 if test x$fuzzing = xtrue; then
-	if test x$libfuzzer = x; then
+	case "$libfuzzer" in
+	"")
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: fuzz targets enabled without libFuzzer, using local driver" >&5
 $as_echo "$as_me: fuzz targets enabled without libFuzzer, using local driver" >&6;}
 		CFLAGS="${CFLAGS} -fsanitize=address"
 		libfuzzer="libFuzzerLocal.a"
-	else
+		;;
+	"-fsanitize=fuzzer")
+		libfuzzer=""
+		FUZZING_CFLAGS="-fsanitize=fuzzer"
+
+		;;
+	*)
 		# required for libFuzzer
 		FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++"
 		if test "$SANITIZER" = "coverage"; then
 			FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm"
 		fi
-	fi
+		;;
+	esac
 fi
 if test x$ruby_gems = xtrue; then
@@ -27659,7 +27669,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.8.0, which was
+This file was extended by strongSwan $as_me 5.8.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   CONFIG_FILES    = $CONFIG_FILES
@@ -27725,7 +27735,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.8.0
+strongSwan config.status 5.8.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"

configure.ac

@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.8.0])
+AC_INIT([strongSwan],[5.8.1])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -63,7 +63,7 @@ ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
 ARG_WITH_SUBST([ipsec-script],       [ipsec], [change the name of the ipsec script])
 ARG_WITH_SUBST([fips-mode],          [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)])
-ARG_WITH_SUBST([libfuzzer],          [], [path to libFuzzer.a])
+ARG_WITH_SUBST([libfuzzer],          [], [-fsanitize=fuzzer or path to libFuzzer.a, a local driver is used if not specified])
 ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
 ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available])
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
@@ -650,7 +650,7 @@ AC_CHECK_FUNC(
 )
 
 AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
-AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo)
+AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo explicit_bzero)
 
 AC_CHECK_FUNC([syslog], [
 	AC_DEFINE([HAVE_SYSLOG], [], [have syslog(3) and friends])
@@ -1294,18 +1294,26 @@ if test x$coverage = xtrue; then
 fi
 
 if test x$fuzzing = xtrue; then
-	if test x$libfuzzer = x; then
+	case "$libfuzzer" in
+	"")
 		AC_MSG_NOTICE([fuzz targets enabled without libFuzzer, using local driver])
 		CFLAGS="${CFLAGS} -fsanitize=address"
 		libfuzzer="libFuzzerLocal.a"
-	else
+		;;
+	"-fsanitize=fuzzer")
+		libfuzzer=""
+		FUZZING_CFLAGS="-fsanitize=fuzzer"
+		AC_SUBST(FUZZING_CFLAGS)
+		;;
+	*)
 		# required for libFuzzer
 		FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++"
 		if test "$SANITIZER" = "coverage"; then
 			FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm"
 		fi
 		AC_SUBST(FUZZING_LDFLAGS)
-	fi
+		;;
+	esac
 fi
 
 if test x$ruby_gems = xtrue; then

debian/changelog

-strongswan (5.8.0-3) UNRELEASED; urgency=medium
+strongswan (5.8.1-1) UNRELEASED; urgency=medium
 
-  * d/salsa-ci.yml: disable blhc tests
   * d/rules: disable http and stream tests under CI
+  * New upstream version 5.8.1
 
- -- Yves-Alexis Perez <corsac@debian.org>  Tue, 08 Oct 2019 09:44:57 +0200
+ -- Yves-Alexis Perez <corsac@debian.org>  Fri, 18 Oct 2019 16:39:27 +0200
 
 strongswan (5.8.0-2) unstable; urgency=medium
 

debian/salsa-ci.yml

@@ -2,5 +2,3 @@
 include:
     - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
     - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
-variables:
-    SALSA_CI_DISABLE_BLHC: 1

fuzz/Makefile.am

 AM_CPPFLAGS = @CPPFLAGS@ \
+	@FUZZING_CFLAGS@ \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libimcv \
 	-I$(top_srcdir)/src/libtncif \

fuzz/Makefile.in

@@ -217,6 +217,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FUZZING_CFLAGS = @FUZZING_CFLAGS@
 FUZZING_LDFLAGS = @FUZZING_LDFLAGS@
 GEM = @GEM@
 GENHTML = @GENHTML@
@@ -425,6 +426,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = @CPPFLAGS@ \
+	@FUZZING_CFLAGS@ \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libimcv \
 	-I$(top_srcdir)/src/libtncif \