strongSwan 5.9.4

• Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
  Please refer to our blog for details.
• Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
  Please refer to our blog for details.
• Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
• AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
• Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
• Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
• Loading SSH public keys via vici has been improved (#467).
• Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
• Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
• The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
• libtpmtss is initialized in all programs and libraries that use it.
• Migrated testing scripts to Python 3.
• The testing environment uses images based on Debian bullseye by default (support for jessie was removed).

Refer to the 5.9.4 milestone for a list of all closed issues and pull requests.