strongSwan 5.9.8

• Fixed a vulnerability related to online certificate revocation checking that was caused because the revocation plugin used potentially untrusted OCSP URIs and CRL distribution points in certificates. This allowed a remote attacker to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which could have lead to a denial-of-service attack. This vulnerability has been registered as CVE-2022-40617. Please refer to our blog for details.

• The pki --scep|--scepca commands implement the HTTP-based "Simple Certificate Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated scepclient that has been removed.

• The pki --est|estca commands implement the HTTPS-based "Enrollment over Secure Transport" (RFC 7070 EST) protocol.

• The pki --req command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key.

• The ike_cfg_t object is now always replaced together with the peer_cfg_t object that's set on an IKE_SA during authentication. This is more consistent and allows to properly take into account some settings that are also relevant during IKE_AUTH (e.g. childless) and it was actually already handled this way during rekeying/reestablishing of IKE_SAs and e.g. for the DSCP setting.

• The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests (now indirectly enabled if the pki tool is built due to the implementation of EST) can be completed successfully with just the default plugins.

• Our TLS client implementation now sends an empty certificate payload if a certificate request is received but no certificate is available. The encoding of TLS 1.3 certificate extensions for intermediate CA certificates has also been fixed.

• The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP sockets, so an error is triggered if e.g. two daemons (e.g. charon and charon-systemd) are running concurrently using the same ports.

• The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier for RSASSA-PSS signatures with explicit trailerField, which might be necessary for interoperability with implementations of RFC 7427 that haven't considered its errata.

• A potential use-after-free issue has been fixed when caching credential encodings (e.g. fingerprints) if multiple threads operate on the same key concurrently (#1231).

• A potential crash has been fixed caused by a race condition during shutdown between the main thread flushing the IKE_SA manager and worker threads still creating IKE_SAs (#1252).

• A potential crash in the vici plugin has been fixed that was caused when events were triggered with messages that failed to get created successfully (#1278).

• A file descriptor leak has been fixed in the Android client (#1160), plus some other issues related to targeting Android 12 (e.g. #1151 and 86b69f2).

• For developers:

  • For IKEv2, the ike_updown() "up" event and the state change to IKE_ESTABLISHED are now triggered after all IKE-related tasks are done. This ensures the IKE_SA is actually fully established, which now includes any assigned virtual IPs, additional MOBIKE peer addresses or a reauthentication time updated via AUTH_LIFETIME notify. This was an issue for the selinux plugin if virtual IPs were used.
  • In the cert_validator_t interface, the online flag has been removed from the validate() method, which is called during basic certificate chain validation. Online validation is now instead triggered via the new validate_online() method, which is called after a trusted certificate chain has been built.
  • pen_t is now used for EAP vendor IDs instead of uint32_t.
  • The --enable-asan configure option enables building with AddressSanitizer (ASan).
  • The TESTS_ITERATIONS environment variable allows running only specific iterations of loop-based test functions.

Refer to the 5.9.8 milestone for a list of all closed issues and pull requests.