Vulnerabilities

• Fixed a vulnerability in charon-tkm (the TKM-backed version of the charon IKE daemon) related to processing DH public values that can lead to a buffer overflow and potentially remote code execution. This vulnerability has been registered as CVE-2023-41913. Please refer to our blog for details.

New Feature Additions

• The new pki --ocsp command produces OCSP responses based on certificate status information provided by implementations of the new ocsp_responder_t interface (#1958).

  Two sources are currently available, the openxpki plugin that directly accesses the OpenXPKI database and the command's --index argument, which reads certificate status information from OpenSSL-style index.txt files (multiple CAs are supported concurrently).

• The new cert-enroll script handles the initial enrollment of an X.509 host certificate with a PKI server via the EST or SCEP protocols.

  Run as a systemd timer or via a crontab entry, the script checks the expiration date of the host certificate daily. When a given deadline is reached, the host certificate is automatically renewed via EST or SCEP re-enrollment based on the possession of the old private key and the matching certificate.

• Added a global option (charon.reject_trusted_end_entity) to prevent peers from authenticating with certificates that are locally trusted, in particular, our own local certificate, which safeguards against accidental reuse of certificates on multiple peers. As the name suggests, all trusted end-entity certificates are rejected if enabled, so peer certificates can't be configured explicitly anymore (e.g. via remote.certs in swanctl.conf).

• The --priv argument for charon-cmd allows the use of any type of private key (previously, only RSA keys were supported).

• The openssl plugin now supports the nameConstraints extension in X.509 certificates (#1990).

• Support for nameConstraints of type iPAddress are now supported by the x509, openssl and constraints plugins (#1991).

• Support for encoding subjectAlternativeName extensions of type uniformResourceIdentifier in X.509 certificates has been added via the uri: prefix (e.g. for URNs, #1983).

• Support for password-less PKCS#12 and PKCS#8 files has been added (#1955).

Enhancements and Optimizations

• Because of a relatively recent NIAP requirement (TD0527, Test 8b), loading of certificates with ECDSA keys that explicitly encode the curve parameters is rejected if possible. Explicit encoding is pretty rare to begin with and e.g. wolfSSL already rejects such keys, by default. All crypto plugins that support ECDSA enforce this by rejecting such public keys, except when using older versions of OpenSSL (< 1.1.1h) or Botan (< 3.2.0) (#1949).

• Make the NetworkManager plugin (charon-nm) actually use the XFRM interface it creates since 5.9.10. This involves setting interface IDs on SAs and policies, and installing routes via the interface. To avoid routing loops if the remote traffic selectors include the VPN server, IKE and ESP packets are marked to bypass the routing table that contains the routes via XFRM interface (69e0c1161d54f0ecb5d18b0e0c5e39dcc69fba93).

  If available, the plugin now also adopts the interface name configured in connection.interface-name in a *.nmconnection file as name for the XFRM interface instead of generating one randomly (e8f8d32494e2945f6f43b7ac46fa5d0491b417ec).

• The resolve plugin tries to maintain the order of DNS servers it installs via resolvconf or resolv.conf (6440975bb40609e4894931ae3d679ecea73784c8, 8238ad480aa7b404e345cee06bc49389141ca269).

• The kernel-libipsec plugin now always installs routes to remote networks even if no address is found in the local traffic selectors, which allows forwarding traffic from networks the VPN host is not part of (190d8cbe1931ec57484d9bb451824a7fc57979bd).

• Increased the default receive buffer size for Netlink sockets to 8 MiB (doubled by the kernel to account for overhead) and simplified the configuration (no need for a separate option to force overriding rmem_max). It's now also set for event sockets, which previously could cause issues on hosts with e.g. lots of route changes (#1757).

• When issuing certificates, the subjectKeyIdentifier of the issuing certificate, if available, is now copied as authorityKeyIdentifier, instead of always generating a SHA-1 hash of the issuer's subjectPublicKey (#1992, 6941dcb17aa5fb51b6fe7831794a4c3593480c3c).

• Explicitly request permission to display notifications on Android 13+ (ddf84c165d94811a025f128fb6016f5911d6b179), also enabled hardware acceleration for the Android-specific OpenSSL build.

Fixes

• Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with unrelated traffic selectors (#1855).
• Fixed an issue in watcher_t with handling errors on sockets (e.g. if the receive buffer is full), which caused an infinite loop if poll() only signaled POLLERR as event (#1757).
• Fixed an issue in the IKE_SA_INIT tracking code that was added with 5.9.6, which did not correctly untrack invalid messages with non-zero message IDs or SPIs (0b4735709189f9f3b20f64bce4f38211527fff5b).
• Fixed a regression introduced with 5.9.8 when handling IKE redirects during IKE_AUTH (595fa077b63c4cbea292fdb4a05606b65cf4f8c1).
• Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs in the kernel-netlink plugin, which prevented MOBIKE updates if a large anti-replay window was used (#1967).
• Fixed a race condition in the kernel-pfroute plugin when adding virtual IPs if the TUN device is activated after the address was already added internally, which caused the installed route not to go via TUN device in order to force the virtual IP as source address (#1807).
• Fixed an issue in libtls that could cause the wrong ECDH group to get instantiated (b5e4bf4b6c2d5a3ac46cce78d69673c224256206).
• Fixed the encoding of the CHILD_SA_NOT_FOUND notify if a CHILD_SA is not found during rekeying. It was previously empty, now contains the SPI and sets the protocol to the values received in the REKEY_SA notify (849c2c9707e00fc5210bd389631a2fc1a97089e6).
• Fixed a possible issue with MOBIKE in the Android client on certain devices (#1691).

For Developers

• The new ocsp_responder_t interface can be implemented to provide certificate status information to the pki --ocsp command. Responders can be (un-)registered via the ocsp_responders_t instance at lib->ocsp.
• For the watcher_t component, WATCHER_EXCEPT has been removed as there is no way to explicitly listen for errors on sockets and poll() actually can return POLLERR for any FD and it might even be the only signaled event (which caused an infinite loop previously). Now we simply notify the registered callbacks. The error is then reported by e.g. recvfrom(), which was already the case before if POLLERR was returned together with e.g. POLLIN.
• The reqids allocated for CHILD_SAs (including trap policies) via kernel_interface_t::alloc_reqid() are now refcounted. When recreating a CHILD_SA, a reference to the reqid can be requested via child_sa_t::get_reqid_ref(). If another reference is required afterwards, one can be acquired directly via kernel_interface_t::ref_reqid(). Each reference has to be released via kernel_interface_t::release_reqid(), whose interface was simplified.
• The testing environment is now based on Debian 12 (bookworm), by default. Also, when copying files to guests, the guest-specific files are now copied after the default files, which allows overriding files per guest (fixes an issue with winnetou's /etc/fstab and mounting the test results).

Refer to the 5.9.12 milestone for a list of all closed issues and pull requests.