• Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079. Please refer to our blog for details.
• Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now establish a secure session via RSA OAEP public key encryption or an ephemeral ECDH key exchange, respectively. The session allows HMAC-based authenticated communication with the TPM 2.0 and the exchanged parameters can be encrypted with AES-CFB where necessary to guarantee confidentiality (e.g. when using the TPM 2.0 as RNG).
• Basic support for OpenSSL 3.0 has been added to the openssl plugin, in particular, the new load_legacy option (enabled by default) allows loading the "legacy" provider for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the existing fips_mode option allows explicitly loading the "fips" provider e.g. if it's not activated in OpenSSL's fipsmodule.cnf. All loaded providers are logged when the plugin is initialized.
• The MTU of TUN devices created by the kernel-pfroute plugin on macOS and FreeBSD is now configurable and reduced to 1400 bytes, by default. This also fixes an issue on macOS 12 that prevented the detection of virtual IPs installed on such TUN devices (#707).
• When rekeying CHILD_SAs, the old outbound SA is now uninstalled earlier on the initiator/winner. Instead of delaying this until the delete for the old CHILD_SA has been exchanged, we do this shortly after the new SA has been installed. This is useful for IPsec implementations where the ordering of SAs is unpredictable and we can't set the SPI on the outbound policy to switch to the new SA while both are installed.
• The sw-collector utility may now iterate through APT history logs processed by logrotate.
• The openssl plugin now only announces the ECDH groups actually supported by OpenSSL (determined via EC_get_builtin_curves()).
• Added support for RSA encryption with OEAP padding with optional label via openssl and wolfssl plugins (the botan plugin supports OAEP padding, but only without labels, while the gcrypt only supports OEAP padding with SHA-1 and without labels). See below for the interface change this required.
• Added support for AES-CFB via botan, gcrypt, openssl and wolfssl plugins.
• Failure handling in unit tests for libtls has been improved (#752).
• Fixed the application of configured identities to raw public keys via vici/swanctl (e43052893dd7464572e1533767fdc7f6a42ea4ee).
• Fixed the detection of several vendor IDs (broken since 5.9.3).
• Unit tests for charon-tkm now run automatically on GitHub (to test locally, refer to testing/tkm/Dockerfile).
• For developers:
  • Custom EAP plugins that don't generate an MSK have to return NOT_SUPPORTED from get_msk(). Those that do have to make sure to return FAILED until the EAP method is complete and an MSK has been established, see the blog post about the vulnerability above for more information.
  • The public_key_t::encrypt() and private_key_t::decrypt() gained a void* argument for algorithm specific parameters. First application is the optional label for RSA with OEAP padding.
  • A new metadata facility allows to attach arbitrary integer values to packet_t/message_t, which may be used to transport information from custom socket plugins to other plugins that later process IKE messages and back again.

Refer to the 5.9.5 milestone for a list of all closed issues and pull requests.