While this does require quite a bit of memory, on initiators there are
usually fewer concurrent SAs getting created so this should be less of
an issue than on a gateway that handles lots of SAs as responder.
The speed up is about 30% on the initiator during the decapsulation,
while the key generation does take a bit more time (about 3%).
This follows FIPS 203 relatively closely but takes some ideas from the
reference implementation. In particular, how to avoid potential
side-channels via direct C division/modulo operations. However, it just
uses Barrett reduction (no Montgomery reduction) and no negative
coefficients to avoid number format conversions and keep the
implementation clearer.
This registers support for the ML_KEM_{512,768,1024} key exchange
algorithms in the `openssl` plugin when built using AWS-LC as the
libcrypto. To do this, we introduce the `openssl_kem` source files
which implement the key exchange algorithm using the Key Encapsulation
Mechanism (KEM) API. Future KEM algorithms can be implemented
generically using this interface by substituting the appropriate NIDs.
It also supports both seeded (via DRBG) and unseeded modes depending
on the user's requirements for KATs or entropy sources.
It should be noted that this does not add support for KEM algorithms
within upstream OpenSSL and is API incompatible. Future work will need
to condition out the incompatibilities as-appropriate. However, the
high-level logic should be the same for all KEMs and KEM APIs.
References strongswan/strongswan#2228Closesstrongswan/strongswan#2490
Both Diffie-Hellman (DH) and Key Encapsulation Mechanism (KEM) based
key exchange methods use a common ke_test_vector format. The
set_seed() function is used to provide deterministic private key
material for the crypto tests.
If uniqueness checks are disabled and multiple IKE_SAs with the same
identities are created, an offline lease could have gotten reassigned
during a make-before-break reauthentication if such an SA was closed
earlier. Checking for an online lease for the same client (IP/port)
first ensures that the correct IP is reassigned during the
reauthentication.
References strongswan/strongswan#2472
Since we now open sockets for each address family independently (via
IPV6_V6ONLY) and without SO_REUSEADDR, it could happen with the previous
order on Linux that opening the port that was allocated as ephemeral
port for IPv6 was already used by a different process for IPv4.
Most IPv6 sockets on ephemeral ports will not have IPV6_V6ONLY set, so
the same port is also reserved for IPv4. Therefore, it's save to assume
that any ephemeral port we first get for IPv4 is free for IPv6.
References strongswan/strongswan#2494
This reverts commit 84a3077e780e7b25bf536da42a583bdc18448362.
Support for dots in names of settings was removed quite a while ago and
now the \. sequence caused `SyntaxWarning: invalid escape sequence`.
The order was different when not setting `esp_proposals` or explicitly
configuring `default`.
Fixes: 33412158f58c ("ike: Send AEAD ESP default proposal first")
Similar to the previous commit. Instead of
generating rule 10 (1258)
followed by (or not if the list is empty)
generating payload of type PROPOSAL_SUBSTRUCTURE
we now get
generating rule 10 LIST of PROPOSAL_SUBSTRUCTURE
in the debug log.
Instead of this
parsing rule 10 (1258)
we now see this
parsing rule 10 LIST of PROPOSAL_SUBSTRUCTURE
in the debug log. Particularly useful if the list is empty as there won't
be a message like this following it:
x bytes left, parsing recursively PROPOSAL_SUBSTRUCTURE
struct ifreq can't be used for IPv6 as the ifr_addr member is not large
enough. Actually, configuring an IPv6 address via an AF_INET socket won't
work anyway. And unfortunately, it's not standardized how IPv6 addresses
are installed, so we have to do this quite differently on Linux and on BSD.
However, we already use SIOCAIFADDR for IPv4 on newer FreeBSD systems,
which wasn't the case when this patch was originally created in 2014.
