18362 Commits

Author SHA1 Message Date
Tobias Brunner
be0ce6db93 configure: Move pkcs8 plugin after plugins that can parse PKCS#8 directly
With such plugins we only need the pkcs8 plugin to load encrypted files.
2022-04-14 19:05:44 +02:00
Tobias Brunner
544fb1cf92 pkcs8: Parse the decrypted PKCS#8 structure via regular builders
This allows other plugins to parse such structures directly.  The pkcs8
plugin is called recursively again if necessary.
2022-04-14 19:05:44 +02:00
Tobias Brunner
21b586c61c openssl: Fixes for RSA with OpenSSL 3.0 2022-04-14 19:05:44 +02:00
Tobias Brunner
36cf74f5d9 openssl: Fixes for DH with OpenSSL 3.0
While we could assign the DH object to an EVP_PKEY object, this won't work
with BoringSSL as it doesn't seem to support EVP_PKEY_derive() for DH.
2022-04-14 19:05:44 +02:00
Tobias Brunner
f5710c9ccb openssl: Fixes for ECDH with OpenSSL 3.0
Uses new and non-deprecated APIs to create/generate key pairs.
2022-04-14 19:05:44 +02:00
Tobias Brunner
13efce489e openssl: PRF_KEYED_SHA1 might not be supported
The old API has been deprecated with OpenSSL 3 and direct access to the
state isn't possible via EVP API.  In the future we might just remove this
implementation but we'd probably have to implement EAP-AKA' first, which
uses HMAC-SHA-256 with IKEv2's prf+ construct to derive keys instead
of this weird construct (plus what fips-prf builds around it) that's used
by EAP-AKA.
2022-04-14 19:05:44 +02:00
Tobias Brunner
519bc22091 leak-detective: Whitelist OpenSSL 3.0 functions 2022-04-14 19:05:44 +02:00
Tobias Brunner
1c1213f4b6 openssl: Move shared secret calculation to get_shared_secret()
This is a change from the multi-KE branch.
2022-04-14 19:05:44 +02:00
Tobias Brunner
94a3563c68 Merge branch 'ikev2-kdf-modularization'
This modularizes the IKEv2 key derivation, which makes certification (e.g.
FIPS) easier because it allows the two steps (PRF/prf+) to be implemented
by already certified third-party libraries.

For the existing third-party libraries, the two KDFs are implemented via
the respective library's HKDF implementation.  A generic implementation,
based on existing PRFs, is provided by the new kdf plugin.
2022-04-14 19:03:03 +02:00
Tobias Brunner
f619b833ac keymat_v2: Use plugin-provided KDF_PRF to derive SKEYSEED 2022-04-14 19:02:56 +02:00
Tobias Brunner
743b486118 unit-tests: Hand out an actual shared secret and pubkey in mock KE implementation
Makes this a bit more realistic and makes key derivation via OpenSSL's
HKDF work during tests.
2022-04-14 19:02:56 +02:00
Tobias Brunner
56afc6e298 wolfssl: Implement HMAC-based IKEv2 PRFs via wolfSSL's HKDF implementation 2022-04-14 19:02:56 +02:00
Tobias Brunner
7498769aba botan: Implement HMAC-based IKEv2 PRFs via Botan's HKDF implementation 2022-04-14 19:02:56 +02:00
Tobias Brunner
e0fc786ecd openssl: Implement HMAC-based IKEv2 PRFs via OpenSSL's HKDF implementation 2022-04-14 19:02:56 +02:00
Tobias Brunner
0339ce34f6 kdf: Implement wrapper for IKEv2 PRFs 2022-04-14 19:02:56 +02:00
Tobias Brunner
ad0e94b6ed test-vectors: Add vectors for HMAC-based IKEv2 PRFs 2022-04-14 19:02:56 +02:00
Tobias Brunner
37dbc87960 crypto: Add new KDF type for IKEv2 PRFs 2022-04-14 19:02:56 +02:00
Tobias Brunner
7bde56a9bc crypto: Adapt kdf_t interface to support KDFs with fixed output length 2022-04-14 19:02:56 +02:00
Tobias Brunner
96c7692661 wolfssl: Implement prf+ via wolfSSL's HKDF implementation 2022-04-14 19:02:56 +02:00
Tobias Brunner
cb8f924051 botan: Implement prf+ via Botan's HKDF implementation 2022-04-14 19:02:56 +02:00
Tobias Brunner
f535f1ed53 crypto: Remove unused prf_plus_t 2022-04-14 19:02:56 +02:00
Tobias Brunner
f0957d1250 kdf: Implement prf+ directly without relying on prf_plus_t 2022-04-14 19:02:56 +02:00
Tobias Brunner
9cb3c10418 keymat_v1: Derive CHILD_SA keys without using prf_plus_t
We already expand skeyid_e in a similar fashion so do this analogously
without relying on prf_plus_t.
2022-04-14 19:02:56 +02:00
Tobias Brunner
be07b9dc01 unit-tests: Use plugin-provided prf+ in unit test
This tests the params API and the counter overflow.
2022-04-14 19:02:56 +02:00
Tobias Brunner
df16d7902a tls-hkdf: Use plugin-provided prf+ 2022-04-14 19:02:56 +02:00
Tobias Brunner
7161c87617 keymat_v2: Use plugin-provided prf+ to derive keys 2022-04-14 19:02:56 +02:00
Tobias Brunner
08e31138bd appveyor: Enable kdf plugin on old images with OpenSSL 1.0.2/1.1.0
HKDF with expand-only mode is only available since OpenSSL 1.1.1.
2022-04-14 19:02:56 +02:00
Tobias Brunner
5cc47c11f2 android: Build and load kdf plugin for prf+
Not necessary with newer versions of OpenSSL, but our BoringSSL release
does not support HKDF yet.
2022-04-14 19:02:56 +02:00
Tobias Brunner
3a52fc83f8 testing: Load kdf plugin in all scenarios that require it
Once we use plugin-provided prf+() these won't work otherwise.
2022-04-14 19:02:48 +02:00
Tobias Brunner
742134c112 keymat_v2: Refactor CHILD_SA key derivation so it only needs one prf+ call 2022-04-14 18:54:24 +02:00
Tobias Brunner
00cfc05467 keymat_v2: Refactor IKE key derivation so it only needs one prf+ call 2022-04-14 18:54:24 +02:00
Tobias Brunner
2b9b579af9 openssl: Add a prf+ implementation based on OpenSSL's HKDF implementation
The HKDF-Expand() function defined in RFC 5869 is basically the same as
IKEv2's prf+(), so we can use the former to implement the latter.
However, we can only support HMAC-based PRFs this way, which should be
fine as others are rarely used.
2022-04-14 18:54:24 +02:00
Tobias Brunner
9e228de60a kdf: Add plugin that provides a default prf+ implementation 2022-04-14 18:54:24 +02:00
Tobias Brunner
ce431366e6 test-vectors: Add test vectors for prf+ 2022-04-14 18:54:24 +02:00
Tobias Brunner
71ba969884 plugin-feature: Add plugin feature for KDFs 2022-04-14 18:54:24 +02:00
Tobias Brunner
961cb781b9 plugin-feature: Remove 'default' case in plugin_feature_un|load() 2022-04-14 18:54:24 +02:00
Tobias Brunner
86d526876d test-vectors: Add support for KDF test vectors 2022-04-14 18:54:24 +02:00
Tobias Brunner
02f7d63e52 crypto-factory: Use actual plugin name when testing during construction 2022-04-14 18:54:24 +02:00
Tobias Brunner
0c6baa8997 crypto-tester: Add facility to test KDFs 2022-04-14 18:54:24 +02:00
Tobias Brunner
ec17fa2fef vici: Report registered KDFs 2022-04-14 18:54:24 +02:00
Tobias Brunner
07bf428ad1 stroke: List registered KDFs 2022-04-14 18:54:24 +02:00
Tobias Brunner
fbb0bdebe7 crypto-factory: Add constructor and methods to create KDFs
Using some arguments directly in the constructor will allow us to fall
back on other implementations.
2022-04-14 18:54:24 +02:00
Tobias Brunner
35ad267fce pkcs5: Rename kdf_t to avoid conflict 2022-04-14 18:54:24 +02:00
Tobias Brunner
e93882c6a0 transform: Add private transform for KDFs 2022-04-14 18:54:24 +02:00
Tobias Brunner
40a09613d2 crypto: Add interface for key derivation functions 2022-04-14 18:54:24 +02:00
Tobias Brunner
8b8a2ee43a Merge branch 'labeled-ipsec'
This adds support for labeled IPsec with SELinux (and a proprietary mode
that can be used to match child configs).  For SELinux support, compile
with --enable-selinux.

Other changes include a combined start action (trap|start), avoiding
initiating duplicate CHILD_SAs, updating reqids if dynamic traffic
selectors change, removing reqid errors on policy updates, or querying
specific CHILD_SAs with vici's list-sas command.

Closes #3075
2022-04-14 18:52:38 +02:00
Tobias Brunner
6910347d1a testing: Add DSCP scenario that uses simple labels
Instead of creating two IKE_SAs with different identities, this scenario
uses simple labels to select the correct child config.
2022-04-14 18:42:01 +02:00
Tobias Brunner
955b526be8 swanctl: Add options to filter CHILD_SAs in --list-sas 2022-04-14 18:42:01 +02:00
Tobias Brunner
b1c7fac768 vici: Add options to only return specific CHILD_SAs in list-sas() 2022-04-14 18:42:01 +02:00
Tobias Brunner
994d9d37d4 testing: Copy comments to test log 2022-04-14 18:42:01 +02:00