sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity
19,106 Commits 101 Branches 327 Tags
Commit Graph

19106 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tobias Brunner
882ff93bfd proposal: Accept NONE for additional key exchanges also for IKE proposals 2024-08-07 16:20:19 +02:00
Tobias Brunner
33e421320a unit-tests: Add tests for CHILD_SA rekeying with multiple key exchanges 2024-08-07 16:20:19 +02:00
Tobias Brunner
37eeafa37f unit-tests: Add tests for CHILD_SA creation with multiple key exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
329a7b331d unit-tests: Add tests for IKE_SA rekeying with multiple key exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
37c56affa1 unit-tests: Support multiple proposals in exchange tests 2024-08-07 16:20:18 +02:00
Andreas Steffen
d4fb07911f vici: Increase maximum proposal length 2024-08-07 16:20:18 +02:00
Andreas Steffen
355f917532 vici: List additional key exchanges 
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
 2024-08-07 16:20:18 +02:00
Tobias Brunner
c5a6938b9e proposal: Add prefix for additional key exchanges when logging proposals 2024-08-07 16:20:18 +02:00
Tobias Brunner
e05d86b27a key-exchange: Add dynamic parser for additional key exchange methods 2024-08-07 16:20:18 +02:00
Tobias Brunner
95275d2fe5 child-rekey: Support CHILD_SA rekeying with multiple key exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
c200bd1668 unit-tests: Fix CHILD_SA rekey tests after INVALID_KE_PAYLOAD handling changed 
The responder doesn't create a CHILD_SA and allocate an SPI anymore
when responding with an INVALID_KE_PAYLOAD notify.
 2024-08-07 16:20:18 +02:00
Tobias Brunner
d7760416d6 child-create: Add support for multiple key exchanges 
It also changes that payloads are built before installing the CHILD_SA
on the responder, that is, the KE payload is generated before keys are
derived, so that key_exchange_t::get_public_key() is called before
get_shared_secret(), or its internal equivalent, which could be relevant
for KE implementations that want to ensure that the key can't be
accessed again after the key derivation.
 2024-08-07 16:20:18 +02:00
Tobias Brunner
ca3e6d2d14 ike-rekey: Support IKE_SA rekeying with multiple key exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
0d49ddec2e ike-init: Add support for multiple key exchanges 
Initially, this is handled with a key derivation for each
IKE_INTERMEDIATE exchange.  When rekeying, the keys are derived only
once all IKE_FOLLOWUP_KE exchanges are done.
 2024-08-07 16:20:18 +02:00
Tobias Brunner
eff0c43a17 bus: Support multiple key exchanges in ike/child_keys() events 2024-08-07 16:20:18 +02:00
Tobias Brunner
c14e4ab2a8 keymat_v2: Support key derivation with multiple key exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
c36eaf42da key-exchange: Add helper to concatenate shared secrets of several key exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
ec0ec55070 keymat_v2: Proper cleanup if derive_ike_keys() is called multiple times 2024-08-07 16:20:18 +02:00
Tobias Brunner
f6b2e6a21f ike-auth: Calculate and collect IntAuth for IKE_INTERMEDIATE exchanges 
The message ID of the first IKE_AUTH exchange is a safe-guard against
potential truncation attacks if IKE_INTERMEDIATE exchanges are not used
for multiple key exchanges but some other future use where the number of
exchanges might not depend on the selected proposal.
 2024-08-07 16:20:18 +02:00
Tobias Brunner
1212780b32 pubkey-authenticator: Handle IntAuth data 2024-08-07 16:20:18 +02:00
Tobias Brunner
c4dac17d8c psk-authenticator: Handle IntAuth data 2024-08-07 16:20:18 +02:00
Tobias Brunner
5c69262ce6 eap-authenticator: Handle IntAuth data 2024-08-07 16:20:18 +02:00
Tobias Brunner
e5828d26ea keymat_v2: Include optional IntAuth in signed octets 2024-08-07 16:20:18 +02:00
Tobias Brunner
91f09b8d25 authenticator: Add optional method to set IntAuth data 2024-08-07 16:20:18 +02:00
Tobias Brunner
515b9303de message: Store original encrypted payload when generating fragments 
If we don't do this, get_plain() will fail after generating the message
fragmented unless it was generated non-fragmented previously.
 2024-08-07 16:20:18 +02:00
Tobias Brunner
b9c69f9080 message: Add method to generate data to authenticate IKE_INTERMEDIATE exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
5c439bb8a3 generator: Make pointer to length field optional 
Only useful if we generate an IKE header.
 2024-08-07 16:20:18 +02:00
Tobias Brunner
a24993213e keymat_v2: Add method to calculate IntAuth for IKE_INTERMEDIATE exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
b8358936aa message: Add rules for IKE_FOLLOWUP_KE exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
414db6cab1 ike-header: Add IKE_FOLLOWUP_KE exchange type 2024-08-07 16:20:18 +02:00
Tobias Brunner
041358976b notify-payload: Add notify types for multiple key exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
aedf73f7cf ikev2: Reject IKE_INTERMEDIATE requests after IKE_AUTH 
We currently only support these exchanges for additional key exchanges,
so once we have the final keys derived and the ike-init task is removed,
we don't expect any more of them.
 2024-08-07 16:20:18 +02:00
Tobias Brunner
25f2cdfc56 message: Add rules for IKE_INTERMEDIATE exchanges 2024-08-07 16:20:18 +02:00
Tobias Brunner
a45d454e94 ike-header: Add IKE_INTERMEDIATE exchange type 2024-08-07 16:20:18 +02:00
Tobias Brunner
cc9ab450d6 notify-payload: Add notify type for IKE_INTERMEDIATE exchange 2024-08-07 16:20:18 +02:00
Tobias Brunner
3e0495745c proposal-substructure: Encode additional key exchange methods 2024-08-07 16:20:18 +02:00
Tobias Brunner
9cc5f4a511 proposal: Make all key exchange transforms optional in ESP/AH proposals 2024-08-07 16:20:18 +02:00
Tobias Brunner
fb6b8c833b proposal: Skip all KE transforms if PROPOSAL_SKIP_KE given 2024-08-07 16:20:18 +02:00
Tobias Brunner
2e059e0c27 transform: Add helper to check if transform type negotiates key exchange 2024-08-07 16:20:18 +02:00
Tobias Brunner
22550bd262 transform: Add additional key exchange transform types 2024-08-07 16:20:18 +02:00
Tobias Brunner
a7f617ab33 kernel-pfkey: Fix list of extension type names on FreeBSD 
The list was extended earlier this year.
 2024-08-07 15:09:45 +02:00
Tobias Brunner
abdc7878a4 Merge branch 'sa-dir' 
Configures the direction of IPsec SAs in the Linux kernel if
possible (6.10+).
 2024-08-07 15:00:56 +02:00
Tobias Brunner
22eded1da4 kernel-netlink: Set replay window 0 if kernel supports SA direction attribute 
The kernel now allows a 0 replay window with ESN for SAs that are
explicitly tagged as outbound SAs.  But not just that, it actually
rejects outbound SAs with replay windows > 0.  So we add a version check
to control the replay window size.  Note that adding the attribute
unconditionally would be fine even for older kernels, but if somebody
backports the direction patches, the installation of outbound SAs might
fail if the replay window is not adjusted accordingly.
 2024-08-07 14:41:28 +02:00
Tobias Brunner
661f6bd0ad kernel-netlink: Add SA direction attribute 2024-08-07 14:41:28 +02:00
Tobias Brunner
2601fabbb4 kernel-netlink: Only disable DF-flag copying on outbound SAs 
This will cause errors on inbound SAs if the SA direction attribute is
used.
 2024-08-07 14:41:28 +02:00
Tobias Brunner
dc8fa1b3e8 kernel-netlink: Add missing names for XFRM message types and attributes 2024-08-07 14:41:28 +02:00
Tobias Brunner
b05628dd2d include: Update XFRM header for SA direction attribute 2024-08-07 14:41:28 +02:00
Thomas Egerer
84bd011752 ike-sa: Add address family specific configuration of fragment size 
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
 2024-08-07 14:19:41 +02:00
Tobias Brunner
9b9cf2001f android: Fix import of an already existing VPN profile 2024-08-07 08:58:12 +02:00
Tobias Brunner
740cbb2c0a Merge branch 'android-14' 
Updates target SDK to Android 14 (34) and fixes compatibility issues.
android-2.5.2 		2024-08-06 18:02:18 +02:00